web application firewalls: panel discussion · 2/22/2006 ·
TRANSCRIPT
Copyright © 2004 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License.
The OWASP Foundation
OWASP
http://www.owasp.org
Web Application Firewalls:
Panel Discussion
Sebastien Deleersnyder
CISSP
Feb, 2006
OWASP 2
Agenda
- Panel Introduction
- WAF Primer
- Panel Discussion
Panel Introduction
- Philippe Bogaerts, BeeWare
- Jaak Cuppens, F5 Networks
- Tim Groenwals, Agfa Gevaert
- Lieven Desmet, K.U.Leuven
- David Van der Linden, ING
Network Firewalls Do Not Work
[Diagram: Web client -> Firewall (port 80/443 open, HTTP(S) traffic passes through) -> Web server -> Application -> Database server. The network firewall filters only on port, so whatever is carried inside HTTP(S) reaches the application unchecked.]
Enter Web Application Firewall Era
- HW/SW that mitigates web application vulnerabilities:
  - Unvalidated Input
  - Parameter tampering
  - Injection Flaws
  - …
Web Application Firewalls
- They understand HTTP/HTML very well
- They work after traffic is decrypted, or can otherwise terminate SSL
- Prevention is possible
Topologies
- Network-based:
  - Protects any web server
  - Works with many servers at once
- Web server-based:
  - Closer to the application
  - Limited by the web server API
WAF functionality
- Rule-based:
  - Uses rules to look for known vulnerabilities
  - Or rules to look for classes of attack
  - Relies on rule databases
- Anomaly-based:
  - Attempts to figure out what normal operation means
WAF Protection Strategies
- Negative security model:
  - Deny what might be dangerous.
  - Do you always know what is dangerous?
- Positive security model:
  - Allow what is known to be safe.
  - Positive security model is better.
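The two slides above (rule-based versus anomaly-based functionality, and negative versus positive security models) are easiest to compare on concrete requests. The following toy parameter inspector is an added example written for this page, not code from the OWASP deck or from any vendor named on it. It runs a small hypothetical signature list (the negative model) next to a per-URL, per-parameter whitelist that is learned from constructed known-good traffic (the positive model, built the way an anomaly-based "learning mode" would build it). The signatures, character classes, length slack and training URLs are all assumptions chosen for the illustration.

```python
# Added example (not from the OWASP slides): a toy HTTP-parameter WAF that
# applies a negative (signature) model and a positive (learned whitelist)
# model side by side so the difference between the strategies is visible.
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# ---- Negative security model: deny what is known to be dangerous ----------
# Hypothetical mini signature database; real rule sets are far larger and
# still cannot enumerate every dangerous input.
NEGATIVE_RULES = [
    ("sqli-union", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("sqli-comment", re.compile(r"--|/\*|#")),
    ("xss-script", re.compile(r"<\s*script", re.I)),
    ("path-traversal", re.compile(r"\.\./")),
]


def negative_check(params):
    """Return the first rule that fires on any parameter value, else None."""
    for name, rx in NEGATIVE_RULES:
        for value in params.values():
            if rx.search(value):
                return name
    return None


# ---- Positive security model: allow only what was learned as normal ------
# Character classes ordered from strictest to loosest; a parameter's class is
# widened only as far as the training traffic requires.
CLASSES = [
    ("digits", re.compile(r"^[0-9]+$")),
    ("alnum", re.compile(r"^[A-Za-z0-9_.-]+$")),
    ("text", re.compile(r"^[A-Za-z0-9 _.,!?'-]*$")),
]
RANK = [name for name, _ in CLASSES] + ["any"]


def classify(value):
    """Strictest character class that accepts the value ('any' if none do)."""
    for name, rx in CLASSES:
        if rx.match(value):
            return name
    return "any"


class PositiveProfile:
    """Per-URL, per-parameter profile built from known-good (learning-mode) traffic."""

    def __init__(self):
        self.profile = defaultdict(dict)  # path -> param -> {"class", "maxlen"}

    def learn(self, path, params):
        for name, value in params.items():
            entry = self.profile[path].setdefault(name, {"class": "digits", "maxlen": 0})
            seen = classify(value)
            if RANK.index(seen) > RANK.index(entry["class"]):
                entry["class"] = seen
            entry["maxlen"] = max(entry["maxlen"], len(value))

    def check(self, path, params):
        """Return a violation label, or None if the request fits the profile."""
        if path not in self.profile:
            return "unknown-url"
        expected = self.profile[path]
        for name, value in params.items():
            if name not in expected:
                return "unknown-param:" + name  # parameter tampering / forced browsing
            if RANK.index(classify(value)) > RANK.index(expected[name]["class"]):
                return "bad-class:" + name
            if len(value) > 2 * expected[name]["maxlen"]:  # assumed slack over training
                return "too-long:" + name
        return None


def split_request(url):
    parts = urlsplit(url)
    return parts.path, dict(parse_qsl(parts.query, keep_blank_values=True))


# Constructed learning-mode traffic standing in for the site's normal use.
TRAINING = ["/item?id=42", "/item?id=1234", "/search?q=red+shoes", "/search?q=winter+coat"]
PROFILE = PositiveProfile()
for _url in TRAINING:
    PROFILE.learn(*split_request(_url))


def inspect(url):
    """Run both models on one request; each model returns None for 'allowed'."""
    path, params = split_request(url)
    return {"negative": negative_check(params), "positive": PROFILE.check(path, params)}


if __name__ == "__main__":
    for url in ["/item?id=7",
                "/item?id=42+OR+1=1",             # no signature fires, whitelist rejects
                "/search?q=x'+union+select+1--",  # whitelist allows free text, signature fires
                "/item?id=7&debug=1"]:            # unknown parameter: tampering
        print(url, inspect(url))
```

The two models fail in opposite directions: the tautology `42 OR 1=1` carries none of the listed signatures, so the negative model passes it, while the learned profile rejects it because `id` was only ever numeric. On the free-text `q` parameter the positive model has to allow almost anything of plausible length, and only the signature catches the injection. That is the slide's point about not always knowing what is dangerous, and why deployments usually run a positive model with a negative rule set behind it.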
Vendors
- ModSecurity
- BeeWare IntelliWall
- Citrix NetScaler Application Firewall (Teros)
- DenyAll rWeb
- F5 TrafficShield (Magnifire)
- Imperva SecureSphere
- NetContinuum
- Breach BreachGate WebDefend
- …
WAF?
- eEye SecureIIS?
- Microsoft URLScan?
- CheckPoint Application Intelligence?
- MS ISA Server?
Dead:
- Kavado InterDo
- Watchfire AppShield (Sanctum)
- Ubizen DMZShield
How mature are WAFs?
Panel Discussion
- What do WAFs protect you from? What not?
- Where do you position WAFs in your architecture?
- What WAF functionality do you really need?
- How to reduce TCO?
- Who administrates a WAF within the organisation?