Re: [fw-wiz] XML firewalls (WAF)

After a reply to a previous post I was clued in on XML vulnerabilities
with web applications. Off I went to do more reading when I
discovered WAF. >From what I read, the type of protection afforded by
a WAF will address some portion of the XML vulnerabilities for both
internal as well as externally facing web applications. Now I'm left
wondering which web based applications actually use XML or other
mechanisms (SOAP) that are at risk. I have a big MS SharePoint
implementation that I'm particularly concerned about.

Is there a way short of calling the vendors to see if they present the
risk that WAF's allegedly help protect against?

There's a great paper and slide deck on selecting a WAF for your application

If I were looking for a way to protect SOAP services, I would start by
implementing WS-Security for mutual authentication. If I were going to
serve a large B2B partner count, or my services were going to be part of
Internet-facing web applications, I would look at implementing a positive
security model WAF that could parse XML. SOAP is easy enough to do with a
positive model because it should be small, similarly formatted requests and
responses using known tags and input formats. That is, the rules your WAF
will need to enforce are already part of the service's design.


firewall-wizards mailing list

Relevant Pages

  • Re: [fw-wiz] XML firewalls (WAF)
    ... Off I went to do more reading when I discovered WAF. ... facing web applications. ... the problem is that http is being used as a network layer, so just like you would not want to allow TCP everywhere without restriction you really shouldn't allow http everywhere without restriction. ... for some reason many people have trouble understanding this concept, but what it really boils down to is that when you implement tunneling, you turn the layer that you are using for tunneling into your transport layer, and every piece of protection that you would normally put above the transport layer needs to be implemented again above the tunneling. ...
  • Re: Java framework/portal
    ... > For an intranet, I want to put some Java/Struts web applications, Xsql ... It has a feature called Agents that allows to protect pages on other ... on other servers in the portal. ...