Re: [fw-wiz] XML firewalls (WAF)
- From: "Paul Melson" <pmelson@xxxxxxxxx>
- Date: Tue, 12 May 2009 13:26:08 -0400
After a reply to a previous post I was clued in on XML vulnerabilitiesimplementation that I'm particularly concerned about.
with web applications. Off I went to do more reading when I
discovered WAF. >From what I read, the type of protection afforded by
a WAF will address some portion of the XML vulnerabilities for both
internal as well as externally facing web applications. Now I'm left
wondering which web based applications actually use XML or other
mechanisms (SOAP) that are at risk. I have a big MS SharePoint
Is there a way short of calling the vendors to see if they present the
risk that WAF's allegedly help protect against?
There's a great paper and slide deck on selecting a WAF for your application
at webappsec.org:
http://www.webappsec.org/projects/wafec/
If I were looking for a way to protect SOAP services, I would start by
implementing WS-Security for mutual authentication. If I were going to
serve a large B2B partner count, or my services were going to be part of
Internet-facing web applications, I would look at implementing a positive
security model WAF that could parse XML. SOAP is easy enough to do with a
positive model because it should be small, similarly formatted requests and
responses using known tags and input formats. That is, the rules your WAF
will need to enforce are already part of the service's design.
PaulM
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
- References:
- [fw-wiz] XML firewalls (WAF)
- From: Chris Hughes
- [fw-wiz] XML firewalls (WAF)
- Prev by Date: Re: [fw-wiz] Handling large log files
- Next by Date: [fw-wiz] Cisco PIX - "Allow inbound IPsec sessions to bypass interface access lists"
- Previous by thread: [fw-wiz] XML firewalls (WAF)
- Next by thread: Re: [fw-wiz] XML firewalls (WAF)
- Index(es):
Relevant Pages
|
