Re: [fw-wiz] XML firewalls (WAF)



On Thu, 7 May 2009, Chris Hughes wrote:

After a reply to a previous post I was clued in on XML vulnerabilities with
web applications. Off I went to do more reading when I discovered WAF.
From what I read, the type of protection afforded by a WAF will address some
portion of the XML vulnerabilities for both internal as well as externally
facing web applications. Now I'm left wondering which web based
applications actually use XML or other mechanisms (SOAP) that are at risk.
I have a big MS SharePoint implementation that I'm particularly concerned
about.



Is there a way short of calling the vendors to see if they present the risk
that WAF's allegedly help protect against?

this is similar to asking what applications have vunerabbilities that regular firewalls could protect against.

most of the time if the application people knew they would fix the flaws

the problem is that http is being used as a network layer, so just like you would not want to allow TCP everywhere without restriction you really shouldn't allow http everywhere without restriction.

for some reason many people have trouble understanding this concept, but what it really boils down to is that when you implement tunneling, you turn the layer that you are using for tunneling into your transport layer, and every piece of protection that you would normally put above the transport layer needs to be implemented again above the tunneling.

so even if you have a top-notch firewall that does application layer checks of the HTTP traffic, as soon as you start tunneling your application over it you need to treat it as no better than a packet filtering firewall (controlling the source and destination)



different WAF devices do different things, and on top of the device capabilities, how good they can possibly be depends on how well you can define (or understand) the legitimate traffic that you want to have go through it.

if you have documentation of exactly what all your legitimate requests look like, you can gain a lot of protection by having the WAF enforce these restrictions (in theory this will add zero security because the application already did a perfect job of checking it's input. however in the real world this can be a significant win)

however, if you can't identify what legitimate traffic looks like, you will have serious problems getting much benifit from a WAF. it doesn't mean that you can't get any benifit, there are WAFs that try to watch the traffic and guess what's 'normal' to configure themselves, but don't fall for the trap of assuming that such devices aren't going to require understanding the application (and tweaking the configuration) to get much use out of them.

David Lang
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



Relevant Pages

  • Re: [fw-wiz] XML firewalls (WAF)
    ... discovered WAF. ... internal as well as externally facing web applications. ... If I were looking for a way to protect SOAP services, ...
    (Firewall-Wizards)
  • Re: [fw-wiz] XML firewalls (WAF)
    ... the problem is that http is being used as a network layer, ... every piece of protection that you would normally put above the transport ... so even if you have a top-notch firewall that does application layer checks ... different WAF devices do different things, and on top of the device ...
    (Firewall-Wizards)