
Re: [WEB SECURITY] Comparisons of Web Application Firewalls



One of the most important things to understand when evaluating an application firewall is how it will be used, 
when it can't be used, and how it could be used. I published an entry explaining my current views on app firewalls
and when (at least in my opinion) they can be useful. 

My current stance on Web Application Firewalls 
http://www.cgisecurity.com/2008/06/10

Regards,
- Robert
http://www.cgisecurity.com/
http://www.webappsec.org/
http://www.qasec.com/


> Ray,
> 
> You'll find some reviews/comparisons of WAFs in industry magazines, some of
> which people have already given you the URLs for.
> 
>  
> 
> However, your best bet is to take these reviews with a grain of salt, talk
> to some people in the industry to find out which WAFs people seem to think
> are best, then bring in a couple of the most promising sounding products in
> for an evaluation to see which one works best for your web applications.
> The Web Application Firewall Evaluation Criteria should really help you
> determine what you should be looking at during the evaluation:
> http://www.webappsec.org/projects/wafec/ .
> 
>  
> 
> Keep in mind that the reviews you read in magazines are not going to be too
> hard on any of the products because the magazines and article writers don't
> want to burn bridges with any of the vendors.  So some products will end up
> with more positive reviews than they deserve.  That's why you really need to
> test these products out in your environment and decide for yourself what
> works best for you and adds the most value.
> 
>  
> 
> Brian
> 
>  
> 
>   _____  
> 
> From: Ray Foo [mailto:gunblad3@xxxxxxxxx] 
> Sent: Wednesday, July 02, 2008 10:40 PM
> To: websecurity@xxxxxxxxxxxxx; webappsec @OWASP
> Subject: [WEB SECURITY] Comparisons of Web Application Firewalls
> 
>  
> 
> Hi guys,
> 
> Does anyone know where I can find comparisons of WAFs?  I've been Googling
> around for some time already, but somehow have not been able to find such
> information.
> 
> Any help would be appreciated, thanks in advance!
> 
> Regards,
> Ray


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



Brought to you by http://www.webappsec.org