
[WEB SECURITY] Re: [Webappsec] Comparisons of Web Application Firewalls



I don't want to start a flame war here - but there is not a single,
competent review of WAFs for public consumption as of today.

The quality of WAFs varies greatly. Few actually provide all
the features they claim, but most analysts are not experienced
enough (yet) to evaluate the intricacies of these features.

Several of my smartest clients have benchmarked the things
recently, and found that with consistency they all crash, they
all have weaker attack vector detection than most realize,
and auto-learning engines suck.

Simple double-encoding will defeat most WAFs, even though
they all claim they canonicalize data or at least drop "double
encoded" strings (they don't, at least, effectively enough).

I have yet to read a report breaking down the real world
implementation problems. They talk instead about vaporware
features like integrations with all the various desktop
source and runtime scanning widgets.

I'll pick on Imperva briefly -- I have been able to slip encoded
strings through SecureSphere for 4+ years now, and their
auto-learning also doesn't do much for canonicalization issues.
(The only reason I used to recommend them was for their
DB profiling, but today I restrain my recommendations.)

Imperva hasn't improved things I told them about 4 years
ago, while instead touting marketing features that don't work.
This has led them to lose possibly their largest account
to a competing WAF with a targeted vuln-remediation approach.

I think WAFs have a lot of potential properly used, but
you won't find a review covering using them for targeted
remediation (which I believe is the correct use today).

As for the rest, I am cynical (for good reason) about
the marketing messages and value of comparison
reports you read. They just don't hold up with real
world experiences.

The only answer right now is:

Put them in front of your own environments and
see if they work. Do they crash? Do they create
latency? Can they detect real attacks? Can they
block attacks without breaking your application?

Have someone experienced test your application
and see if the thing can actually block attack vectors
it claims to detect, or protect abuses targeting real
weaknesses like insufficient authorization.

Anything less is armchair quarterbacking, IMO.

YMMV.

-- 
Arian J. Evans.
Software. Security. Stuff.



On Thu, Jul 3, 2008 at 6:25 AM, Ryan Barnett <rcbarnett@xxxxxxxxx> wrote:
> If you want to compare WAF products yourself, then the WASC Web Application
> Firewall Evaluation Criteria (WAFEC) provides a framework -
> http://www.webappsec.org/projects/wafec/.  Btw - v2.0 is in the works.
>
> As for industry bake-offs, I believe that the Information Security WAF
> review from March 2008 is the most recent -
>
> Comparative Product Review: Six Web Application Firewalls
> http://searchSecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1303838,00.html
> by: Sandra Kay Miller
> Issue: Mar 2008
>
> --
> Ryan C. Barnett
> ModSecurity Community Manager
> Breach Security: Director of Application Security
> Web Application Security Consortium (WASC) Member
> CIS Apache Benchmark Project Lead
> SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> Author: Preventing Web Attacks with Apache
>
>
> On Wed, Jul 2, 2008 at 11:39 PM, Ray Foo <gunblad3@xxxxxxxxx> wrote:
>>
>> Hi guys,
>>
>> Does anyone know where I can find comparisons of WAFs?  I've been Googling
>> around for some time already, but somehow have not been able to find such
>> information.
>>
>> Any help would be appreciated, thanks in advance!
>>
>> Regards,
>> Ray
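The thread's point about double encoding (a single percent-decode leaves "%253C" as "%3C", so a WAF that decodes once never sees the "<" it was looking for) is easy to test against your own inspection logic. The block below is an added example written for this archive page, not code from any poster or from any WAF product: it canonicalizes a request parameter by percent-decoding until the value stops changing, bounds the number of rounds so a deeply nested value cannot stall the inspector, and reports how many layers of encoding were peeled off. The "naive_decode" baseline, the "inspect" helper, its small token list and the sample inputs are all constructed for illustration.

```python
import urllib.parse

# Upper bound on decode rounds. Legitimate input is encoded once; a value that
# is still changing after this many rounds is treated as suspicious instead of
# being decoded indefinitely.
MAX_DECODE_ROUNDS = 3


def naive_decode(value: str) -> str:
    """Single percent-decode, the behaviour the thread says many WAFs stop at."""
    return urllib.parse.unquote(value)


def canonicalize(value: str, max_rounds: int = MAX_DECODE_ROUNDS):
    """Percent-decode repeatedly until the value is stable.

    Returns (canonical_value, rounds, exhausted):
      rounds     - number of decode passes that actually changed the value
                   (2 or more means the input was multi-encoded)
      exhausted  - True if the value would still change after max_rounds,
                   i.e. the decode limit was hit rather than a fixed point
    """
    current = value
    rounds = 0
    while rounds < max_rounds:
        decoded = urllib.parse.unquote(current)
        if decoded == current:
            return current, rounds, False
        current = decoded
        rounds += 1
    exhausted = urllib.parse.unquote(current) != current
    return current, rounds, exhausted


# Constructed, deliberately tiny token list standing in for a real rule set.
SUSPICIOUS_TOKENS = ("<script", "union select", "../")


def inspect(value: str) -> list:
    """Canonicalize a parameter value and return a list of findings.

    Findings are strings so the caller can log or count them:
      "multi-encoded"   - more than one layer of percent-encoding was present
      "decode-limit"    - still encoded after MAX_DECODE_ROUNDS
      "pattern:<token>" - a token from SUSPICIOUS_TOKENS appears in the
                          canonical (fully decoded) value
    """
    canonical, rounds, exhausted = canonicalize(value)
    findings = []
    if rounds > 1:
        findings.append("multi-encoded")
    if exhausted:
        findings.append("decode-limit")
    lowered = canonical.lower()
    for token in SUSPICIOUS_TOKENS:
        if token in lowered:
            findings.append("pattern:" + token)
    return findings


if __name__ == "__main__":
    # Constructed sample: the same payload encoded once and twice.
    single = "%3Cscript%3E"
    double = "%253Cscript%253E"
    for sample in (single, double):
        print(sample)
        print("  naive decode :", naive_decode(sample))
        print("  canonical    :", canonicalize(sample)[0])
        print("  findings     :", inspect(sample))
```

Running the block shows the gap the thread describes: the single decode of the double-encoded sample yields "%3Cscript%3E", which contains no "<script" and passes a one-pass inspector, while the canonical form is "<script>" and is flagged with both "multi-encoded" and the matching pattern. When putting a WAF in front of your own application, the same idea applies: feed it once-, twice- and thrice-encoded variants of a known test string and confirm it reports the same canonical value each time.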

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
