Re: [WEB SECURITY] Re: [Webappsec] Comparisons of Web Application Firewalls
- From: Ory Segal <SEGALORY@xxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Re: [Webappsec] Comparisons of Web Application Firewalls
- Date: Thu, 3 Jul 2008 21:33:46 +0300
Hey,
I have a soft spot for WAFs, so I will not go into bashing/praising mode.
What I do want to say is that I am simply amazed by the fact that no
serious public WAF evaluation has been published (at least not to my
knowing). I've seen great evaluation done for scanners, but not for WAFs.
Weird...
-Ory
From: "Arian J. Evans" <arian.evans@anachronic.com>
To: "Ray Foo" <gunblad3@gmail.com>, "webappsec @OWASP" <webappsec@lists.owasp.org>, websecurity@webappsec.org
Date: 03/07/2008 21:12
Subject: [WEB SECURITY] Re: [Webappsec] Comparisons of Web Application Firewalls
I don't want to start a flame war here - but there is not a single,
competent review of WAFs for public consumption as of today.
The quality of WAFs varies greatly. Few actually provide all
the features they claim, but most analysts are not experienced
enough (yet) to evaluate the intricacies of these features.
Several of my smartest clients have benchmarked the things
recently, and found that with consistency they all crash, they
all have weaker attack vector detection than most realize,
and auto-learning engines suck.
Simple double-encoding will defeat most WAFs, even though
they all claim they canonicalize data or at least drop "double
encoded" strings (they don't, at least, effectively enough).
I have yet to read a report breaking down the real world
implementation problems. They talk instead about vapor-
ware features like integrations with all the various desktop
source and runtime scanning widgets.
I'll pick on Imperva briefly -- I have been able to slip encoded
strings through SecureSphere for 4+ years now, and their
auto-learning also doesn't do much for canonicalization issues.
(The only reason I used to recommend them was for their
DB profiling, but today I restrain my recommendations)
Imperva hasn't improved things I told them about 4 years
ago, while instead touting marketing features that don't work.
This has led them to lose possibly their largest account
to a competing WAF with a targeted vuln-remediation approach.
I think WAFs have a lot of potential properly used, but
you won't find a review covering using them for targeted
remediation (which I believe is the correct use today).
As for the rest, I am cynical (for good reason) about
the marketing messages and value of comparison
reports you read. They just don't hold up with real
world experiences.
The only answer right now is:
Put them in front of your own environments and
see if they work. Do they crash? Do they create
latency? Can they detect real attacks? Can they
block attacks without breaking your application?
Have someone experienced test your application
and see if the thing can actually block attack vectors
it claims to detect, or protect abuses targeting real
weaknesses like insufficient authorization.
Anything less is armchair quarterbacking, IMO.
YMMV.
--
--
Arian J. Evans.
Software. Security. Stuff.
On Thu, Jul 3, 2008 at 6:25 AM, Ryan Barnett <rcbarnett@gmail.com> wrote:
> If you want to compare WAF products yourself, then the WASC Web Application
> Firewall Evaluation Criteria (WAFEC) provides a framework -
> http://www.webappsec.org/projects/wafec/. Btw - v2.0 is in the works.
>
> As for industry bake-offs, I believe that the Information Security WAF
> review from March 2008 is the most recent -
>
> Comparative Product Review: Six Web Application Firewalls
>
http://searchSecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1303838,00.html
> by: Sandra Kay Miller
> Issue: Mar 2008
>
> --
> Ryan C. Barnett
> ModSecurity Community Manager
> Breach Security: Director of Application Security
> Web Application Security Consortium (WASC) Member
> CIS Apache Benchmark Project Lead
> SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> Author: Preventing Web Attacks with Apache
>
>
> On Wed, Jul 2, 2008 at 11:39 PM, Ray Foo <gunblad3@gmail.com> wrote:
>>
>> Hi guys,
>>
>> Does anyone know where I can find comparisons of WAFs? I've been Googling
>> around for some time already, but somehow have not been able to find such
>> information.
>>
>> Any help would be appreciated, thanks in advance!
>>
>> Regards,
>> Ray
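Arian's point above is that a single decode pass is not canonicalization: `%253C` survives one pass as `%3C` and only becomes `<` on the second. The following is an added illustration, not code from anyone in this thread or from any WAF product; it decodes to a fixed point, records how many passes were needed, and compares that with a single-pass inspection over a small constructed signature list.

```python
import urllib.parse
from dataclasses import dataclass


@dataclass
class Canonical:
    value: str            # fixed-point (fully decoded) form of the input
    rounds: int           # number of decode passes that changed the input
    double_encoded: bool  # True when more than one pass was needed


def canonicalize(raw: str, max_rounds: int = 4) -> Canonical:
    """Percent-decode repeatedly until the value stops changing.

    max_rounds bounds the loop so a hostile input cannot keep the
    inspector busy; anything still changing after that many passes is
    treated as the current value.
    """
    current = raw
    rounds = 0
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(current)
        if decoded == current:
            break
        current = decoded
        rounds += 1
    return Canonical(current, rounds, rounds > 1)


# Constructed sample signatures for the demo; a real rule set is far larger.
SIGNATURES = ("<script", "' or 1=1", "../")


def naive_inspect(raw: str) -> bool:
    """Single decode pass, then match: the behaviour the post complains about."""
    decoded = urllib.parse.unquote(raw).lower()
    return any(sig in decoded for sig in SIGNATURES)


def canonical_inspect(raw: str) -> tuple[bool, bool]:
    """Match on the fixed-point form and also report double encoding itself.

    Returns (signature_hit, was_double_encoded). A second encoding layer is
    rarely legitimate in form or query input, so it is worth logging even
    when no signature matches.
    """
    canon = canonicalize(raw)
    hit = any(sig in canon.value.lower() for sig in SIGNATURES)
    return hit, canon.double_encoded
```

Running both inspectors over the same double-encoded input in a WAF bake-off is a quick way to check whether a product's "canonicalization" claim holds up.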
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA