Re: [WEB SECURITY] RE: [Webappsec] [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
- From: "Rafal @ IsHackingYou" <rafal@xxxxxxxxxxxxxxxx>
- Date: Mon, 7 Jul 2008 23:00:38 -0500
For what it's worth, about a year ago (granted, my experience is now dated) I had the [dis]pleasure of doing a bake-off between all the major vendors (Breach, Imperva, NetContinuum, F5, Citrix, and some others) on a very specifically crafted review. We investigated usability, security advantages, ease of deployment and many other features. While I can't share the exact matrix which I used (I worked for a large 2-letter company that likes to keep their information extremely secret) I can share my experiences and my thoughts, and why we went with one over the others (we chose Imperva in the end, at that time). If someone wants to write it up, or just simply chat on the subject I'm game... but again - mileage may vary since my experience is over a year old now...
Cheers.
__
Rafal M. Los
IT Security - Response | Mitigation | Strategy
E-mail: rafal@ishackingyou.com
Direct: +1 (404) 606-6056
- gPGP: 0xFFC63B33
- Blog: http://preachsecurity.blogspot.com
- Web: http://www.ishackingyou.com
- LinkedIn: http://www.linkedin.com/in/rmlos
From: Arshan Dabirsiaghi
Sent: Monday, July 07, 2008 4:24 PM
To: Achim
Cc: Ernest Mueller ; Martin O'Neal ; websecurity@webappsec.org
Subject: RE: [WEB SECURITY] RE: [Webappsec] [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
Don't worry - no offense taken at all. I don't think there are many (any?) people out there that know many (all?) of the WAFs to that level of detail. =]
The primary reason we don't have an across-the-board comparison to provide that kind of information is because the customers out there who have performed real bakeoffs have not shared their experiences as a group. That's a shame, too. I'm sure if they did we could:
a) figure out how to make better WAFs
b) give better advice to our clients
Being a security consultant, I bump into WAFs here and again but have never had the opportunity to compare even a few side by side in a real environment. Jumping from one vendor booth to another does not count. =]
It seemed to me to be very silly not to have this level of support when I was looking at the rule creation for one of the WAFs given that I know for a fact PCRE is available in the framework it was written in. Regardless, I would hope it's in the minority. Hell, it could have the ability to create the advanced rule, just in the interfaces I saw.
Anyway, the WAF/PCRE point was tangential to my comment, though. I just wanted the author of the previous message to know that you can effectively whitelist UTF-8 using the Unicode keywords. It's not as simple as [a-zA-Z0-9] but it's not that much more difficult (in that case, [\p{L}\p{N}] is only 1 byte longer).
Cheers,
Arshan
------------------------------------------------------------------------------
From: Achim [mailto:kirke12@securenet.de]
Sent: Mon 7/7/2008 4:59 PM
To: Arshan Dabirsiaghi
Cc: Ernest Mueller; Martin O'Neal; websecurity@webappsec.org
Subject: Re: [WEB SECURITY] RE: [Webappsec] [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
On Mon, 7 Jul 2008, Arshan Dabirsiaghi wrote:
!! You should investigate standardized Unicode patterns like \p{L} and \p{N} which are extremely useful for doing cross-language input validation without getting deep into the weeds of Unicode character ranges [1]. You can also validate the data you're receiving against the locale you're receiving it from. For instance, \p{Greek} will tell you whether or not your letters are in the Greek character range.
!!
!! I can't say whether or not any WAF out there has this kind of capability (the few I've seen do not).
hmm, sounds like you have not seen many WAFs (no offence meant ;-)
Most (all*) WAFs claim to support PCRE (I use "claim" as I didn't prove it),
and PCRE supports unicode properties, blocks and scripts very well.
On the other hand TCL does not support unicode properties, IIRC. So we can
imagine which WAF does not support such simple matches.
Conclusion: i18n or whatever character set is no reason to blame regex in WAFs,
I don't see a better way to handle international languages/characters than
with simple Unicode properties, scripts, blocks.
{-: Achim
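The whitelist Arshan and Achim are comparing, as an added example that is not code from the thread or from any WAF vendor: JavaScript's regex engine supports the same Unicode property escapes that PCRE does (\p{L}, \p{N}, and \p{Script=Greek} for PCRE's \p{Greek}), so the difference between [a-zA-Z0-9] and [\p{L}\p{N}] can be run directly in Node. The sample inputs are constructed for the demonstration and the function names are mine. It goes beyond the thread in two places a practitioner would want checked: NFC normalization before matching (a decomposed accent is a combining mark, not a letter) and the distinction between \p{N}, \p{Nd} and [0-9] for a field that will later be parsed as a number.

```javascript
// Added example (not code from the thread): whitelisting letters and digits
// across scripts with Unicode property escapes. JavaScript's \p{L}, \p{N} and
// \p{Script=Greek} are the same Unicode properties PCRE exposes as \p{L},
// \p{N} and \p{Greek}. Property escapes need the `u` flag (see NO_U_FLAG).

const ASCII_ALNUM    = /^[a-zA-Z0-9]+$/;               // classic ASCII-only whitelist
const UNICODE_ALNUM  = /^[\p{L}\p{N}]+$/u;             // any letter or number, any script
const GREEK_ALNUM    = /^[\p{Script=Greek}\p{N}]+$/u;  // letters limited to one script
const DECIMAL_DIGITS = /^\p{Nd}+$/u;                   // decimal digits only: no ½ or Ⅷ

// Match on NFC-normalized text. A decomposed "ή" (η U+03B7 + combining acute
// U+0301) carries a combining mark that is \p{M}, not \p{L}, and would be
// rejected by UNICODE_ALNUM even though the precomposed form passes.
function nfc(s) {
  return String(s).normalize("NFC");
}

function isAsciiAlnum(s)    { return ASCII_ALNUM.test(s); }
function isUnicodeAlnum(s)  { return UNICODE_ALNUM.test(nfc(s)); }
function isGreekAlnum(s)    { return GREEK_ALNUM.test(nfc(s)); }
function isDecimalDigits(s) { return DECIMAL_DIGITS.test(nfc(s)); }

// A field that will be parsed with Number() must be restricted to ASCII
// digits: Arabic-Indic "٣" (U+0663) is \p{Nd}, but Number("٣") is NaN.
// Returns the parsed integer, or null when the field is not [0-9]+.
function parseDecimalField(s) {
  const t = nfc(s);
  if (!/^[0-9]+$/.test(t)) return null;
  return Number(t);
}

// Without the `u` flag, \p is an identity escape and the class is made of the
// literal characters p { L } N: the pattern still compiles, so the mistake
// shows up only as a whitelist that rejects real names and accepts "pL{}N".
const NO_U_FLAG = /^[\p{L}\p{N}]+$/;
function noUFlagMatches(s) { return NO_U_FLAG.test(s); }

// Constructed sample inputs for the demonstration.
const SAMPLES = [
  "alice42",        // ASCII letters and digits
  "Müller",         // Latin with a diacritic: fails [a-zA-Z0-9], passes [\p{L}\p{N}]
  "Αθήνα",          // Greek: passes the script-restricted whitelist too
  "東京2024",        // Han plus ASCII digits
  "O'Brien",        // apostrophe is \p{P}: a legitimate name both whitelists reject
  "alice<script>",  // injection punctuation: rejected by both
  "½",              // \p{N} (category No) but not \p{Nd}
  "٣",              // \p{Nd} but not [0-9]
];

// Runs every whitelist over one input and returns the verdicts side by side.
function classify(s) {
  return {
    input: s,
    ascii: isAsciiAlnum(s),
    unicode: isUnicodeAlnum(s),
    greek: isGreekAlnum(s),
    decimal: isDecimalDigits(s),
    number: parseDecimalField(s),
  };
}

for (const s of SAMPLES) {
  console.log(classify(s));
}
```

Run it with node; each sample prints the verdict of every whitelist. Two things the output makes visible that the regex alone does not: [\p{L}\p{N}] is still a whitelist, so names with apostrophes or hyphens need those characters added explicitly, and the same pattern without the `u` flag compiles fine while matching something entirely different, which is the kind of silent degradation worth a unit test in any rule set.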
Brought to you by http://www.webappsec.org