Re: Can HTTP Request Smuggling be blocked by Web Application Firewalls?

Subject: Re: Can HTTP Request Smuggling be blocked by Web Application Firewalls?
Date: Wed, 22 Jun 2005 09:53:49 +0200
Hi Andrew,

On 22 Jun 2005 at 16:17, Andrew van der Stock wrote:

> Amit,
>
> I feel that the WAF in this case would increase the likelihood of a
> HTTP smuggling attack as it participates in the flow, and more than
> likely interprets HTTP requests differently than pretty much
> everything else out there.

Yes, that is possible (as I hinted in my message), if the WAF is between the
devices, or if the WAF itself is the object of the attack.

> If they RST'd dodgy connections and left
> alone all others, then maybe these devices serve a purpose, but if
> it's a re-writing proxy, it has to affect the flow.


I agree.

> <rant = on>
>
> I have been struggling with the point of "security" HTTP proxies
> recently in several of the projects I've been involved with. The
> projects were infected by sales people who say "Buy this widget, and
> all your security problems are over". Nothing could be further from
> the truth. I recently lost a battle to remove a virus scanning web
> proxy on a private leased line which transmitted XML provided by MQ
> Series. The impetus to buy useless things to solve non-existent
> problems is troubling.
>
> In my view, unless a proxy understands the underlying data and pages,
> or XML DTDs if it is looking at SOAP requests, I feel the additional
> burden of the proxies is rarely worthwhile and just adds one more
> component which may be abused.
>
> </rant>


Oh, I wouldn't throw the baby out with the bath water. I think that WAFs (at
least in theory) are basically good things. I haven't seen a perfect one yet -
they all have their problems. But I wouldn't dismiss them as useless.
Don't get me wrong - there are certainly cases where buying and deploying a WAF
is absurd, and there are probably many cases where WAFs are sold as a solution
to world hunger, but that shouldn't blur our technical view - of what WAFs can
and can't do.

I fully agree with the second part of your rant. If a WAF can't understand
HTTP, and the application logic, and SOAP/XML (if it's supposed to handle XML
and web services), then obviously it's missing a core security functionality.
Merely deploying a simple (mindless) HTTP proxy is not going to help in most
situations (I believe that's what you're saying).

> Security vendors should perform strict conformance testing and make
> those results available to potential customers. Something like the
> old IPsec and cache bake offs or industry certification that these
> devices are truly RFC compliant would be nice.


Hear! Hear! ;-)

I'll have you know that WASC (Web Application Security Consortium) works on a
project called "Web Application Firewall Evaluation Criteria"
(http://www.webappsec.org/projects/waf_evaluation/) that aims at defining
criteria for evaluating and comparing WAFs.
When it's complete, hopefully it would be able to address people's needs and
reduce the hype levels in the market.

Thanks,
-Amit
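As an added illustration of the point both posters agree on (a front end should reject requests whose framing two HTTP parsers could read differently, rather than rewrite them and forward one guess), here is a small framing-conformance check. It is example code, not from either poster or from any WAF product, and the sample request bytes are constructed.

```python
import re

# Transfer-codings a request may legitimately carry (RFC 7230 s4).
KNOWN_CODINGS = {b"chunked", b"gzip", b"deflate", b"compress", b"identity"}

def framing_problems(raw: bytes) -> list[str]:
    """Return the reasons this request's body framing is ambiguous ([] = clean).
    Each finding is a place where two parsers can disagree on where the body
    ends; a front end should close such a connection rather than forward a guess.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    problems, cl_values, te_values = [], [], []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        if b":" not in line:
            problems.append(f"malformed header line {line!r}")
            continue
        name, value = line.split(b":", 1)
        # RFC 7230 s3.2.4: no whitespace between field-name and colon; lenient
        # parsers that accept it will honour a header that strict ones ignore.
        if name != name.rstrip():
            problems.append(f"whitespace before colon in {name.strip()!r}")
        key = name.strip().lower()
        if key == b"content-length":
            cl_values.append(value.strip())
        elif key == b"transfer-encoding":
            te_values.append(value.strip())
    if cl_values and te_values:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl_values)) > 1:
        problems.append("conflicting Content-Length values")
    for cl in cl_values:
        if not re.fullmatch(rb"[0-9]+", cl):
            problems.append(f"non-numeric Content-Length {cl!r}")
    for te in te_values:
        codings = [c.strip().lower() for c in te.split(b",")]
        if any(c not in KNOWN_CODINGS for c in codings):
            problems.append(f"unrecognised transfer-coding in {te!r}")
        elif codings[-1] != b"chunked":
            problems.append("chunked is not the final transfer-coding")
    return problems

# Constructed sample requests (not captured traffic).
CLEAN = b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
AMBIGUOUS = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding : chunked\r\n\r\n")

if __name__ == "__main__":
    for req in (CLEAN, AMBIGUOUS):
        print(framing_problems(req) or ["ok"])
```

The checks are the ones a conformance test of the kind Andrew asks for would exercise; a device that passes them can safely RST on a non-empty result without having to interpret the body itself.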
