Page 1
Copyright © 2004 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License.
The OWASP Foundation
OWASP
http://www.owasp.org
Web Application Firewalls:
Panel Discussion
Sebastien Deleersnyder
CISSP
Feb, 2006
[email protected]
Page 2
OWASP 2
Agenda
- Panel Introduction
- WAF Primer
- Panel Discussion
Page 3
Agenda
- Panel Introduction
- WAF Primer
- Panel Discussion
Page 4
Panel Introduction
- Philippe Bogaerts, BeeWare
- Jaak Cuppens, F5 Networks
- Tim Groenwals, Agfa Gevaert
- Lieven Desmet, K.U.Leuven
- David Van der Linden, ING
Page 5
Agenda
- Introduction
- WAF Primer
- Panel Discussion
Page 6
Network Firewalls Do Not Work
[Diagram: WebClient -> Firewall (port 80/443 open, HTTP(S) traffic passes through) -> WebServer -> Application -> DatabaseServer]
Page 7
Enter Web Application Firewall Era
- HW/SW that mitigates web application vulnerabilities:
  - Unvalidated Input
  - Parameter tampering
  - Injection Flaws
  - …
Page 8
Web Application Firewalls
- They understand HTTP/HTML very well
- They work after traffic is decrypted, or can otherwise terminate SSL
- Prevention is possible
Page 9
Topologies
- Network-based:
  - Protects any web server
  - Works with many servers at once
- Web server-based:
  - Closer to the application
  - Limited by the web server API
Page 10
WAF functionality
- Rule-based:
  - Uses rules to look for known vulnerabilities
  - Or rules to look for classes of attack
  - Rely on rule databases
- Anomaly-based:
  - Attempts to figure out what normal operation means
Page 11
WAF Protection Strategies
- Negative security model:
  - Deny what might be dangerous.
  - Do you always know what is dangerous?
- Positive security model:
  - Allow what is known to be safe.
  - Positive security model is better.
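The following is an added example, not part of the original slides: a minimal rule-based check implementing both the negative model (deny on known-bad signatures) and the positive model (allow only parameters of a known format) from the two slides above, run over constructed sample requests. The /account resource, its two parameters and the signature list are hypothetical.

```python
import re

# Negative model: deny anything matching a signature from a rule database.
DENY_SIGNATURES = [
    re.compile(r"<\s*script", re.I),             # script tag in input
    re.compile(r"\bunion\b.+\bselect\b", re.I),  # SQL keyword pair
    re.compile(r"\.\./"),                        # directory traversal
]

# Positive model: allow-list per resource (hypothetical /account page).
# Anything not described here is rejected; no signature is needed.
ALLOW_SCHEMA = {
    "/account": {
        "id": re.compile(r"^[0-9]{1,8}$"),
        "view": re.compile(r"^(summary|history)$"),
    }
}

def negative_model(path, params):
    """(allowed, reason): blocks only inputs matching a known signature."""
    for name, value in params.items():
        for sig in DENY_SIGNATURES:
            if sig.search(value):
                return False, f"signature {sig.pattern!r} matched in {name}"
    return True, "no signature matched"

def positive_model(path, params):
    """(allowed, reason): permits only parameters explicitly known to be safe."""
    schema = ALLOW_SCHEMA.get(path)
    if schema is None:
        return False, f"unknown resource {path}"
    for name, value in params.items():
        pattern = schema.get(name)
        if pattern is None:
            return False, f"unexpected parameter {name}"
        if not pattern.fullmatch(value):
            return False, f"{name}={value!r} outside allowed format"
    return True, "all parameters match the allow-list"

# Constructed sample requests: (path, query parameters).
SAMPLE_REQUESTS = [
    ("/account", {"id": "4711", "view": "summary"}),               # legitimate
    ("/account", {"id": "1 union select 2", "view": "summary"}),   # known signature
    ("/account", {"id": "4711", "view": "summary", "debug": "1"}), # unknown parameter
    ("/account", {"id": "4711x", "view": "summary"}),              # malformed id
]

def evaluate(requests=SAMPLE_REQUESTS):
    """Run both models; returns [(path, params, negative_ok, positive_ok), ...]."""
    return [(p, q, negative_model(p, q)[0], positive_model(p, q)[0]) for p, q in requests]

for path, params, neg, pos in evaluate():
    print(f"{path} {params}: negative={'allow' if neg else 'deny'} positive={'allow' if pos else 'deny'}")
```

The last two samples pass the negative model because no rule describes them, yet fail the positive model, which is the slide's point that an allow-list does not depend on knowing every dangerous input in advance.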
Page 12
Vendors
- ModSecurity
- Beeware IntelliWall
- Citrix NetScaler Application Firewall (Teros)
- DenyAll rWeb
- F5 TrafficShield (Magnifire)
- Imperva SecureSphere
- NetContinuum
- Breach BreachGate WebDefend
- …

WAF?:
- eEye SecureIIS
- Microsoft URLScan
- CheckPoint Application Intelligence?
- MS ISA Server?

Dead:
- Kavado InterDo
- Watchfire AppShield (Sanctum)
- Ubizen DMZShield
Page 13
Agenda
- Introduction
- WAF Primer
- Panel Discussion
Page 14
How mature are WAFs?
Page 15
Panel Discussion
- What do WAFs protect you from? What not?
- Where do you position WAFs in your architecture?
- What WAF functionality do you really need?
- How to reduce TCO?
- Who administers a WAF within the organisation?