firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: XML firewalls (WAF) (Paul Melson)
----------------------------------------------------------------------
Message: 1
Date: Tue, 12 May 2009 13:26:08 -0400
From: "Paul Melson" <pmelson@gmail.com>
Subject: Re: [fw-wiz] XML firewalls (WAF)
To: <firewall-wizards@listserv.icsalabs.com>
Message-ID: <001e01c9d326$bdbae550$3930aff0$@com>
Content-Type: text/plain; charset="us-ascii"
> After a reply to a previous post I was clued in on XML vulnerabilities
> with web applications. Off I went to do more reading when I
> discovered WAF. From what I read, the type of protection afforded by
> a WAF will address some portion of the XML vulnerabilities for both
> internal as well as externally facing web applications. Now I'm left
> wondering which web based applications actually use XML or other
> mechanisms (SOAP) that are at risk. I have a big MS SharePoint
> implementation that I'm particularly concerned about.
>
> Is there a way short of calling the vendors to see if they present the
> risk that WAF's allegedly help protect against?
There's a great paper and slide deck on selecting a WAF for your application
at webappsec.org:
http://www.webappsec.org/projects/wafec/
If I were looking for a way to protect SOAP services, I would start by
implementing WS-Security for mutual authentication. If I were going to
serve a large B2B partner count, or my services were going to be part of
Internet-facing web applications, I would look at implementing a positive
security model WAF that could parse XML. SOAP is easy enough to do with a
positive model because it should consist of small, similarly formatted requests
and responses using known tags and input formats. That is, the rules your WAF
will need to enforce are already part of the service's design.
PaulM
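The point above, that a positive-model WAF in front of SOAP only has to enforce rules the service contract already states, can be made concrete. What follows is an added example written for this page, not code from the list post or from any WAF product: a small positive-model validator in Python that admits a SOAP 1.1 request only if the envelope structure, the single operation in the Body, every parameter name and every parameter value's format match an allowlist. The service namespace urn:example:orders, the GetOrder/CancelOrder operations and their value formats are assumptions for the example, and the sample requests are constructed test data, not captured traffic.

```python
import re
import xml.etree.ElementTree as ET
from typing import Tuple

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
# Hypothetical service namespace: an assumption for this example.
SVC_NS = "urn:example:orders"

# Positive model. The only operations the (hypothetical) service exposes and,
# for each, the parameters it accepts and the exact format each value must
# have. This is what the service contract already says; nothing else passes.
ALLOWED_OPERATIONS = {
    "GetOrder": {"OrderId": re.compile(r"[0-9]{1,10}")},
    "CancelOrder": {
        "OrderId": re.compile(r"[0-9]{1,10}"),
        "Reason": re.compile(r"[A-Za-z0-9 .,'-]{1,200}"),
    },
}
MAX_REQUEST_BYTES = 8192


def _qname(ns, local):
    return "{%s}%s" % (ns, local)


def _local(tag, ns):
    # Returns the local name if the tag is in namespace ns, else None.
    prefix = "{%s}" % ns
    return tag[len(prefix):] if tag.startswith(prefix) else None


def validate_soap_request(raw: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Anything the model does not list is rejected."""
    if len(raw) > MAX_REQUEST_BYTES:
        return False, "request exceeds size limit"
    # The service never needs a DOCTYPE, so one is refused before parsing.
    # This keeps entity declarations (external or expanding) out entirely.
    if b"<!doctype" in raw[:512].lower() or b"<!entity" in raw.lower():
        return False, "DOCTYPE/ENTITY declarations are not permitted"
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return False, "malformed XML: %s" % exc
    if root.tag != _qname(SOAP_ENV, "Envelope"):
        return False, "root element is not a SOAP 1.1 Envelope"
    env_children = {_qname(SOAP_ENV, "Header"), _qname(SOAP_ENV, "Body")}
    if any(child.tag not in env_children for child in root):
        return False, "unexpected element inside Envelope"
    body = root.find(_qname(SOAP_ENV, "Body"))
    if body is None:
        return False, "missing SOAP Body"
    ops = list(body)
    if len(ops) != 1:
        return False, "Body must contain exactly one operation"
    op_name = _local(ops[0].tag, SVC_NS)
    rules = ALLOWED_OPERATIONS.get(op_name)  # None also when op_name is None
    if rules is None:
        return False, "unknown operation %r" % op_name
    seen = set()
    for param in ops[0]:
        name = _local(param.tag, SVC_NS)
        pattern = rules.get(name)
        if pattern is None:
            return False, "unknown parameter %r for %s" % (name, op_name)
        if name in seen:
            return False, "duplicate parameter %r" % name
        if param.attrib or len(param):
            return False, "parameter %r carries attributes or children" % name
        if not pattern.fullmatch(param.text or ""):
            return False, "parameter %r fails format check" % name
        seen.add(name)
    missing = sorted(set(rules) - seen)
    if missing:
        return False, "missing required parameter(s): %s" % ", ".join(missing)
    return True, "ok"


def _wrap(body_xml, prolog=b'<?xml version="1.0"?>'):
    # Builds a constructed SOAP 1.1 request (test data, not captured traffic).
    return (prolog + b'<soap:Envelope xmlns:soap="' + SOAP_ENV.encode()
            + b'"><soap:Body>' + body_xml + b'</soap:Body></soap:Envelope>')


GET_ORDER = b'<o:GetOrder xmlns:o="urn:example:orders"><o:OrderId>%s</o:OrderId></o:GetOrder>'
GOOD_REQUEST = _wrap(GET_ORDER % b"12345")
BAD_FORMAT_REQUEST = _wrap(GET_ORDER % b"12345abc")
UNKNOWN_OP_REQUEST = _wrap(b'<o:DeleteAllOrders xmlns:o="urn:example:orders"/>')
DOCTYPE_REQUEST = _wrap(GET_ORDER % b"1",
                        prolog=b'<?xml version="1.0"?><!DOCTYPE e [<!ENTITY a "aaaa">]>')

if __name__ == "__main__":
    for label, req in [("good", GOOD_REQUEST), ("bad format", BAD_FORMAT_REQUEST),
                       ("unknown op", UNKNOWN_OP_REQUEST), ("doctype", DOCTYPE_REQUEST)]:
        print(label, validate_soap_request(req))
```

The allowlist here is typed in by hand; in practice it would be generated from the service's WSDL/XSD, which is exactly why the positive model is cheap for SOAP. Note also that the stdlib expat parser is not hardened on its own, so a real deployment should pair this structural check with a parser that has DTD processing disabled (or a wrapper such as defusedxml) rather than rely on the byte-level DOCTYPE test alone.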
------------------------------
End of firewall-wizards Digest, Vol 37, Issue 11
************************************************