WAF评估标准-v1.0.pdf资源-CSDN文库

应用防火墙

4星 · 超过85%的资源需积分: 10 32 浏览量 2010-05-15 00:52:30 上传评论收藏 100KB PDF 举报

资源推荐

资源详情

资源评论

Web Application Firewall Evaluation

Criteria

Version 1.0 (January 16, 2006)

Table of Contents

Introduction .............................................................................................................................2

Contributors .....................................................................................................................2

Contact ............................................................................................................................3

Categories ................................................................................................................................4

Section 1 - Deployment Architecture .................................................................................4

Section 2 - HTTP and HTML Support ................................................................................7

Section 3 - Detection Techniques .....................................................................................10

Section 4 - Protection Techniques ....................................................................................12

Section 5 - Logging ........................................................................................................13

Section 6 - Reporting ......................................................................................................15

Section 7 - Management ..................................................................................................16

Section 8 - Performance ..................................................................................................20

Section 9 - XML .............................................................................................................21

A. Licence .............................................................................................................................21

Introduction

Web Application Firewalls (WAF) represent a new breed of information security technology that is de-

signed to protect web sites (web applications) from attack. WAF solutions are capable of preventing at-

tacks that network firewalls and intrusion detection systems can't. They also do not require modification

of the application source code. As today's web application attacks expand and their relative level of soph-

istication increases, it is vitally important to develop a standardised criteria for product evaluation. How

else can we accurately compare or measure the performance of a particular solution?

The goal of this project is to develop a set of web application firewall evaluation criteria; a testing meth-

odology that can be used by any reasonably skilled technician to independently assess the quality of a

WAF solution. However, our aim is not to document the features that must be supported in order for a

product to be called a web application firewall. Web application firewalls are simply too complex to be

treated like this.

To conclude: the purpose of this document to draw one's attention to the features that are of potential im-

portance to a given project. This comprehensive list should be used as basis to form a much shorter list of

features that are required for the project. The shorter list should then be used to evaluate multiple web ap-

plication firewall products.

Current categories are as follows:

1. Deployment Architecture

2. HTTP Support

3. Detection Techniques

4. Protection Techniques

5. Logging

6. Reporting

7. Management

8. Performance

9. XML

We expect to cover the following categories in the subsequent releases:

• Compliance, certifications, and interoperability.

• Increase coverage of performance issues (especially on the network level).

• Increase coverage of the XML-related functionality.

Contributors

This document is a result of team effort. The following people have contributed their time and expertise

to the project:

• Robert Auger (SPI Dynamics)

• Ryan C. Barnett (EDS)

Web Application Firewall Evaluation Criteria

Categories

Section 1 - Deployment Architecture

This section highlights the questions key to determining the feasibility of web application firewall deploy-

ment in a given environment.

1.1 Modes of Operation

Can the device be operated in both passive and active (inline) mode?

Describe which of the following active modes of operation apply to the WAF:

1. Bridge. Can be installed as a transparent bridge. Can it be configured to fail open?

2. Router. Network must be reconfigured to direct traffic through the WAF.

3. Reverse Proxy. Traffic is re-directed to flow through the WAF by making changes to DNS con-

figuration or by traffic redirection on the network level.

4. Embedded. WAF is installed as a web server plug-in. Which web servers are supported? Ex-

plain the level of integration with the web server. Some embedded web application firewalls

may only tap into the communication channel and do everything themselves. Others may rely

on the web server to do as much of the work as possible. (Both approaches have their advant-

ages and disadvantages.)

1.2 SSL

SSL is often used to protect traffic coming from and going to web applications. While this type of protec-

tion achieves the goal of data protection, it hides the data from the protection systems (e.g. intrusion de-

tection systems, web application firewalls) at the same time. Since SSL is in widespread use - in fact, se-

cure deployments require it - if a WAF cannot get to the traffic then it will be unable to perform its func-

tion.

Describe how the WAF can be deployed to access the protected data:

1. Terminates SSL. The network needs to be re-configured to move the SSL operations to the

WAF itself. WAF decrypts the encrypted traffic to get access to the HTTP data. The commu-

nication between the WAF and the web server can be in plain-text, or SSL-encrypted.

2. Passively decrypts SSL. Configured with a copy of the web server's SSL private key WAF de-

crypts the SSL traffic. The original data stream travels unaffected to the web servers, where it

is separately decrypted and processed.

3. Not Applicable. Working embedded in a web server, a WAF can be positioned to work just

after the SSL data is decrypted into plain-text.

Client certificates criteria:

1. Are client certificates supported in passive mode?

2. Are client certificates supported in active mode?

Web Application Firewall Evaluation Criteria

3. In termination mode, can the content from client certificates be sent to the application using

some alternative transport method (e.g. request headers).

Other SSL criteria:

1. In termination mode, can the backend traffic (i.e. the traffic from the WAF to the web server)

be encrypted via SSL?

2. Does the WAF support client certificates for backend communication?

3. Are all major cipher suites supported by the SSL implementation. Which ones?

4. Can the WAF retrieve SSL keys from an external key storage facility (e.g. network-based

Hardware Security Module)?

5. Is the SSL implementation FIPS 140-2 certified? Which FIPS levels are supported (level II

and/or III)?

6. Is there support for hardware-based SSL acceleration? If there is, are the SSL certificates se-

curely stored in the hardware?

1.3 Traffic Blocking

If the WAF is capable of blocking offending traffic, describe the nature of the blocking functionality:

1. Connection Intermediation. Traffic is intercepted and network protocol connections are termin-

ated on the WAF. Attacks are blocked by not forwarding the blocked requests to the destina-

tion.

2. Connection Interruption. Traffic is inspected, but not terminated by the WAF. Attacks are

blocked by stopping the connection to the destination. This can be either before any packets ar-

rive at the destination (e.g. a single-packet attack), or after a partial connection has been buf-

fered, but not completed, on the destination (e.g. in the case of segmented packets).

3. Connection Reset. Traffic is inspected by the WAF either via active, passive or embedded in-

spection mechanism. Attacks are blocked by resetting the relevant network (TCP) connections.

Connection reset is often used in conjunction with other blocking mechanisms.

4. Blocking via third-party device. Traffic is inspected by the WAF. Attacks are blocked by noti-

fying other devices (e.g. router or network firewall) to block a connection.

Describe the scope of blocking capabilities:

1. Blocks the HTTP request.

2. Blocks the connection.

3. Blocks the IP address.

4. Blocks the application session.

5. Blocks the application user.

When blocking is taking place on the HTTP level, can the WAF be configured to present the user with a

friendly, meaningful, message? Can a unique transaction ID be presented to the user (see Section 5.1)?

For a WAF that supports blocking, is it possible to turn blocking off (completely, or for certain types of

requests only - determined dynamically for every request)?

Web Application Firewall Evaluation Criteria

剩余21页未读，继续阅读

评论收藏

内容反馈

iamapigchenji

2012-06-28

可以作为参考文档

一枫

粉丝: 114
资源: 8

WAF评估标准-v1.0.pdf

2018信息安全管理与评估正式赛卷与评分标准

WAF攻防实战笔记v1.0--Bypass.pdf

01-AWS-IAM-VPC-CloudTrail操作指南-v1.0.pdf

BlackHat-DC-09-Barnett-WAF-Patching-Challenge-Whitepaper.pdf

x-waf-admin0.1-linux-amd64.tar.gz

网御WAF快速安装指南-WAG3078.pdf

PyPI 官网下载 | ikala-cloud.aws-waf-solution-2.0.5.tar.gz

PyPI 官网下载 | aliyun-python-sdk-waf-openapi-1.0.0.tar.gz

Python库 | mypy-boto3-waf-regional-1.10.39.5.tar.gz

Python库 | mypy-boto3-waf-regional-1.14.55.2.tar.gz

PyPI 官网下载 | mypy-boto3-waf-regional-1.18.16.tar.gz

PyPI 官网下载 | mypy-boto3-waf-regional-1.16.53.0.tar.gz

PyPI 官网下载 | mypy-boto3-waf-regional-1.12.28.1.tar.gz

PyPI 官网下载 | mypy-boto3-waf-regional-1.14.57.0.tar.gz

PyPI 官网下载 | mypy-boto3-waf-regional-1.17.109.tar.gz

PyPI 官网下载 | mypy-boto3-waf-regional-1.17.100.tar.gz

PyPI 官网下载 | mypy-boto3-waf-regional-1.16.28.0.tar.gz

PyPI 官网下载 | mypy-boto3-waf-regional-1.16.12.0.tar.gz

PyPI 官网下载 | mypy-boto3-waf-regional-1.10.47.0.tar.gz

天清WAG快速安装指南-WAF7080.pdf

微信小程序源码-合集6.rar

微信小程序源码-合集5.rar

微信小程序源码-合集4.rar

微信小程序源码-合集3.rar

微信小程序源码-合集2.rar

浏览器插件 Auto Refresh Plus 7.4.4 ctx

品优购项目 素材及代码

学生宿舍管理系统源码文件

全能电子地图下载器1.9.5完善版.zip

最新资源

品优购项目素材及代码