WAF评估标准-v1.0.pdf
Uploaded 2010-05-15 (PDF, 100KB, 22 pages; preview of the first pages only)
English version of the Web Application Firewall Evaluation Criteria 1.0; a useful guide for anyone developing a WAF.
Web Application Firewall Evaluation
Criteria
Version 1.0 (January 16, 2006)
Copyright © 2005,2006 Web Application Security Consortium (http://www.webappsec.org)
Table of Contents
Introduction (p. 2)
  Contributors (p. 2)
  Contact (p. 3)
Categories (p. 4)
  Section 1 - Deployment Architecture (p. 4)
  Section 2 - HTTP and HTML Support (p. 7)
  Section 3 - Detection Techniques (p. 10)
  Section 4 - Protection Techniques (p. 12)
  Section 5 - Logging (p. 13)
  Section 6 - Reporting (p. 15)
  Section 7 - Management (p. 16)
  Section 8 - Performance (p. 20)
  Section 9 - XML (p. 21)
A. Licence (p. 21)
Introduction
Web Application Firewalls (WAF) represent a new breed of information security technology that is designed to protect web sites (web applications) from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't. They also do not require modification of the application source code. As today's web application attacks expand and their relative level of sophistication increases, it is vitally important to develop standardised criteria for product evaluation. How else can we accurately compare or measure the performance of a particular solution?
The goal of this project is to develop a set of web application firewall evaluation criteria; a testing methodology that can be used by any reasonably skilled technician to independently assess the quality of a WAF solution. However, our aim is not to document the features that must be supported in order for a product to be called a web application firewall. Web application firewalls are simply too complex to be treated like this.
To conclude: the purpose of this document is to draw one's attention to the features that are of potential importance to a given project. This comprehensive list should be used as a basis to form a much shorter list of features that are required for the project. The shorter list should then be used to evaluate multiple web application firewall products.
Current categories are as follows:
1. Deployment Architecture
2. HTTP Support
3. Detection Techniques
4. Protection Techniques
5. Logging
6. Reporting
7. Management
8. Performance
9. XML
We expect to cover the following categories in the subsequent releases:
• Compliance, certifications, and interoperability.
• Increase coverage of performance issues (especially on the network level).
• Increase coverage of the XML-related functionality.
Contributors
This document is a result of team effort. The following people have contributed their time and expertise
to the project:
• Robert Auger (SPI Dynamics)
• Ryan C. Barnett (EDS)
• Charlie Cano (F5)
• Anton Chuvakin (netForensics)
• Matthieu Estrade (Bee Ware)
• Sagar Golla (Secureprise)
• Jeremiah Grossman (WhiteHat Security)
• Achim Hoffmann (Individual)
• Amit Klein (Individual)
• Mark Kraynak (Imperva)
• Vidyaranya Maddi (Cisco Systems)
• Ofer Maor (Hacktics)
• Cyrill Osterwalder (Seclutions AG)
• Sylvain Maret (e-Xpert Solutions)
• Gunnar Peterson (Arctec Group)
• Pradeep Pillai (Cisco Systems)
• Kurt R. Roemer (NetContinuum)
• Kenneth Salchow (F5)
• Rafael San Miguel (daVinci Consulting)
• Greg Smith (Citrix Systems)
• David Movshovitz (F5)
• Ivan Ristic (Thinking Stone) [Project Leader]
• Ory Segal (Watchfire)
• Ofer Shezaf (Breach Security)
• Andrew Stern (F5)
• Bob Walder (NSS Group)
Contact
Participation in the Web Application Firewall Evaluation Criteria project is open to all. If you wish to comment on the evaluation criteria or join the team mailing list, please contact Ivan Ristic via email (<ivanr@webkreator.com>).
Categories
Section 1 - Deployment Architecture
This section highlights the questions key to determining the feasibility of web application firewall deployment in a given environment.
1.1 Modes of Operation
Can the device be operated in both passive and active (inline) mode?
Describe which of the following active modes of operation apply to the WAF:
1. Bridge. Can be installed as a transparent bridge. Can it be configured to fail open?
2. Router. Network must be reconfigured to direct traffic through the WAF.
3. Reverse Proxy. Traffic is re-directed to flow through the WAF by making changes to DNS configuration or by traffic redirection on the network level.
4. Embedded. WAF is installed as a web server plug-in. Which web servers are supported? Explain the level of integration with the web server. Some embedded web application firewalls may only tap into the communication channel and do everything themselves. Others may rely on the web server to do as much of the work as possible. (Both approaches have their advantages and disadvantages.)
1.2 SSL
SSL is often used to protect traffic coming from and going to web applications. While this type of protection achieves the goal of data protection, it hides the data from the protection systems (e.g. intrusion detection systems, web application firewalls) at the same time. Since SSL is in widespread use - in fact, secure deployments require it - if a WAF cannot get to the traffic then it will be unable to perform its function.
Describe how the WAF can be deployed to access the protected data:
1. Terminates SSL. The network needs to be re-configured to move the SSL operations to the WAF itself. The WAF decrypts the encrypted traffic to get access to the HTTP data. The communication between the WAF and the web server can be in plain-text, or SSL-encrypted.
2. Passively decrypts SSL. Configured with a copy of the web server's SSL private key, the WAF decrypts the SSL traffic. The original data stream travels unaffected to the web servers, where it is separately decrypted and processed.
3. Not Applicable. Working embedded in a web server, a WAF can be positioned to work just after the SSL data is decrypted into plain-text.
Client certificates criteria:
1. Are client certificates supported in passive mode?
2. Are client certificates supported in active mode?
3. In termination mode, can the content from client certificates be sent to the application using some alternative transport method (e.g. request headers)?
Other SSL criteria:
1. In termination mode, can the backend traffic (i.e. the traffic from the WAF to the web server)
be encrypted via SSL?
2. Does the WAF support client certificates for backend communication?
3. Are all major cipher suites supported by the SSL implementation? Which ones?
4. Can the WAF retrieve SSL keys from an external key storage facility (e.g. network-based
Hardware Security Module)?
5. Is the SSL implementation FIPS 140-2 certified? Which FIPS levels are supported (level II
and/or III)?
6. Is there support for hardware-based SSL acceleration? If there is, are the SSL certificates securely stored in the hardware?
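Client certificate criterion 3 above asks whether a terminating WAF can hand client-certificate content to the application over request headers. The Python below is an added example, not code from the WAFEC document or from any WAF product. It assumes the WAF has already verified the client certificate during the TLS handshake and holds it in the dict shape that Python's ssl.SSLSocket.getpeercert() returns; the X-Client-Cert-* header names are a hypothetical convention agreed with the application. The point it demonstrates is that the WAF must strip every inbound header of the reserved names before adding its own, otherwise a client could forge the identity the application trusts.

```python
"""Added example (not part of the WAFEC document): forwarding client-certificate
identity from a TLS-terminating WAF to the backend application in request headers.

Assumptions (ours, not the page's): the WAF has already validated the client
certificate during the TLS handshake and holds it in the dict shape returned by
ssl.SSLSocket.getpeercert(); the X-Client-Cert-* header names are a hypothetical
convention agreed with the application.
"""
from typing import List, Optional, Tuple

# Hypothetical header names carrying identity derived from the verified client cert.
CLIENT_CERT_HEADERS = ("X-Client-Cert-Subject", "X-Client-Cert-Issuer", "X-Client-Cert-Serial")


def format_dn(dn: Tuple[Tuple[Tuple[str, str], ...], ...]) -> str:
    """Render a getpeercert()-style distinguished name as 'type=value,type=value'."""
    parts = []
    for rdn in dn:  # each RDN is a tuple of (attribute type, value) pairs
        for attr_type, value in rdn:
            parts.append(f"{attr_type}={value}")
    return ",".join(parts)


def build_backend_headers(inbound: List[Tuple[str, str]],
                          peer_cert: Optional[dict]) -> List[Tuple[str, str]]:
    """Return the header list the WAF sends to the backend.

    Every inbound header with a reserved name is dropped first, whatever its
    letter case, so a client cannot inject a forged identity; the reserved
    headers are then populated only from the certificate the WAF itself verified.
    """
    reserved = {h.lower() for h in CLIENT_CERT_HEADERS}
    out = [(name, value) for name, value in inbound if name.lower() not in reserved]
    if peer_cert:  # an empty dict means no client certificate was presented
        out.append(("X-Client-Cert-Subject", format_dn(peer_cert["subject"])))
        out.append(("X-Client-Cert-Issuer", format_dn(peer_cert["issuer"])))
        out.append(("X-Client-Cert-Serial", peer_cert["serialNumber"]))
    return out


# Constructed sample: a getpeercert()-shaped record and a request whose client
# tries to smuggle in a forged identity header.
SAMPLE_CERT = {
    "subject": ((("commonName", "alice"),), (("organizationName", "Example Corp"),)),
    "issuer": ((("commonName", "Example Corp Client CA"),),),
    "serialNumber": "0A1B2C",
}
SAMPLE_INBOUND = [
    ("Host", "app.example.test"),
    ("x-client-cert-subject", "CN=admin"),  # forged by the client; must be stripped
    ("User-Agent", "constructed-sample/1.0"),
]

if __name__ == "__main__":
    for name, value in build_backend_headers(SAMPLE_INBOUND, SAMPLE_CERT):
        print(f"{name}: {value}")
```

The same stripping rule applies to any trust-carrying header the WAF adds (client IP, session attributes); in termination mode the WAF is the only party that may set them, so the backend should additionally be reachable only from the WAF, otherwise the headers can be set by whoever bypasses it.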
1.3 Traffic Blocking
If the WAF is capable of blocking offending traffic, describe the nature of the blocking functionality:
1. Connection Intermediation. Traffic is intercepted and network protocol connections are terminated on the WAF. Attacks are blocked by not forwarding the blocked requests to the destination.
2. Connection Interruption. Traffic is inspected, but not terminated by the WAF. Attacks are blocked by stopping the connection to the destination. This can be either before any packets arrive at the destination (e.g. a single-packet attack), or after a partial connection has been buffered, but not completed, on the destination (e.g. in the case of segmented packets).
3. Connection Reset. Traffic is inspected by the WAF either via active, passive or embedded inspection mechanism. Attacks are blocked by resetting the relevant network (TCP) connections. Connection reset is often used in conjunction with other blocking mechanisms.
4. Blocking via third-party device. Traffic is inspected by the WAF. Attacks are blocked by notifying other devices (e.g. router or network firewall) to block a connection.
Describe the scope of blocking capabilities:
1. Blocks the HTTP request.
2. Blocks the connection.
3. Blocks the IP address.
4. Blocks the application session.
5. Blocks the application user.
When blocking is taking place on the HTTP level, can the WAF be configured to present the user with a friendly, meaningful message? Can a unique transaction ID be presented to the user (see Section 5.1)?
For a WAF that supports blocking, is it possible to turn blocking off (completely, or for certain types of requests only - determined dynamically for every request)?
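The blocking scope list, the friendly block page with a transaction ID, and the per-request switch between blocking and detection-only mode all describe one decision point in a WAF. The following Python is an added example, not code from the WAFEC document or from any WAF product: it assumes a hypothetical inspection engine has already produced detections, each tagged with one of the Section 1.3 scopes, and shows how the blocking decision records IP, session and user scope for later requests, signals connection closure, and returns a block page that exposes only the transaction ID rather than rule details.

```python
"""Added example (not part of the WAFEC document): an HTTP-level blocking
decision for a WAF, covering the blocking scopes of Section 1.3 (request,
connection, IP address, session, user), a friendly block page carrying a
unique transaction ID (Section 5.1), and a per-request switch between
blocking and detection-only mode.

The data structures, rule identifiers and the detect_only hook are our own
assumptions; a real WAF would feed detections from its own inspection engine.
"""
import uuid
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Set


class Scope(Enum):
    REQUEST = "request"        # drop just this request
    CONNECTION = "connection"  # close the TCP connection after responding
    IP = "ip"                  # remember the client address
    SESSION = "session"        # remember the application session identifier
    USER = "user"              # remember the authenticated application user


@dataclass
class Request:
    client_ip: str
    path: str
    session_id: Optional[str] = None
    user: Optional[str] = None
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Detection:
    rule_id: str  # hypothetical rule identifier from the inspection engine
    scope: Scope


@dataclass
class Decision:
    blocked: bool
    transaction_id: str
    status: int = 200
    body: str = ""
    close_connection: bool = False


@dataclass
class BlockingPolicy:
    # Blocking can be switched off globally, or per request through a callable
    # that inspects the request (e.g. to keep a monitoring path in detect-only).
    blocking_enabled: bool = True
    detect_only: Callable[[Request], bool] = lambda r: False
    blocked_ips: Set[str] = field(default_factory=set)
    blocked_sessions: Set[str] = field(default_factory=set)
    blocked_users: Set[str] = field(default_factory=set)

    def _previously_blocked(self, req: Request) -> Optional[str]:
        """Return the scope under which this request is already blocked, if any."""
        if req.client_ip in self.blocked_ips:
            return "ip"
        if req.session_id and req.session_id in self.blocked_sessions:
            return "session"
        if req.user and req.user in self.blocked_users:
            return "user"
        return None

    def decide(self, req: Request, detections: List[Detection]) -> Decision:
        # One ID per transaction: shown to the user and written to the WAF log
        # so that support staff can correlate a complaint with the log entry.
        tx = uuid.uuid4().hex
        if self._previously_blocked(req) is None and not detections:
            return Decision(blocked=False, transaction_id=tx)
        if not self.blocking_enabled or self.detect_only(req):
            # Detection-only: the event would be logged here, request passes.
            return Decision(blocked=False, transaction_id=tx)
        close = False
        for d in detections:  # widen the block to the scope each rule asked for
            if d.scope is Scope.IP:
                self.blocked_ips.add(req.client_ip)
            elif d.scope is Scope.SESSION and req.session_id:
                self.blocked_sessions.add(req.session_id)
            elif d.scope is Scope.USER and req.user:
                self.blocked_users.add(req.user)
            elif d.scope is Scope.CONNECTION:
                close = True
        # Friendly message: no rule names or payload echoes, only the reference.
        body = ("Your request could not be processed. "
                f"Please quote reference {tx} when contacting support.")
        return Decision(blocked=True, transaction_id=tx, status=403,
                        body=body, close_connection=close)


if __name__ == "__main__":
    policy = BlockingPolicy(detect_only=lambda r: r.path == "/healthz")
    req = Request("198.51.100.7", "/login", session_id="s1", user="bob")  # constructed
    print(policy.decide(req, [Detection("r-1", Scope.IP), Detection("r-2", Scope.CONNECTION)]))
    print(policy.decide(Request("198.51.100.7", "/"), []))  # IP remembered, still blocked
```

Note that in detection-only mode the policy deliberately does not populate the IP, session or user block lists: a detection that merely logs must not have a lasting side effect, otherwise switching blocking back on would enforce decisions nobody reviewed.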
Comments
- iamapigchenji (2012-06-28): Useful as a reference document.