Re: XML firewalls (WAF)

["Paul Melson" <pmelson () gmail com>]

> After a reply to a previous post I was clued in on XML vulnerabilities 
> with web applications.  Off I went to do more reading when I 
> discovered WAF.  >From what I read, the type of protection afforded by 
> a WAF will address some portion of the XML vulnerabilities for both 
> internal as well as externally facing web applications.  Now I'm left 
> wondering which web based applications actually use XML or other 
> mechanisms (SOAP) that are at risk.  I have a big MS SharePoint
implementation that I'm particularly concerned about.
> Is there a way short of calling the vendors to see if they present the 
> risk that WAF's allegedly help protect against?

There's a great paper and slide deck on selecting a WAF for your application
at webappsec.org:

http://www.webappsec.org/projects/wafec/

If I were looking for a way to protect SOAP services, I would start by
implementing WS-Security for mutual authentication.  If I were going to
serve a large B2B partner count, or my services were going to be part of
Internet-facing web applications, I would look at implementing a positive
security model WAF that could parse XML.  SOAP is easy enough to do with a
positive model because it should be small, similarly formatted requests and
responses using known tags and input formats.  That is, the rules your WAF
will need to enforce are already part of the service's design.

PaulM


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards