Firewall Wizards mailing list archives
Re: XML firewalls (WAF)
From: "Paul Melson" <pmelson () gmail com>
Date: Tue, 12 May 2009 13:26:08 -0400
After a reply to a previous post I was clued in on XML vulnerabilities with web applications. Off I went to do more reading when I discovered WAF. >From what I read, the type of protection afforded by a WAF will address some portion of the XML vulnerabilities for both internal as well as externally facing web applications. Now I'm left wondering which web based applications actually use XML or other mechanisms (SOAP) that are at risk. I have a big MS SharePoint
implementation that I'm particularly concerned about.
Is there a way short of calling the vendors to see if they present the risk that WAF's allegedly help protect against?
There's a great paper and slide deck on selecting a WAF for your application at webappsec.org: http://www.webappsec.org/projects/wafec/ If I were looking for a way to protect SOAP services, I would start by implementing WS-Security for mutual authentication. If I were going to serve a large B2B partner count, or my services were going to be part of Internet-facing web applications, I would look at implementing a positive security model WAF that could parse XML. SOAP is easy enough to do with a positive model because it should be small, similarly formatted requests and responses using known tags and input formats. That is, the rules your WAF will need to enforce are already part of the service's design. PaulM _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- XML firewalls (WAF) Chris Hughes (May 08)
- Message not available
- Re: XML firewalls (WAF) Paul Melson (May 12)
- Message not available
- Re: XML firewalls (WAF) david (May 17)
- <Possible follow-ups>
- Re: XML firewalls (WAF) Chris Hughes (May 20)