Open Source and information security mailing list archives
 
Message-ID: <20060125111758.GB26942@eltex.net>
Date: Wed, 25 Jan 2006 14:17:58 +0300
From: ArkanoiD <ark@...ex.net>
To: Gadi Evron <ge@...uxbox.org>
Cc: bugtraq@...urityfocus.com, firewall-wizards@...or.icsalabs.com
Subject: Re: Announcement: The Web Application Firewall Evaluation Criteria v1 Released


nuqneH,

Well, again, what we actually need is higher level inspection toolkit
to deal with protocols working over http. That makes the whole thing useful
and we get the idea of firewall working again - now it does not.
(this applies to traditional proxy firewalls as well as to w.a.f. as reverse 
proxy etc). Once we can work with the protocol, we can define a kind of
policy on that layer.

A good thing to start with is xml-based protocols, isn't it?
Any known implementation or just work in progress? I'd like to do it
myself but I'm afraid I do not have sufficient resources for now.

I cc this to firewall-wizards mailing list, it may be of some interest
there.

On Sun, Jan 22, 2006 at 08:44:13AM +0200, Gadi Evron wrote:
> contact@...appsec.org wrote:
> >The Web Application Firewall Evaluation Criteria project is proud
> >to announce v1.0 of The Web Application Firewall Evaluation Criteria
> >(WAFEC), its first official release.
> >
> >WAFEC is a result of a collaboration between web application
> >firewall vendors and independent security professionals to create a
> >comprehensive, vendor-neutral, web application firewall evaluation
> >criteria. The resulting framework can be used to evaluate and
> >compare web application firewalls.
> >
> >WAFEC v1.0 can be downloaded from the project home page:
> >
> >  http://www.webappsec.org/projects/wafec/
> 
> Having a good framework by which to judge these applications is very 
> cool as I had to do without quite a few times before. Thanks for 
> creating it.
> 
> It is my belief that *today's* web application firewalls are a waste of 
> money. Some people disagree and as I respect them, I will answer their 
> questions one by one.
> 
> This is pretty long, check out:
> http://blogs.securiteam.com/index.php/archives/220
> 
> And the follow-up, answering questions and good arguments: 
> http://blogs.securiteam.com/?p=237
> 
> I'd appreciate any input.
> 
> 	Gadi.
