Message-ID: <20060125111758.GB26942@eltex.net>
Date: Wed, 25 Jan 2006 14:17:58 +0300
From: ArkanoiD <ark@...ex.net>
To: Gadi Evron <ge@...uxbox.org>
Cc: bugtraq@...urityfocus.com, firewall-wizards@...or.icsalabs.com
Subject: Re: Announcement: The Web Application Firewall Evaluation Criteria v1 Released

nuqneH,

Well, again, what we actually need is higher level inspection toolkit
to deal with protocols working over http. That makes the whole thing useful
and we get the idea of firewall working again - now it does not.
(this applies to traditional proxy firewalls as well as to w.a.f. as reverse
proxy etc). Once we can work with the protocol, we can define a kind of
policy on that layer.

A good thing to start with is xml-based protocols, isn't it?
Any known implementation or just work in progress? I'd like to do it
myself but I'm afraid I do not have sufficient resources for now.

I cc this to firewall-wizards mailing list, it may be of some interest
there.

On Sun, Jan 22, 2006 at 08:44:13AM +0200, Gadi Evron wrote:
> contact@...appsec.org wrote:
> >The Web Application Firewall Evaluation Criteria project is proud
> >to announce v1.0 of The Web Application Firewall Evaluation Criteria
> >(WAFEC), its first official release.
> >
> >WAFEC is a result of a collaboration between web application
> >firewall vendors and independent security professionals to create a
> >comprehensive, vendor-neutral, web application firewall evaluation
> >criteria. The resulting framework can be used to evaluate and
> >compare web application firewalls.
> >
> >WAFEC v1.0 can be downloaded from the project home page:
> >
> > http://www.webappsec.org/projects/wafec/
>
> Having a good framework by which to judge these applications is very
> cool as I had to do without quite a few times before. Thanks for
> creating it.
>
> It is my belief that *today's* web application firewalls are a waste of
> money. Some people disagree and as I respect them, I will answer their
> questions one by one.
>
> This is pretty long, check out:
> http://blogs.securiteam.com/index.php/archives/220
>
> And the follow-up, answering questions and good arguments:
> http://blogs.securiteam.com/?p=237
>
> I'd appreciate any input.
>
> Gadi.