- Protecting yourself from a new online scam
- Diary of a deliberately spammed housewife
- Silly Internet traditions: A concise history
- How to avoid laptop loss at the airport
- Top 10 worst uses for Windows
News | Newsletters | Podcasts | Chats | Opinions | RSS Feeds | This Week In Print | IT Careers | Community | Reports | Downloads | Slideshows | New Data Center
Partner Sites:App Performance | On Demand Security | Networking Solution | SOA | Value of WDS
Web application firewall is a simple term, but understanding what it means is proving so difficult for customers that an industry consortium is publishing advice on how to make a choice among the many devices that fall into this category.
On Monday, a 20-page document called Web Application Firewall Evaluation Criteria is being published by the Web Application Security Consortium, a group formed a year ago from vendors, consultants and end users. The document will be available here.
Broadly, Web application firewalls examine HTTP and HTTPS traffic at the application layer, looking for attacks masquerading as legitimate application traffic. They defend against attempts to tap sensitive information stored on Web application servers, such as credit card and social security numbers as well as proprietary corporate information.
There are such a wealth and variety of methods for accomplishing this goal that it is difficult for potential customers to figure out what product best suits their needs, says Mark Kraynak, director of product marketing for WAF vendor Imperva who served on the Web Application Security Consortium committee that wrote the document. Other vendors include Citrix, F5 Networks, NetContinuum and Protegrity among others.
"There's too much functionality and only one name for the products," says Kraynak. "A lot of our customers don't know what criteria they should be evaluating. There's confusion."
No single WAF device is appropriate for all networks, says Ivan Ristic, who headed the evaluation effort for the consortium. He also runs Thinking Stone, a Web application security consulting firm. "You need to look at your security requirements and business goals. Create a short list of features you need, and use that to sort products."
For example, a business that needs to document all HTTP transactions for regulatory purposes may need a WAF with very few features, Ristic says. Or a business with a single Web server might need no separate WAF, but only application firewall software that can run on the server itself, he says.
The range of features is broad. A WAF can deal with SSL traffic, for example, by terminating it, examining it and passing it on or capturing it and decrypting it but not terminating sessions. Similarly, if the WAF needs to block traffic, it can terminate network-protocol connections and not pass on malicious traffic or it can sever suspicious connections altogether.
The Diane's of the industry should be acknowledged for their understanding of why products fail when...- Anon
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 |
Copyright © 1994-2008 Network World, Inc. All rights reserved. |
Comment