We’ll try to cover all of the issues we can during this week-long WAF thread. Thanks for bringing up some important issues. It seems to be that WAF ideas are just “all over the place”, lacking in any consolidating binding force, or any consistency to hold onto.

I think that network-based IPS was meant to act as a way to “virtual patch” a handful of specific exploits that do not yet have reliable and/or installed patches. What network IPS really does instead is not really a “patch”, but just another blacklist for exploits in clear format, with clear text. Did you know that there are potentially 70 or more known evasion methods for any given DCOM or similar exploit?

For host-based IPS, it depends on how the system works — whether NOEXEC, ASLR, or mandatory/rule-based access control (or even a simple closed-DAC). In the last case of authorization, business logic flaws apply more than in the other areas (I don’t see how they apply at all, unless you’re talking about evasion or similar). I guess don’t really understand the question.

If you’re talking about behavioral analysis or anomaly detection, I don’t feel that I have the exposure or experience with such products or theory to make a qualified statement.

I’ve never heard any WAF enthusiast claim WAFs solve business logic problems

Meet Jeremiah Grossman, VA+WAF enthusiast who claims that business logic problems can be solved by WAF. It’s good to see that you WAF enthusiasts collaborate so well!

If the case of “one hand doesn’t know what the other hand is doing”, this is another clear indicator that we should wait on WAF technology.

As for your claim about WAFEC: I started WAFEC specifically to help people understand what WAFs can and cannot do. If you want to do the same then please send me some constructive comments, and they are likely to find their way into a future version.

Music for kids your age.

You’re right. I was making assumptions and being overly-defensive. We’ll make it up in the next posts by having Marcin provide links to download the new Girl Talk album for some good tunes listening during our little war here. *lighters*

Not everyone is out to get you, and a good point delivered in an ugly way is not going to change anyone’s opinion, so that behavior is lose-lose.

http://www.owasp.org/images/9/9d/OWASP-AppSecEU08-Madou.pdf
http://www.blackhat.com/presentations/bh-europe-07/Kureha/Whitepaper/bh-eu-07-chess-kureha-WP.pdf

This is developing into a dogfight without need. I like this blog and I started to comment because I felt like I could contribute with a point or two. If that is not welcome, then please delete my comments.

If you truely believe that this whole WAF thing is all crap and that it is easier to perfect the sourcecode to holiness, then that is fair with me. I don’t buy it, though.

But who am I to have an opinion here? I am only a fool running a knitting online forum for grandma and we try to protect her from the spam by her sister Tilly. Never heard about productive environments. I mean we never plan. We just install stuff and pray it works.

And as for these studies: Do you have more details like names and links? Sorry, if they are well known to everybody apart from me.