Comments on: Decreasing Security for Perceived Security — all in the name of compliance http://www.tssci-security.com/archives/2008/11/20/decreasing-security-for-perceived-security-all-in-the-name-of-compliance/ top secret/secure computing information Thu, 01 Apr 2010 15:34:41 -0500 http://wordpress.org/?v=2.8.6 hourly 1 By: Ninja CISO http://www.tssci-security.com/archives/2008/11/20/decreasing-security-for-perceived-security-all-in-the-name-of-compliance/comment-page-1/#comment-19201 Ninja CISO Thu, 25 Dec 2008 22:31:22 +0000 http://www.tssci-security.com/archives/2008/11/20/decreasing-security-for-perceived-security-all-in-the-name-of-compliance/#comment-19201 I love this! It reminds me of complying with the DoD's PPS by using a less secure but authorized protocol. I love this! It reminds me of complying with the DoD’s PPS by using a less secure but authorized protocol.

]]> By: Marcin http://www.tssci-security.com/archives/2008/11/20/decreasing-security-for-perceived-security-all-in-the-name-of-compliance/comment-page-1/#comment-18927 Marcin Sat, 20 Dec 2008 23:03:02 +0000 http://www.tssci-security.com/archives/2008/11/20/decreasing-security-for-perceived-security-all-in-the-name-of-compliance/#comment-18927 Rafal, I thought we talked about this back in September. So yah, it is ironic, but instead of just theory, I have practical experience not only working with WAFs but implementing them from the ground up, and also working with developers to get code fixed. And yes, this is a "from scratch" WAF implementation. It is not easy, and for anyone who thinks they can just "throw a WAF in front of an app" is in for a heart-wrenching world of pain. I will be on an upcoming OWASP Podcast with Jim Manico, in which I'll talk about a whole bunch of interesting things I learned from the project. Very worthwhile experience, even though I dreaded everyday WAF issues. Rafal, I thought we talked about this back in September. So yah, it is ironic, but instead of just theory, I have practical experience not only working with WAFs but implementing them from the ground up, and also working with developers to get code fixed.

And yes, this is a “from scratch” WAF implementation. It is not easy, and for anyone who thinks they can just “throw a WAF in front of an app” is in for a heart-wrenching world of pain.

I will be on an upcoming OWASP Podcast with Jim Manico, in which I’ll talk about a whole bunch of interesting things I learned from the project. Very worthwhile experience, even though I dreaded everyday WAF issues.

]]> By: Rafal Los http://www.tssci-security.com/archives/2008/11/20/decreasing-security-for-perceived-security-all-in-the-name-of-compliance/comment-page-1/#comment-18882 Rafal Los Sat, 20 Dec 2008 06:10:20 +0000 http://www.tssci-security.com/archives/2008/11/20/decreasing-security-for-perceived-security-all-in-the-name-of-compliance/#comment-18882 @Marcin: 2 quick comments... both of which you're probably expecting: 1) This has to be the ultimate irony: You on a PCI remediation project, implementing WAF... maybe Karma? 2) If I understand you right, this is exactly what you get for trying to implement a WAF from scratch :) I'm amused- hey, Merry Christmas (Wesolych Swiat) @Marcin: 2 quick comments… both of which you’re probably expecting:
1) This has to be the ultimate irony: You on a PCI remediation project, implementing WAF… maybe Karma?
2) If I understand you right, this is exactly what you get for trying to implement a WAF from scratch :)

I’m amused- hey, Merry Christmas (Wesolych Swiat)

]]> By: jodi http://www.tssci-security.com/archives/2008/11/20/decreasing-security-for-perceived-security-all-in-the-name-of-compliance/comment-page-1/#comment-18422 jodi Fri, 12 Dec 2008 20:09:58 +0000 http://www.tssci-security.com/archives/2008/11/20/decreasing-security-for-perceived-security-all-in-the-name-of-compliance/#comment-18422 DH is susceptible to MITM, from the same wikipedia entry: In the original description, the Diffie-Hellman exchange by itself does not provide authentication of the communicating parties and is thus vulnerable to a man-in-the-middle attack. A person in the middle may establish two distinct Diffie-Hellman key exchanges, one with Alice and the other with Bob, effectively masquerading as Alice to Bob, and vice versa, allowing the attacker to decrypt (and read or store) then re-encrypt the messages passed between them. DH is susceptible to MITM, from the same wikipedia entry:

In the original description, the Diffie-Hellman exchange by itself does not provide authentication of the communicating parties and is thus vulnerable to a man-in-the-middle attack. A person in the middle may establish two distinct Diffie-Hellman key exchanges, one with Alice and the other with Bob, effectively masquerading as Alice to Bob, and vice versa, allowing the attacker to decrypt (and read or store) then re-encrypt the messages passed between them.

]]> By: LonerVamp http://www.tssci-security.com/archives/2008/11/20/decreasing-security-for-perceived-security-all-in-the-name-of-compliance/comment-page-1/#comment-17447 LonerVamp Sat, 22 Nov 2008 00:05:03 +0000 http://www.tssci-security.com/archives/2008/11/20/decreasing-security-for-perceived-security-all-in-the-name-of-compliance/#comment-17447 Fair enough, and it really depends what devices you have at your disposal. For instance mine terminates SSL, does LB, and has a WAF as well, so I can terminate SSl and reinit another backend SSL session while still seeing inside the traffic. But your version has merit, of course. And I might still be making the poor assumption that I am using similar strong ciphers, which I truly doubt I am. Maybe with stronger ones I can't terminate it? I don't know. FYI, I have several Citrix Netscalers at my disposal. Fair enough, and it really depends what devices you have at your disposal. For instance mine terminates SSL, does LB, and has a WAF as well, so I can terminate SSl and reinit another backend SSL session while still seeing inside the traffic.

But your version has merit, of course.

And I might still be making the poor assumption that I am using similar strong ciphers, which I truly doubt I am. Maybe with stronger ones I can’t terminate it? I don’t know.

FYI, I have several Citrix Netscalers at my disposal.

]]> By: Marcin http://www.tssci-security.com/archives/2008/11/20/decreasing-security-for-perceived-security-all-in-the-name-of-compliance/comment-page-1/#comment-17420 Marcin Fri, 21 Nov 2008 14:59:49 +0000 http://www.tssci-security.com/archives/2008/11/20/decreasing-security-for-perceived-security-all-in-the-name-of-compliance/#comment-17420 We've strategically positioned the WAF to listen on traffic directed to the load balancers. Reason being, is that then, we're only looking at about 10 IP addresses, versus 100 IP addresses of all the backend servers. Also, all of our SSL sessions terminate at each individual backend server -- we do not terminate at the load balancer. If we did, there would be that portion of unencrypted network traffic which we did not want to allow for. We’ve strategically positioned the WAF to listen on traffic directed to the load balancers. Reason being, is that then, we’re only looking at about 10 IP addresses, versus 100 IP addresses of all the backend servers. Also, all of our SSL sessions terminate at each individual backend server — we do not terminate at the load balancer. If we did, there would be that portion of unencrypted network traffic which we did not want to allow for.

]]> By: LonerVamp http://www.tssci-security.com/archives/2008/11/20/decreasing-security-for-perceived-security-all-in-the-name-of-compliance/comment-page-1/#comment-17418 LonerVamp Fri, 21 Nov 2008 14:36:28 +0000 http://www.tssci-security.com/archives/2008/11/20/decreasing-security-for-perceived-security-all-in-the-name-of-compliance/#comment-17418 Would it help to have a WAF that doubles as SSL offload? :) Would it help to have a WAF that doubles as SSL offload? :)

]]>