FAQ: How is WAF Implemented in Forum Sentry?


Forum Sentry WAF policies can be used in conjunction with other Sentry policies to help protect against the OWASP Top 10 vulnerabilities.

Forum Sentry is an API Security Gateway, not a Web Application Firewall (WAF). The WAF features of Forum Sentry provide a subset of the capabilities inherent to a stand-alone WAF product. It is important to note that API Security Gateways and WAFs are not replacements for each other, but rather complementary security technology components that should both be deployed at the security tier (refer to the section "WAF vs API Security Gateway" below for more details).


How WAF Policies are Implemented in Forum Sentry

Best practice is to apply WAF policies only to the specific policies that may have a vulnerability (e.g. the remote server issues a cookie, parameter values need to be checked, the service uses a SQL database directly, etc.).

There are no default WAF policies. WAF policies are built independently and then associated with the Content Policies on the Settings tab. WAF policies can filter URLs and headers via Rules, as well as ensure that remote servers are setting secure cookies.

WAF Rules

WAF Rules reference Value Types for various criteria. A set of predefined Value Types, mapped to the OWASP Top 10 vulnerabilities, ships with Sentry. The predefined Value Types are fully customizable, and new Value Types can be built. When building a WAF Rule you specify the following:

Path: The path that this WAF rule will be applicable for

Parameter Type: The content to scan (e.g. HTTP header, query parameter, etc.)

Parameter Name: The name of the header, parameter, etc. to scan

Value Type: The Value Type to use as criteria

Required: Whether the Parameter Type specified is required to exist
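To make the five rule fields concrete, here is an added example that is not Forum Sentry code (Sentry rules are configured through its UI). It models a WAF Rule with exactly those fields and evaluates constructed HTTP requests against a small rule set. The three Value Types, the rule set, the hostname and the sample requests are all hypothetical; Sentry's predefined Value Types are more elaborate than the regular-expression allowlists used here.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

# Value Types: named criteria that a parameter value must satisfy. Sentry ships
# predefined Value Types mapped to the OWASP Top 10; the three below are
# hypothetical allowlists written for this example.
VALUE_TYPES = {
    "integer": re.compile(r"[0-9]+"),                        # non-negative integer only
    "token":   re.compile(r"[A-Za-z0-9_-]{8,64}"),           # opaque session token
    "host":    re.compile(r"[A-Za-z0-9.-]+(:[0-9]{1,5})?"),  # hostname with optional port
}


@dataclass(frozen=True)
class WafRule:
    path: str            # request path the rule applies to
    parameter_type: str  # "query" or "header"
    parameter_name: str  # name of the query parameter or header
    value_type: str      # key into VALUE_TYPES
    required: bool       # must the parameter be present at all?


@dataclass(frozen=True)
class Request:
    method: str
    url: str
    headers: dict


def extract_values(request, rule):
    """Return every value of the rule's parameter on this request (may be empty)."""
    if rule.parameter_type == "query":
        query = parse_qs(urlparse(request.url).query, keep_blank_values=True)
        return query.get(rule.parameter_name, [])
    if rule.parameter_type == "header":
        # header names are case-insensitive, so compare lower-cased
        return [v for k, v in request.headers.items()
                if k.lower() == rule.parameter_name.lower()]
    raise ValueError(f"unknown parameter type {rule.parameter_type!r}")


def evaluate(request, rules):
    """Return a list of violations; an empty list means the request passes the WAF rules."""
    path = urlparse(request.url).path
    violations = []
    for rule in rules:
        if rule.path != path:
            continue  # the rule is scoped to a different path
        values = extract_values(request, rule)
        if not values:
            if rule.required:
                violations.append(
                    f"{rule.parameter_type} {rule.parameter_name!r} is required on {path}")
            continue
        pattern = VALUE_TYPES[rule.value_type]
        for value in values:
            if not pattern.fullmatch(value):
                violations.append(
                    f"{rule.parameter_type} {rule.parameter_name!r}={value!r} "
                    f"fails Value Type {rule.value_type!r}")
    return violations


# Hypothetical rule set for one content policy whose service reads an order id from a SQL database.
RULES = [
    WafRule("/api/orders", "query", "id", "integer", required=True),
    WafRule("/api/orders", "header", "Host", "host", required=True),
    WafRule("/api/orders", "header", "X-Session-Token", "token", required=False),
]


def check_sample_requests():
    """Evaluate four constructed requests and return their violation lists."""
    base = "https://gateway.example.invalid"
    headers = {"Host": "gateway.example.invalid", "X-Session-Token": "abcdEFGH1234"}
    clean = Request("GET", base + "/api/orders?id=1042", headers)
    # a stray quote character is enough to fail the integer allowlist
    bad_value = Request("GET", base + "/api/orders?id=1042%27", headers)
    missing = Request("GET", base + "/api/orders", headers)
    unscoped = Request("GET", base + "/health?id=anything", {"Host": "gateway.example.invalid"})
    return {
        "clean": evaluate(clean, RULES),
        "bad_value": evaluate(bad_value, RULES),
        "missing": evaluate(missing, RULES),
        "unscoped": evaluate(unscoped, RULES),  # no rule covers /health, so nothing fires
    }


if __name__ == "__main__":
    for name, result in check_sample_requests().items():
        print(name, "->", result or "pass")
```

The point of the Path field shows up in the last request: a rule bound to /api/orders says nothing about /health, which is why the page recommends attaching WAF policies only to the specific policies that need them. The Required flag is what turns an absent parameter into a violation rather than a silent pass.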

WAF Session Security 

The WAF session security settings apply to cookies set by the back-end server that are coming back through Sentry. These options are detailed below:

Track session cookies - Signs the specified back-end server session cookie so that a client cannot tamper with the cookie, generate a different cookie, or use a cookie that was not received through Sentry. The back-end session cookie path, domain, and timeout can also be overridden. These settings protect against various threats including insecure back-end service cookie configuration.

Secure cookie and HTTP only cookie - Applies to all cookies set by the back-end server. These options verify that the Secure and HttpOnly flags are set.
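As an added illustration of both session security settings above (not Forum Sentry's own code; the gateway applies these through its WAF policy configuration), the following Python sketches what a gateway does on the response and request paths: it appends an HMAC to the back-end's session cookie value so that a tampered, forged, or never-issued cookie is rejected, and it checks and enforces the Secure and HttpOnly flags on every Set-Cookie header. The signing key, the cookie name and the back-end Set-Cookie header are constructed for the example.

```python
import base64
import hashlib
import hmac

# Hypothetical gateway signing key, constructed for this example only; a real
# gateway keeps this in its key store, never in source.
GATEWAY_KEY = b"example-gateway-signing-key-not-for-production"


def _mac(value: str) -> str:
    """URL-safe base64 HMAC-SHA256 of the cookie value under the gateway key."""
    digest = hmac.new(GATEWAY_KEY, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_cookie_value(value: str) -> str:
    """Response path: bind the back-end's session value to this gateway."""
    return f"{value}.{_mac(value)}"


def verify_cookie_value(signed: str):
    """Request path: return the original back-end value, or None if the cookie
    was altered, invented by the client, or never issued through the gateway."""
    value, sep, mac = signed.rpartition(".")  # the MAC is base64url, so it contains no '.'
    if not sep:
        return None
    if not hmac.compare_digest(mac, _mac(value)):
        return None
    return value


def missing_cookie_flags(set_cookie: str):
    """Return which of Secure / HttpOnly are absent from a Set-Cookie header value."""
    attributes = {part.strip().split("=", 1)[0].lower()
                  for part in set_cookie.split(";")[1:]}
    return [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attributes]


def rewrite_set_cookie(set_cookie: str, session_cookie_name: str) -> str:
    """Response path: sign the tracked session cookie and add any missing flags
    before the header leaves the gateway."""
    parts = [part.strip() for part in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    if name == session_cookie_name:
        parts[0] = f"{name}={sign_cookie_value(value)}"
    parts.extend(missing_cookie_flags(set_cookie))
    return "; ".join(parts)


def demo():
    """Run the response-path rewrite and the request-path checks on a constructed header."""
    backend_header = "JSESSIONID=abc123; Path=/app"   # constructed back-end Set-Cookie
    outgoing = rewrite_set_cookie(backend_header, "JSESSIONID")
    signed_value = outgoing.split(";", 1)[0].split("=", 1)[1]
    return {
        "flags_missing_before": missing_cookie_flags(backend_header),
        "flags_missing_after": missing_cookie_flags(outgoing),
        "valid": verify_cookie_value(signed_value),
        "tampered": verify_cookie_value(signed_value.replace("abc123", "abc124", 1)),
        "forged": verify_cookie_value("abc123"),  # plain value, never signed by the gateway
    }


if __name__ == "__main__":
    for key, result in demo().items():
        print(key, "->", result)
```

The request-path check is what makes the tracked cookie unusable outside the gateway: a client that edits the value, makes one up, or presents a value obtained directly from the back-end has no valid MAC, so the gateway rejects it before the back-end ever sees it. The flag check on the response path is the cheaper half, and it is the one that covers the "insecure back-end cookie configuration" case regardless of whether session tracking is enabled.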


WAF vs API Security Gateway

As mentioned earlier, an API Security Gateway is not a replacement for a WAF. Some important differences and concepts are outlined below.

1. Topology

WAF --> Not all WAFs are "inline"; some are transparent proxies, some are layer 2 bridges, and some are reverse proxies

Sentry --> Sentry is a reverse proxy that does a full protocol break for deep content inspection

2. Protocols and Message Formats

WAF --> Typically used for Web 2.0, HTML, XML, JSON, AJAX, Flash over HTTP/HTTPS

Sentry --> Message formats include: XHTML, XML, SOAP, JSON, AS2, ebXML, SAML, XML-Sec, WS-Sec, WSDL, XSD, WS-Trust, XACML, WS-Addressing, WS-RM, WS-Policy, XPath, XSLT

Network protocols: HTTP, HTTPS (SSL / TLS), JMS (IBM, Tibco, JBoss, Oracle, ActiveMQ), AMQP, FTP/FTPS, SFTP, SMTP

This includes protocol mixing/switching/bridging.

3. Threat Mitigation

WAF --> HTML Content Aware, Intrusion Detection and Prevention (URI patterns), URI rate-based heuristics, Vendor Vulnerabilities, URL cloaking / rewrite, Parameter Inspection, Learning mode

Sentry --> XML/SOAP/REST Content Aware, Intrusion Detection and Prevention (parsing and deep inspection), Rate-based and Size-based heuristics, Schema Validation, Virus detection on XML/SOAP payloads, URL cloaking / rewrite, XML Parser Attacks

4. Transaction Privacy

WAF --> Content Encoding / Compression (HTML Compression, Gzip), SSL / TLS

Sentry --> Content Encryption (XML-Encryption, WS-Security, symmetric key, OpenPGP), Content Decryption (XML-Decryption, WS-Security, symmetric key, OpenPGP), HTML Compression, SHA-2 Hash and Base64 Encoding, SSL / TLS

5. Transaction Integrity

WAF --> Session Tracking (Cookies, Source/Dest IPs), HTTP RFC conformance, HTML Form parameter checking, Cross-Site Scripting, Cookie Signing

Sentry --> Digital Signature (XML-DSIG, OASIS WS-Security DSIG, OpenPGP), Signature Verification, X509 Path Validation, Schema Validation (DTD, XSD, JSON), HTTP RFC Conformance, Cookie Session Management

6. Identity & Access Control

WAF --> Native Identity Integrations (AD, LDAP, RADIUS), Protocol Tokens (Basic, Digest, Form Post, SSL X509, NTLM, Kerberos)

Sentry --> Identity Integrations (AD, LDAP, Siteminder, Tivoli AM, ClearTrust, Kerberos KDC, CoreID, JSAM, WS-Trust, XACML, OAuth), Message-Based Tokens (WS-Username, WS-Kerberos, WS-X509, SAML, DSIG), Protocol Tokens (Basic, Digest, Form Post, Cookie, SSL X509, REST URI, NTLM, Kerberos), Credential Translation (Message-to-Protocol, Protocol-to-Message), SSO + Federation (Sessions, SAML, STS, OAuth)

7. Processing and Workflow Management

WAF --> Allow/Deny, URL Rewrite, Compression, Content Replacement

Sentry --> Attribute Mapping, Archiving, Content-Based Routing, Database Mapping, Digital Signatures, Header and Body Identification, Identity Token Conversion, Enrichment Data Aggregation, Encryption, Node Conversion and Encoding



WAF != API Security Gateway 
WAF + API Security Gateway = Secure Architecture

