Forum Sentry WAF policies can be used in conjunction with other Sentry policies to help prevent against the OWASP Top 10 vulnerabilities.
Forum Sentry is an API Security Gateway, not a Web Application Firewall (WAF). The WAF component features of Forum Sentry provide a subset of the capabilities inherent to a stand-alone WAF product. It is important to note that API Security Gateways and WAFs are not replacements for each other, but rather complimentary security technology components that should both be deployed at the security tier (refer to section "WAF vs API Security Gateway" below for more details).
How WAF Policies are Implemented in Forum Sentry
Best practice is to use WAF policies only on specific policies that may have a vulnerability (i.e. the remote server is issuing a cookie, there is a requirement to check parameter values, the service utilizes a SQL database directly, etc..).
There are no default WAF policies. WAF policies are built independently and then associated to the Content Policies on the Settings Tab. WAF policies can filter URLs and headers via Rules, as well as ensure remote servers are setting secure cookies.
WAF Rules reference Value Types for various criteria. There are set of predefined Value Types that map to the OWASP top 10 vulnerabilities that ship with Sentry. The predefined set of Value Types are completely customizable and new Value Types can be built. When building a WAF Rule you specify the following:
Path: The path that this WAF rule will be applicable for
Parameter Type: The content to scan (i.e. http header, query parameter, etc.
Parameter Name: The name of the header, parameter, etc.. to scan
Value Type: The Value Type to use as criteria
Required: Whether the Parameter Type specified is required to exist
WAF Session Security
The WAF session security settings apply to cookies set by the back-end server that are coming back through Sentry. These options are detailed below:
Track session cookies - Signs the specified back-end server session cookie so that a client cannot tamper with the cookie, generate a different cookie, or use a cookie that was not received through Sentry. The back-end session cookie path, domain, and timeout can also be overridden. These settings protect against various threats including insecure back-end service cookie configuration.
Secure cookie and http only cookie -Applies to all back-end server set cookies. These options verify that the secure and HTTP only flags are set.
WAF vs API Security Gateway
As mentioned earlier, an API Security Gateway is not a replacement for WAF. Some important differences / concepts are outlined below.
WAF --> Not all WAFs are "inline", some are transparent proxies, some layer 2 bridges, some reverse proxys
Sentry --> Sentry is a reverse proxy that does a full protocol break for deep content inspection
2. Protocols and Message Formats
WAF --> Typically used for Web 2.0, HTML, XML, JSON, AJAX, Flash over HTTP/HTTPS
Sentry --> Message formats include: XHTML, XML, SOAP, JSON, AS2, ebXML, SAML, XML-Sec, WS-Sec, WSDL, XSD, WS-Trust, XACML, WS-Addressing, WS-RM, WS-Policy, Xpath, XSLT
Network protocols: HTTP, HTTPS SSL / TLS JMS (IBM, Tibco, JBoss, Oracle, Active MQ) AMQP FTP/FTPS SFTP SMTP
This includes protocol mixing/switching/bridging.
3. Threat Mitigation
WAF --> HTML Content Aware, Intrusion Detection and Prevention (URI patterns), URI rate-based heuristics, Vendor Vulnerabilities, URL cloaking / rewrite, Parameter Inspection, Learning mode
Sentry --> XML/SOAP/REST Content Aware, Intrusion Detection and Prevention (parsing and deep-inspection), Rate-based, Size-Based heuristics, Schema Validation, Virus detection on XML/SOAP payloads, URL cloaking / rewrite,
XML Parser Attacks
4. Transaction Privacy
WAF --> Content Encoding / Compression HTML Compression, Gzip, SSL / TLS
Sentry --> Content Encryption( XML-Encryption, WS-Security, symmetric key, OpenPGP), Content Decryption (XML-Decryption, WS-Security, symmetric key, OpenPGP), HTML Compression, SHA-2 Hash and BASE64 Encoding, SSL / TLS
5. Transaction Integrity
WAF --> Session Tracking (Cookies, Source/Dest IPs), HTTP RFC conformance, HTML Form parameter checking, Cross-Site Scripting, Cookie Signing
Sentry -->Digital Signature (XML-DSIG, OASIS WS-Security DSIG, OpenPGP), Signature Verification, X509 Path Validation,
Schema Validation (DTD, XSD, JSON), HTTP RFC Conformance, cookie session management
6. Identity & Access Control
WAF --> Native Identity Integrations (AD, LDAP, RADIUS), Protocol Tokens (Basic, Digest, Form Post, SSL X509, NTLM, Kerberos)
Sentry --> Identity Integrations (AD, LDAP, Siteminder, Tivoli AM, ClearTrust, Kerberos KDC, CoreID, JSAM, WS-Trust, XACML, OAuth), Message-Based Tokens (WS-Username, WS-Kerberos, WS-X509, SAML, DSIG), Protocol Tokens (Basic, Digest, Form Post, Cookie, SSL X509, REST URI, NTLM, Kerberos), Credential Translation (Message-to-Protocol, Protocol-to-Message), SSO + Federation (Sessions, SAML, STS, OAuth)
7. Processing and Workflow Management
WAF --> Allow/Deny, URL Rewrite, Compression, Content Replacement
Sentry --> Attribute Mapping, Archiving, Content-Based Routing, Database Mapping, Digital Signatures, Header and Body Identification, Identity Token Conversion, Enrichment Data Aggregation, Encryption, Node Conversion and Encoding,
WAF != API Security Gateway
WAF + API Security Gateway = Secure Architecture