Written by David Torre
Definition of a WAF

Unlike the general-purpose firewall, which endures the daunting task of inspecting dozens of different applications, the sole purpose of the web application firewall, or "WAF", is to protect web applications exclusively. As such, the WAF has intimate knowledge of the HTTP protocol, as well as of the vulnerabilities often found in web-based applications. WAF technology has seen increased interest with recent changes to the Payment Card Industry Data Security Standard. PCI DSS Requirement 6.6 now requires public-facing web applications either to undergo annual security reviews or, alternatively, to have a proactive web application firewall installed between the web application and Internet users.
The WAF is not merely another redundant firewall within your infrastructure. Technically, WAFs bear a closer resemblance to HTTP proxies. As with web proxies, instead of connecting directly to your web application, web clients first connect to an intermediate control point which inspects the characteristics of the web request. If the request is benign, it is then forwarded to the actual web application. However, things don't end there. Once the response is generated by the web application, it is again filtered through this intermediate control point prior to being sent back to the requesting user. This transparent, bidirectional filtering process is conducted in order to prevent both inbound exploits and outbound information leakage.
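The following is an added example, not code from the article or from any WAF product, that models the control point just described in Python: the request is URL-decoded and inspected against a small, constructed rule set, forwarded to the origin only if benign, and the origin's response is filtered for leaked card numbers and stack traces before it goes back to the client. The rules, `HttpMessage` type and `demo_backend` origin are all hypothetical stand-ins.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import unquote_plus

# Constructed, illustrative rule set; a real WAF ships hundreds of tuned rules.
INBOUND_RULES = [
    ("sqli-tautology", re.compile(r"(?i)'\s*or\s+'?\d*'?\s*=\s*'?\d*")),
    ("xss-script-tag", re.compile(r"(?i)<\s*script\b")),
    ("path-traversal", re.compile(r"\.\./")),
]
# Outbound: card-like 16-digit numbers and server stack traces must not leave.
PAN_PATTERN = re.compile(r"\b(\d{4})[ -]?\d{4}[ -]?\d{4}[ -]?(\d{4})\b")
TRACE_PATTERN = re.compile(r"(?m)^\s*at [\w.$]+\(.*\)$")

@dataclass
class HttpMessage:
    status: int = 200
    headers: dict = field(default_factory=dict)
    body: str = ""

def inspect_request(target: str, body: str) -> Optional[str]:
    """Return the name of the first inbound rule the request trips, else None.
    The target is URL-decoded first so that encoding cannot hide a payload."""
    decoded = unquote_plus(target)
    for name, pattern in INBOUND_RULES:
        if pattern.search(decoded) or pattern.search(body):
            return name
    return None

def filter_response(resp: HttpMessage) -> HttpMessage:
    """Mask card numbers and strip stack-trace lines from the outbound body."""
    body = PAN_PATTERN.sub(r"\1-****-****-\2", resp.body)
    body = TRACE_PATTERN.sub("", body)
    return HttpMessage(resp.status, {**resp.headers, "X-WAF-Filtered": "1"}, body)

def waf_proxy(method: str, target: str, body: str,
              backend: Callable[[str, str, str], HttpMessage]) -> HttpMessage:
    """The control point: inspect inbound, forward if benign, filter outbound."""
    rule = inspect_request(target, body)
    if rule:
        return HttpMessage(403, {"X-WAF-Rule": rule}, "Forbidden")
    return filter_response(backend(method, target, body))

def demo_backend(method: str, target: str, body: str) -> HttpMessage:
    """Constructed origin server standing in for the real web application."""
    if target.startswith("/pay"):
        return HttpMessage(500, {}, "Error\n    at com.example.Shop.pay(Shop.java:42)\n")
    return HttpMessage(200, {}, "Card on file: 4111 1111 1111 1111")
```

A request such as `waf_proxy("GET", "/search?q=%27+OR+%271%27%3D%271", "", demo_backend)` is stopped with a 403 before reaching the origin, while `/account` is served with the card number masked.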
Last Updated on Saturday, 21 November 2009 09:47