1. Apache with ModSecurity
Presented by Aruna Rawat
aruna.rawat@yale.edu
Information Security Office
2. Outlines
What is a web application firewall?
Significance of a web firewall.
ModSecurity as a web security firewall.
Features of ModSecurity.
Deployment architectures.
Models of ModSecurity: prevention mode.
Questions?
Where to get more help on ModSecurity?
3. What is a Web Application Firewall?
An intermediary device, sitting between a web client and a web server, analyzing OSI Layer-7 messages for violations of the programmed security policy.
Web application firewalls are deployed to establish an external security layer that increases security and detects and prevents attacks before they reach web applications.
4. Why Use Web Application Firewalls?
Web applications are commonly deployed in a terribly insecure state.
Developers should, of course, continue to strive to build better, more secure software.
But in the meantime, sysadmins must do something about it.
Insecure applications aside, WAFs are an important building block in every HTTP network.
5. Network Firewalls Do Not Work For HTTP
Neither do IDS/IPS solutions.
A network firewall makes access control decisions based on network ports and IP addresses.
6. Importance of WAF
A web application firewall is used as a security device protecting the web server from attack.
In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines.
Understands HTTP/HTTPS/Web Services.
Can be trained to understand the application: input, session, authentication, and so on.
Makes access decisions based on the HTTP request and response.
7. Open Source Approach Apache + ModSecurity
ModSecurity 2.x works only with Apache 2.0.x or higher. Version 2.2.x is highly recommended.
8. Apache
One of the most used open source products.
Available on many platforms.
Free, fast, stable and reliable.
Expertise widely available.
Apache 2.2.x (finally!) released with many improvements: improved authentication, improved support for caching, significant improvements to the mod_proxy code (and load balancing support). Ideal reverse proxy.
9. What is ModSecurity?
ModSecurity™ is an open source, free web application firewall (WAF) Apache module.
Free, open source, commercially supported.
It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
Popular and very widely used.
Fast, reliable and predictable.
10. Features of ModSecurity
• Request filtering: incoming requests are analyzed as they come in, before they are handled by the web server or other modules.
• Anti-evasion techniques: paths and parameters are normalized before analysis takes place, in order to defeat evasion techniques.
• Understanding of the HTTP protocol: since the engine understands HTTP, it can perform very specific, fine-grained filtering.
11. (Cont…) Features of ModSecurity
• POST payload analysis: the engine intercepts content transmitted using the POST method, too.
• Audit logging: full details of every request (including POST) can be logged for later analysis.
• HTTPS filtering: since the engine is embedded in the web server, it gets access to request data after decryption takes place.
12. Mod_Security: Features
Anti-evasion techniques:
– Remove multiple forward slash characters
– Treat backslash and forward slash characters equally (Windows only)
– Remove directory self-references
– Detect and remove null bytes (%00)
– Decode URL-encoded characters
13. (Cont..) Mod_Security: Features
• Special built-in checks:
– URL encoding validation
– Unicode encoding validation
– Byte range verification to detect and reject shellcode
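The normalization steps on slides 12 and 13 (and the per-request overview on slides 33 and 34) can be shown as one small pipeline. The Python below is an added example written for this page, not ModSecurity source code; the 32-126 allowed byte range, the order of the transformations and the sample paths are assumptions chosen for illustration:

```python
"""Anti-evasion canonicalization and built-in checks, modelled on the
ModSecurity feature list (added example, not ModSecurity source)."""
import re
from urllib.parse import unquote_to_bytes

# Allowed byte range for the decoded path. 32-126 (printable ASCII) is an
# assumed policy value for this example, not a ModSecurity default.
DEFAULT_BYTE_RANGE = (32, 126)

# A '%' that is not followed by exactly two hex digits is invalid URL encoding.
_BAD_PCT = re.compile(r"%(?![0-9A-Fa-f]{2})")


class EvasionError(ValueError):
    """Raised when a request fails one of the built-in validation checks."""


def validate_url_encoding(raw: str) -> None:
    """URL encoding validation: reject malformed %xx sequences."""
    if _BAD_PCT.search(raw):
        raise EvasionError("invalid URL encoding")


def canonicalize(raw_path: str, windows: bool = False) -> str:
    """Transform the raw path into the form that rules are matched against."""
    validate_url_encoding(raw_path)
    # Decode %xx once; latin-1 keeps one character per byte so that the
    # byte range check below sees the real byte values.
    path = unquote_to_bytes(raw_path).decode("latin-1")
    if "\x00" in path:
        raise EvasionError("null byte in path")   # detect and reject %00
    if windows:
        path = path.replace("\\", "/")            # backslash == slash on Windows
    while "/./" in path:                          # remove directory self-references
        path = path.replace("/./", "/")
    path = re.sub(r"/{2,}", "/", path)            # collapse multiple forward slashes
    return path


def check_byte_range(path: str, byte_range=DEFAULT_BYTE_RANGE) -> None:
    """Byte range verification: every decoded character must fall in range."""
    low, high = byte_range
    for ch in path:
        if not low <= ord(ch) <= high:
            raise EvasionError(f"byte 0x{ord(ch):02x} outside allowed range")


def analyze(raw_path: str, windows: bool = False) -> dict:
    """Run the whole pipeline and return a verdict instead of raising, so a
    caller (or an audit log writer) can decide what to do with the request."""
    try:
        path = canonicalize(raw_path, windows)
        check_byte_range(path)
    except EvasionError as exc:
        return {"ok": False, "path": None, "reason": str(exc)}
    return {"ok": True, "path": path, "reason": None}


if __name__ == "__main__":
    # Constructed sample paths, each exercising one evasion technique.
    for sample in ["/app//admin/./login", "/index.php%00.jpg",
                   "/admin%2", "/caf%E9", r"\admin\\login"]:
        print(sample, "->", analyze(sample, windows=True))
```

Rules are matched against the canonical form returned by `canonicalize`, which is why the transformations run before any regular expression is applied; a request that fails a built-in check never reaches the rules at all.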
14. (Cont..) Mod_Security: Features
Rules:
– Any number of custom rules supported
– Rules are formed using regular expressions
– Negated rules supported
– Each container (VirtualHost, Location, ...) can have a different configuration
– Analyzes headers
– Analyzes individual cookies
– Analyzes environment variables
– Analyzes server variables
– Analyzes individual page variables
– Analyzes POST payload
– Analyzes script output
15. (Cont..) Mod_Security: Features
Actions:
– Reject request with status code
– Reject request with redirection
– Execute external binary on rule match
– Log request
– Stop rule processing and let the request through
– Rule chaining
– Skip the next x number of rules on match
– Pause for a number of milliseconds
16. Mod_Security: Features
• Change the identity of the web server
• Easy-to-use internal chroot functionality
• Audit log to log complete requests
• Debug log
• Smart enough to apply rules only to dynamic resources
17. Why use ModSecurity?
HTTP Traffic Logging: ModSecurity makes full HTTP transaction logging possible, allowing complete requests and responses to be logged. Its logging facilities also allow fine-grained decisions to be made about exactly what is logged and when, ensuring only the relevant data is recorded. Logging HTTP field details can drain resources on the server.
Web servers are typically well-equipped to log traffic in a form useful for marketing analyses, but fall short when it comes to logging of traffic to web applications.
Especially good for servers that did not have logging in mind.
18. (Cont….) Why use ModSecurity?
Real-Time Monitoring and Attack Detection: ModSecurity can monitor the HTTP traffic in real time in order to detect attacks.
Validate each input field: length, data type, range of values.
Help track sessions and detect tampering.
In this case ModSecurity operates as a web intrusion detection tool, allowing you to react to suspicious events that take place at your web systems.
Detect and block known attack patterns after deep inspection at the HTTP layer.
19. Security Models
Attack Prevention: Security Model
There are four commonly used approaches:
1.) Negative security model: looks for known-bad, malicious requests. This method is effective at blocking a large number of automated attacks; however, it is not the best approach for identifying new attack vectors.
It keeps anomaly scores for each request, IP address, application session and user account. Requests with high anomaly scores are either logged or rejected altogether.
20. (Cont….) Security Models
2.) Virtual patching: known weaknesses and vulnerabilities. With ModSecurity, applications can be patched from the outside, without touching the application source code (and even without any access to it), keeping your systems secure until a proper patch is produced. E.g.: filtering HTML tags in input to block cross-site scripting.
External patching is all about reducing the window of opportunity. The time needed to patch application vulnerabilities often runs to weeks in many organisations.
21. Example: “Apache Chunking Exploit”
For example, when the Apache Chunking exploit was released, it included information about what parameters the client could send to exploit this vulnerability. Armed with this information, we can now edit the httpd.conf file and add in new filters to protect our Apache servers until a new patch is available. If we add in the following Mod_Security directive:
SecFilterSelective HTTP_TRANSFER_ENCODING "chunked"
we can deny any client requests that try to exploit this vulnerability. After implementing this directive and trying to exploit this vulnerability, Mod_Security logs the attack in the error_log with the following entry:
[Sun Mar 30 18:27:29 2003] [error] [client 127.0.0.1] mod_security: Access denied with code 403. Pattern match "chunked" at HEADER.
22. (Cont….) Security Models
3.) Positive security model: when a positive security model is deployed, only requests that are known to be valid are accepted, with everything else rejected. This approach works best with applications that are heavily used but rarely updated.
23. (Cont….) Security Models
4.) Extrusion detection model: ModSecurity can also monitor outbound data and identify and block information disclosure issues such as leaking detailed error messages, Social Security Numbers or credit card numbers.
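The negative (anomaly-scoring), positive and extrusion-detection models described on slides 19, 22 and 23, as an added Python sketch that is not part of the original deck and not ModSecurity code. The patterns, weights, thresholds, the user_id/action parameter policy and the sample strings are constructed for illustration; the Luhn check stands in for the credit card number detection that slide 36 lists as a 2.5 feature.

```python
"""Three WAF security models side by side (added example, constructed rules)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# --- Negative model: look for known-bad input and accumulate an anomaly score
# (pattern, weight) pairs; constructed for this example, not the Core Rules.
NEGATIVE_RULES = [
    (re.compile(r"<\s*[a-z!/?]", re.I), 5),   # HTML tag in input (XSS filtering)
    (re.compile(r"\.\./"), 3),                # directory traversal sequence
]
REQUEST_THRESHOLD = 5   # reject a single request whose score reaches this
IP_THRESHOLD = 12       # flag a client whose cumulative score reaches this

# --- Positive model: describe what a valid request looks like ---------------
# Per-parameter whitelist for one hypothetical form: (regex, max length).
POSITIVE_RULES = {
    "user_id": (re.compile(r"^\d{1,9}$"), 9),
    "action": (re.compile(r"^(view|edit|delete)$"), 6),
}

# --- Extrusion detection: stop sensitive data leaving in responses ----------
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
ERROR_RE = re.compile(r"(ORA-\d{5}|SQL syntax|Stack Trace|Fatal error)", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so arbitrary 16-digit numbers are not reported as cards."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


@dataclass
class Scorer:
    """Keeps per-IP anomaly scores across requests (sessions and user accounts
    would be scored the same way)."""
    ip_scores: dict = field(default_factory=lambda: defaultdict(int))

    def negative_check(self, client_ip: str, params: dict) -> dict:
        score, hits = 0, []
        for name, value in params.items():
            for rx, weight in NEGATIVE_RULES:
                if rx.search(value):
                    score += weight
                    hits.append(f"{name}:{rx.pattern}")
        self.ip_scores[client_ip] += score
        return {
            "score": score,
            "hits": hits,
            "blocked": score >= REQUEST_THRESHOLD,        # reject this request
            "ip_flagged": self.ip_scores[client_ip] >= IP_THRESHOLD,
        }


def positive_check(params: dict) -> list:
    """Return the reasons a request is not known-good (empty list = accept)."""
    problems = []
    for name, value in params.items():
        if name not in POSITIVE_RULES:
            problems.append(f"unexpected parameter {name}")
            continue
        rx, max_len = POSITIVE_RULES[name]
        if len(value) > max_len:
            problems.append(f"{name} too long")
        elif not rx.match(value):
            problems.append(f"{name} has invalid format")
    return problems


def extrusion_check(body: str) -> list:
    """Scan an outbound response body for data that should not leave."""
    findings = []
    for m in CARD_RE.finditer(body):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append("credit card number")
    if ERROR_RE.search(body):
        findings.append("detailed error message")
    return findings


if __name__ == "__main__":
    s = Scorer()
    print(s.negative_check("198.51.100.7", {"comment": "<script>"}))  # constructed
    print(positive_check({"user_id": "12a", "action": "drop"}))
    print(extrusion_check("Card on file: 4111 1111 1111 1111"))       # test number
```

The positive model rejects anything it was not told about, which is why the deck ties it to applications that change rarely: every new parameter needs a whitelist entry before it will pass.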
24. Processing Phases ModSecurity 2.x allows rules to be placed in one of the following five phases:
Request headers (REQUEST_HEADERS)
Request body (REQUEST_BODY)
Response headers (RESPONSE_HEADERS)
Response body (RESPONSE_BODY)
Logging (LOGGING)
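The five phases above, together with the rule attributes from slides 14 and 15 (regular expressions, negation, chaining, skipping rules, rejecting with a status code) and the chunked-encoding virtual patch from slide 21, as an added Python model of how a phased rule engine walks one transaction. This is illustration code written for this page, not ModSecurity's configuration language or engine; the Rule and Transaction classes, the rule set and the status codes are assumptions.

```python
"""Miniature phased rule engine in the shape of ModSecurity 2.x rules
(added example; a Python stand-in, not ModSecurity's rule language)."""
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

PHASES = ["REQUEST_HEADERS", "REQUEST_BODY", "RESPONSE_HEADERS",
          "RESPONSE_BODY", "LOGGING"]


@dataclass
class Transaction:
    method: str = "GET"
    request_headers: dict = field(default_factory=dict)
    request_body: str = ""
    response_headers: dict = field(default_factory=dict)
    response_body: str = ""
    status: Optional[int] = None           # set when a rule denies the transaction
    matched: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)


@dataclass
class Rule:
    phase: str
    variable: Callable[[Transaction], str]  # which part of the transaction to inspect
    pattern: str                            # regular expression, as on slide 14
    actions: dict                           # {"deny": 403}, {"chain": True}, {"skip": n};
                                            # {"log": True} marks a non-disruptive rule
    msg: str = ""                           # recorded in the audit log when set
    negate: bool = False                    # negated rule: fires when the regex does NOT match

    def matches(self, tx: Transaction) -> bool:
        hit = re.search(self.pattern, self.variable(tx) or "", re.I) is not None
        return hit != self.negate


def run_phase(tx: Transaction, rules: list, phase: str) -> None:
    """Evaluate one phase's rules in order, honouring chain, skip and deny."""
    phase_rules = [r for r in rules if r.phase == phase]
    i = 0
    while i < len(phase_rules) and tx.status is None:
        head = phase_rules[i]
        hit = head.matches(tx)
        # chain: every rule in the chain must match; actions live on the head rule
        while phase_rules[i].actions.get("chain") and i + 1 < len(phase_rules):
            i += 1
            hit = hit and phase_rules[i].matches(tx)
        if hit:
            if head.msg:
                tx.matched.append(head.msg)
            if "deny" in head.actions:
                tx.status = head.actions["deny"]   # reject request with status code
            i += head.actions.get("skip", 0)       # skip the next n rules on match
        i += 1


def process(tx: Transaction, rules: list) -> Transaction:
    """Run phases 1-4, then (phase 5) log only transactions that triggered a rule."""
    for phase in PHASES[:4]:
        run_phase(tx, rules, phase)
        if tx.status is not None and phase.startswith("REQUEST"):
            break   # simplification: a denied request never reaches the application
    if tx.matched:  # log what is relevant rather than every transaction
        tx.audit_log.append({"status": tx.status, "matched": list(tx.matched)})
    return tx


RULES = [
    # Virtual patch from slide 21 (1.x syntax there: SecFilterSelective
    # HTTP_TRANSFER_ENCODING "chunked"): deny chunked requests until Apache is patched.
    Rule("REQUEST_HEADERS", lambda tx: tx.request_headers.get("Transfer-Encoding", ""),
         r"chunked", {"deny": 403}, "chunked transfer encoding blocked"),
    # Negated rule, log only: methods other than GET/POST are recorded, not blocked.
    Rule("REQUEST_HEADERS", lambda tx: tx.method, r"^(GET|POST)$", {"log": True},
         "unusual method", negate=True),
    # Chained rule: reject POST bodies that carry an HTML tag (slide 20's example).
    Rule("REQUEST_BODY", lambda tx: tx.method, r"^POST$", {"chain": True, "deny": 403},
         "HTML tag in POST body"),
    Rule("REQUEST_BODY", lambda tx: tx.request_body, r"<[a-z!/?]", {}),
    # Skip: for non-HTML responses skip the next rule (flow control only, no msg).
    Rule("RESPONSE_HEADERS", lambda tx: tx.response_headers.get("Content-Type", ""),
         r"text/html", {"skip": 1}, negate=True),
    Rule("RESPONSE_HEADERS", lambda tx: tx.response_headers.get("X-Powered-By", ""),
         r".+", {"log": True}, "server identity header present"),
    # Output rule: stop a detailed database error message leaking to the client.
    Rule("RESPONSE_BODY", lambda tx: tx.response_body, r"(ORA-\d{5}|SQL syntax)",
         {"deny": 500}, "error message leak"),
]

if __name__ == "__main__":
    tx = process(Transaction(method="POST", request_body="name=<b>x"), RULES)  # constructed
    print(tx.status, tx.audit_log)
```

The phase decides what data a rule can see: a REQUEST_HEADERS rule runs before the body has been read, and an output rule only makes sense in RESPONSE_BODY, which is why the engine walks the phases in order rather than evaluating all rules at once.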
26. Deployment Two choices when it comes to deployment:
Reverse proxy.
Embedded in web server.
27. Apache + ModSecurity
Deploy as a reverse proxy: pick a nice server, install Apache 2.2.x, add ModSecurity, add an SSL acceleration card (optional).
Or simply run ModSecurity in embedded mode.
* That increases security, detects and prevents attacks before they reach web applications.
28. Deploy as a network gateway combining Apache working as a reverse proxy with ModSecurity. Requires network re-configuration.
29. Mod_Security as a Reverse Proxy
• Single point of access
• Increased performance
• Network isolation
• Network topology hidden from the outside world
• You can implement filters to protect “vulnerable” web servers until patches are available
30. Embedded Approach
Does not require network re-configuration.
31. ModSecurity Core Rules™
ModSecurity is a web application firewall engine that provides very little protection on its own. In order to become useful, ModSecurity must be configured with rules. In order to enable users to take full advantage of ModSecurity out of the box, Breach Security, Inc. is providing a free certified rule set for ModSecurity 2.x.
Unlike intrusion detection and prevention systems, which rely on signatures specific to known vulnerabilities, the Core Rules provide generic protection from unknown vulnerabilities often found in web applications, which are in most cases custom coded.
32. (Cont..) ModSecurity Core Rules™
In order to provide generic web application protection, the Core Rules use the following techniques:
HTTP protection - detecting violations of the HTTP protocol and a locally defined usage policy.
Common web attacks protection - detecting common web application security attacks.
Automation detection - detecting bots, crawlers, scanners and other surface malicious activity.
Trojan protection - detecting access to Trojan horses.
Error hiding - disguising error messages sent by the server.
33. Short overview of what is happening on every request
• Parse the request. This is mostly straightforward, except when you have to deal with a POST request, where getting the body of the request can be difficult.
• Perform canonicalization and anti-evasion actions. A series of transformations is performed to transform the input into a form that is suitable for analysis. This step fights the various evasive techniques attackers may use: null byte attacks, self-referencing directories, multiple slash characters, using backslash characters on Windows, etc.
34. Short overview of what is happening on every request (2)
• Perform special built-in checks. This step contains more complicated validations such as URL encoding validation and Unicode encoding validation. You can also choose to allow only certain byte values in the request to fight shellcode.
• Execute input rules. This is where your custom rules come into action. They work by allowing you to analyse every aspect of a request using regular expressions. In addition to this, several rules can be combined for more complex analysis.
35. Short overview of what is happening on every request (3)
• Execute output rules. Output rules are applied to the response body. They are very useful to prevent information leaks.
• Log the request. Log the complete request consisting of input and output headers, and the request body. To prevent excessive logging, mod_security can be configured to log only what's relevant, such as requests that have triggered a response from mod_security.
36. ModSecurity: New in Version 2.5
Geo IP resolution.
Parallel text matching.
Credit card number detection.
Support for content injection.
Automated rule updates.
The 2.5 code archive includes a supporting tool called rules-updater.pl that can be used to periodically check the ModSecurity Rules Repository and automatically download new rules.
37. Final Thoughts
• No system is 100% secure
• The majority of attacks can be effectively deterred by minimal security measures
• Consider the issues discussed and determine their relevance to your environment
Thank you for your time
Questions?
"The only 100% secure system is the one that is not plugged into the network and is still in its cardboard box."
38. More Information on ModSecurity
http://www.modsecurity.org
http://www.breach.com/
Mailing list: http://lists.sourceforge.net/lists/listinfo/mod-security-users
Books:
Apache Security by Ivan Ristic, O'Reilly Media, Inc. ISBN 0596007248
Preventing Web Attacks with Apache by Ryan Barnett, Addison-Wesley Professional. ISBN 0321321286