Secure Web Gateway with mod_security and mod_proxy
Topics that will be covered
• Introduction to Web application firewall
• Web security and mod_proxy
• Web security and mod_security
• Configuring a secure web gateway
• Next steps
Web Application Firewall
Defined as: "An intermediary device, sitting between a web-client and a web server, analyzing OSI Layer-7 messages for violations in the programmed security policy. A web application firewall is used as a security device protecting the web server from attack." - Web Application Security Consortium Glossary
Web Application Firewall
Most firewalls do not, for various reasons, inspect packets at the application layer. They usually rely on packet header inspection and compare those header fields against rule bases. This lack of application layer inspection means that firewalls cannot provide adequate protection for web servers, which makes Web Application Firewalls necessary.
Web Application Firewall (cont’d)
• Also called "deep packet inspection firewalls"
• Inspect every request and response within the HTTP/HTTPS/SOAP/XML-RPC/Web Service layers
• Web Application Firewalls can be either software or hardware appliance based
• Installed in front of a web server in an effort to shield it from incoming attacks
Web security and mod_proxy
• A proxy is a device that stands between two entities participating in a conversation
• mod_proxy is an Apache module that is available by default
• It protects one or more web servers residing on an internal network that provide services to outside clients
Web security and mod_proxy (cont’d)
• When configured as a reverse proxy it becomes a useful tool to help prevent security attacks
• Serves as a single point of access, allowing administrators to apply other tools to monitor traffic at one central place
Web security and mod_proxy (cont’d)
• Usually configured on a separate server (different from the actual web server) to minimize the risk
• Serves as an additional firewall layer, since it 'hides' the actual web servers and the operating systems they are hosted on
Web security and mod_proxy (cont’d)
• Apache 2.x is a better choice for a reverse proxy because it contains the new filtering API, allowing modules to see and interact with the request body as it comes in and with the response as it goes out. This is important for an application gateway, since it must check the information that passes through before it reaches the recipient
Web security and mod_security
• mod_security is an Apache module that detects and prevents intrusions
• Normally configured so that it sits between the client and the web server
• Analyses network traffic at the HTTP layer
Web security and mod_security (cont’d)
• Allows the administrator to define custom input and output rules that perform specific actions
• Offers forensic logging to record a full activity log, including POST-based attacks
Web security and mod_security (cont’d)
• The sequence of events in mod_security when an HTTP request comes in is:
  • Parse the request
  • Perform canonicalization and anti-evasion actions
  • Perform special built-in checks
  • Execute input rules
Web security and mod_security (cont’d)
• mod_security also monitors the response:
  • Execute output rules
  • Log the complete request, consisting of input and output headers and the request body
Configuring a secure web gateway
• The reverse proxy needs to be configured first
• To configure a reverse proxy, add the following directives to httpd.conf:
    ServerName example.com
    ProxyPass / http://backend.example.com/
    ProxyPassReverse / http://backend.example.com/
Configuring a secure web gateway
• The next step is to configure mod_security:
    # Enable mod_security
    SecFilterEngine On
    # Scan request body
    SecFilterScanPOST On
    # Scan response body
    SecFilterScanOutput On
    # Check URL encoding
    SecFilterCheckURLEncoding On
Configuring a secure web gateway
    # Only allow certain byte values to be a part of the request.
    SecFilterForceByteRange 1 255
    # The audit log records complete requests. Configured as below it will only log invalid requests for further analysis.
    SecAuditEngine RelevantOnly
    SecAuditLog logs/audit_log
Configuring a secure web gateway
    # By default, deny requests with status 500
    SecFilterDefaultAction "deny,log,status:500"
    # Custom mod_security rules here
    # ...
Configuring a secure web gateway
These rules target common web application attacks:
    # Command execution attacks
    SecFilter /etc/password
    SecFilter /bin/ls
    # Directory traversal attacks
    SecFilter "\.\./"
    # XSS attacks
    SecFilter "<(.|\n)+>"
    SecFilter "<[[:space:]]*script"
Configuring a secure web gateway
Rules to prevent SQL injection attacks:
    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"
    SecFilter "select.+from"
Configuring a secure web gateway
Stop FormMail from being used to send spam
Some versions of FormMail can be used to send email to arbitrary email addresses. The following rule demonstrates how you can have a filter applied only to certain locations, in this case just the FormMail script. The request will be rejected if the email is intended for any address except one ending in "@modsecurity.org":
    <Location /cgi-bin/FormMail>
    SecFilterSelective "ARG_recipient" "!@modsecurity\.org$"
    </Location>
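The request-inspection sequence from the mod_security slides (parse, canonicalize, run input rules) and the SecFilter / SecFilterSelective rules above, modelled as a small Python checker. This is an added illustration written for this page, not mod_security's own code: it maps the POSIX [[:space:]] class to Python's \s, treats every SecFilter as a case-insensitive regex over the canonicalized URI and arguments (a simplification of the real engine), and runs over constructed sample requests so you can see why the canonicalization step has to happen before the rules are applied.

```python
import re
from urllib.parse import unquote, parse_qs

# Generic rules copied from the slides (mod_security 1.x SecFilter: one regex searched
# across the request). Case-insensitive matching mirrors SecFilter's default behaviour.
SECFILTER_RULES = [
    r"/etc/password", r"/bin/ls", r"\.\./", r"<(.|\n)+>", r"<[[:space:]]*script",
    r"delete[[:space:]]+from", r"insert[[:space:]]+into", r"select.+from",
]
# Location-scoped rule from the FormMail slide: (location prefix, argument, regex, negated)
SELECTIVE_RULES = [("/cgi-bin/FormMail", "recipient", r"@modsecurity\.org$", True)]

def to_python_regex(pattern):
    # The slides use the POSIX [[:space:]] class, which Python's re lacks.
    return pattern.replace("[[:space:]]", r"\s")

def canonicalize(text):
    # Anti-evasion: URL-decode until the value stops changing (defeats %252e double
    # encoding), then collapse "/./" and "//" so "/a/./..//b" still exposes "../".
    prev = None
    while prev != text:
        prev, text = text, unquote(text)
    while "/./" in text or "//" in text:
        text = text.replace("/./", "/").replace("//", "/")
    return text

def inspect_request(path, query="", body=""):
    """Return 'deny' or 'allow' for a constructed request, in the slide's event order:
    parse, canonicalize, SecFilter rules, then SecFilterSelective rules."""
    canon_path = canonicalize(path)
    args = {}
    for source in (query, body):  # query string and POST body both feed the ARG_ set
        for name, values in parse_qs(source, keep_blank_values=True).items():
            args[name] = canonicalize(values[0])
    haystack = "\n".join([canon_path, *args.values()])
    for pat in SECFILTER_RULES:
        if re.search(to_python_regex(pat), haystack, re.IGNORECASE):
            return "deny"
    for location, arg, pat, negated in SELECTIVE_RULES:
        if canon_path.startswith(location) and arg in args:
            matched = re.search(to_python_regex(pat), args[arg]) is not None
            if matched != negated:  # a negated rule fires when the pattern does NOT match
                return "deny"
    return "allow"
```

Without the decoding loop, the encoded traversal request in the test below would slip past the "\.\./" rule unchanged.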
Next steps
• Prevent cookie poisoning/tampering by allowing cryptographic signing of cookies
• Strip comments: mod_security should clean up all comments before sending the response out to the client
Next steps
• Another security measure is the cryptographic signing of form hidden fields and of the form itself, to prevent the values, number and names of the form's inputs from being modified
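What the two "next steps" amount to in practice, as an added Python example (not code from the slides or from mod_security): an HMAC-SHA256 tag is appended to a cookie value, and a second tag commits to the full set of hidden form fields, so that changing a value, renaming a field, or adding or removing one is detected on the way back in. The key is a constructed placeholder; a real gateway would load its own secret from configuration.

```python
import hmac
import hashlib

# Constructed key for the example only; load a real secret from configuration.
SECRET = b"example-gateway-key-not-for-production"

def sign_cookie(value, secret=SECRET):
    """Append an HMAC-SHA256 tag so the client can carry the value but not alter it."""
    tag = hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}|{tag}"

def verify_cookie(signed, secret=SECRET):
    """Return the original value, or None if the tag is missing or does not verify."""
    value, sep, tag = signed.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(expected, tag) else None

def _form_digest(fields, secret):
    # Sorted, length-prefixed (name, value) pairs: a changed value, a renamed field,
    # or an added/removed field all alter the digest, and "a=bc"/"ab=c" cannot collide.
    h = hmac.new(secret, b"", hashlib.sha256)
    for name in sorted(fields):
        for part in (name, fields[name]):
            data = part.encode()
            h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()

def sign_form(fields, secret=SECRET):
    """Return the hidden fields plus a '_sig' field committing to every name and value."""
    signed = dict(fields)
    signed["_sig"] = _form_digest(fields, secret)
    return signed

def verify_form(submitted, secret=SECRET):
    """True only if the submitted fields are exactly the set that was signed."""
    fields = {k: v for k, v in submitted.items() if k != "_sig"}
    return hmac.compare_digest(_form_digest(fields, secret), submitted.get("_sig", ""))
```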