ModSecurity is an open source intrusion detection and prevention engine for web applications. It runs embedded in the web server, acting as a protective umbrella that shields applications from attacks before they reach application code. ModSecurity supports both branches of the Apache web server (1.x and 2.x).
ModSecurity: Overview
With over 70% of all attacks now carried out at the web application level, organisations need all the help they can get in securing their systems. Web application firewalls are deployed to establish an external security layer that detects and prevents attacks before they reach web applications.
HTTP Traffic Logging
Web servers are typically well equipped to log traffic in a form useful for marketing analysis, but fall short when it comes to logging traffic to web applications. In particular, most cannot log request bodies. Your adversaries know this, which is why most attacks are now carried out via POST requests, leaving your systems blind.
ModSecurity makes full HTTP transaction logging possible, allowing complete requests and responses to be logged. Its logging facilities also allow fine-grained decisions about exactly what is logged and when, ensuring that only the relevant data is recorded.
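As an added illustration (this configuration is not from the original page or the ModSecurity project), the directives below record complete transactions, request bodies included, while keeping the audit log to relevant traffic. The log path and the /app/login and /healthz paths are assumptions.

```apache
# Added example, not the project's own configuration; paths are assumptions.

# Buffer request bodies so rules and the audit log can see POST and PUT
# content. The limits stop a client from exhausting memory with a huge body.
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyLimitAction Reject

# Buffer response bodies too, but only text-like types and only up to a limit.
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml application/json
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial

# Write an audit entry only for transactions a rule flagged (auditlog action)
# or that ended in a 5xx, or a 4xx other than 404; not for every request.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Parts to record: A boundary/header, B request headers, C request body,
# F response headers, H trailer with rule messages, K matched rules, Z end.
SecAuditLogParts ABCFHKZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log

# Fine-grained control per transaction: always record the login form and
# add the response body (part E) so the application's reply is kept as well.
SecRule REQUEST_FILENAME "@streq /app/login" \
    "id:1001,phase:1,pass,nolog,ctl:auditEngine=On,ctl:auditLogParts=+E"

# A high-volume health check, by contrast, is never written to the audit log.
SecRule REQUEST_FILENAME "@streq /healthz" \
    "id:1002,phase:1,pass,nolog,ctl:auditEngine=Off"
```

ModSecurity 2.x expects mod_unique_id to be loaded; each audit entry is then a run of `--<transaction id>-A--` through `--<transaction id>-Z--` sections in the serial file, so the POST body of a flagged request can be read back exactly as the application received it. Part E carries the backend's response, which may contain sensitive data, so add it selectively as above rather than globally.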
Real-Time Monitoring and Attack Detection
In addition to its logging facilities, ModSecurity can monitor HTTP traffic in real time to detect attacks. In this mode ModSecurity operates as a web intrusion detection tool, allowing you to react to suspicious events on your web systems.
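To show the detection-only role described above, here is an added example (not from the original page or the ModSecurity project) of a configuration that watches for two kinds of suspicious events and only reports them. The rule ids, the scanner names and the log path are assumptions.

```apache
# Added example, not the project's own configuration.
# DetectionOnly evaluates every rule and logs every match but never blocks,
# so the whole rule set runs as a web IDS.
SecRuleEngine DetectionOnly
SecRequestBodyAccess On

# A match produces one "ModSecurity: Warning." line in the Apache error log;
# the auditlog action also sends the whole transaction to the audit log.
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log

# Reconnaissance: well-known scanner User-Agents (case-insensitive phrase set).
SecRule REQUEST_HEADERS:User-Agent "@pm nikto sqlmap nessus" \
    "id:1010,phase:1,pass,log,auditlog,severity:NOTICE,tag:'recon',\
    msg:'Scanner user agent: %{MATCHED_VAR}'"

# Attack attempt: directory traversal in any parameter or cookie, checked
# after URL decoding so %2e%2e%2f is seen as ../ too.
SecRule ARGS|REQUEST_HEADERS:Cookie "@contains ../" \
    "id:1011,phase:2,pass,log,auditlog,severity:WARNING,tag:'traversal',\
    t:none,t:urlDecodeUni,msg:'Traversal sequence in %{MATCHED_VAR_NAME}'"

# Rules written with pass stay alert-only even after SecRuleEngine is set to
# On, which is how checks are graduated one at a time from alerting to blocking.
```

Each alert carries the rule id, msg, severity and tags as bracketed fields in the error log line, which is what a log shipper or SIEM keys on; the audit log entry for the same transaction, matched by its unique id, holds the full request for the analyst.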
Attack Prevention and Just-in-time Patching
ModSecurity can also act immediately to prevent attacks from reaching your web applications. There are three commonly used approaches:
- Negative security model. A negative security model monitors requests for anomalies, unusual behaviour, and common web application attacks. It keeps anomaly scores per request, per IP address, per application session, and per user account. Requests with high anomaly scores are either logged or rejected altogether.
- Known weaknesses and vulnerabilities. Its rule language makes ModSecurity an ideal external patching tool. External patching is all about reducing the window of opportunity: the time needed to patch application vulnerabilities often runs to weeks in many organisations. With ModSecurity, applications can be patched from the outside, without touching the application source code (and even without any access to it), keeping your systems secure until a proper patch is produced.
- Positive security model. When a positive security model is deployed, only requests that are known to be valid are accepted and everything else is rejected. This approach works best with applications that are heavily used but rarely updated.
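One configuration that exercises all three approaches, written here as an added example (it is not the page's or the project's own code): anomaly scoring across requests and client IPs, a just-in-time patch for a hypothetical unvalidated parameter, and a positive model for a single login form. The paths /app/view.php and /app/login, the id, username and password parameters, and the score thresholds are all assumptions.

```apache
# Added example, not the project's configuration; paths, parameters and
# thresholds are assumptions. Request body access is needed for POST data.
SecRuleEngine On
SecRequestBodyAccess On

# --- 1. Negative security model: anomaly scoring -------------------------
# Scores persist per client IP between requests; this needs a data directory.
SecDataDir /var/cache/modsecurity
SecAction "id:1200,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

# A client that has already accumulated a large score is refused outright.
SecRule IP:ANOMALY_SCORE "@ge 30" \
    "id:1201,phase:1,deny,status:403,log,\
    msg:'Client %{REMOTE_ADDR} over IP anomaly budget (%{ip.anomaly_score})'"

# Each signature only adds to the per-transaction score (tx.anomaly_score).
SecRule ARGS "@rx (?i)union[\s/*]+select" \
    "id:1210,phase:2,pass,log,t:none,t:urlDecodeUni,t:compressWhitespace,\
    msg:'SQLi keyword sequence in %{MATCHED_VAR_NAME}',setvar:tx.anomaly_score=+5"
SecRule ARGS "@rx (?i)<script|javascript:" \
    "id:1211,phase:2,pass,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,\
    msg:'XSS pattern in %{MATCHED_VAR_NAME}',setvar:tx.anomaly_score=+5"
SecRule ARGS "@contains ../" \
    "id:1212,phase:2,pass,log,t:none,t:urlDecodeUni,\
    msg:'Traversal sequence in %{MATCHED_VAR_NAME}',setvar:tx.anomaly_score=+3"

# One decision at the end of phase 2: block on the sum, and charge the IP
# so a slow scan from one address becomes visible across requests.
SecRule TX:ANOMALY_SCORE "@ge 10" \
    "id:1219,phase:2,deny,status:403,log,\
    msg:'Anomaly score %{tx.anomaly_score} reached blocking threshold',\
    setvar:ip.anomaly_score=+%{tx.anomaly_score},expirevar:ip.anomaly_score=3600"

# --- 2. Known weakness: just-in-time (virtual) patch -----------------------
# Hypothetical: /app/view.php takes an "id" it fails to validate. Until the
# code is fixed, reject any id that is not a short decimal integer, scoped to
# that one script so nothing else on the server is affected. A request with
# no id at all is left alone.
SecRule REQUEST_FILENAME "@streq /app/view.php" \
    "id:1300,phase:2,deny,status:403,log,\
    msg:'Virtual patch: view.php id must be a decimal integer',chain"
    SecRule ARGS:id "!@rx ^[0-9]{1,10}$" "t:none"

# --- 3. Positive security model for one stable endpoint -------------------
# Only the methods, parameter names and value shapes the login form uses are
# accepted; anything else is denied by the scoped default action.
<Location /app/login>
    SecDefaultAction "phase:2,deny,status:403,log"
    SecRule REQUEST_METHOD "!@rx ^(?:GET|POST)$" "id:1400,msg:'Unexpected method'"
    SecRule ARGS_NAMES "!@rx ^(?:username|password)$" \
        "id:1401,msg:'Unexpected parameter %{MATCHED_VAR}'"
    SecRule ARGS:username "!@rx ^[A-Za-z0-9._-]{1,32}$" \
        "id:1402,t:none,msg:'username outside allowed form'"
    SecRule ARGS:password "!@rx ^.{8,128}$" \
        "id:1403,t:none,msg:'password outside allowed length'"
    # Keep the credential out of the audit log when one of these rules fires.
    SecAction "id:1404,phase:5,pass,nolog,sanitiseArg:password"
</Location>
```

The keyword signatures are deliberately simple; a production negative model uses a maintained rule set, while hand-written rules are kept for patches and positive checks. Both the virtual patch and the Location block match only the endpoint they name, so a mistake in them cannot break the rest of the site. The chained rule inherits the first rule's phase and carries no disruptive action of its own; the deny fires only when both rules match.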
Flexible Rule Engine
A flexible rule engine sits at the heart of ModSecurity. It implements the ModSecurity Rule Language, a specialised language designed to work with HTTP transaction data. The ModSecurity Rule Language was designed to be easy to use yet flexible: common operations are simple while complex operations are possible.
Certified ModSecurity Rules, included with a ModSecurity subscription, contain a comprehensive set of rules that implement general-purpose hardening and protection against common web application security issues. Heavily commented, these rules can also be used as a learning tool.
Embedded Deployment
ModSecurity is an embeddable web application firewall, which means it can be deployed as part of your existing web server infrastructure, provided your web servers are Apache-based.
This deployment method has certain advantages:
- No changes to the existing network. It only takes a few minutes to add ModSecurity to your existing web servers. Because it is designed to be completely passive by default, you are free to deploy it incrementally and use only the features you need. It is equally easy to remove or deactivate should you decide you no longer want it.
- No single point of failure. Unlike a network-based deployment, it does not introduce a new point of failure into your system.
- Implicit load balancing and scaling. Because it runs inside the web servers, ModSecurity automatically benefits from whatever load balancing and scaling the web tier already has. You will not need to think about load balancing and scaling for ModSecurity itself unless your existing system needs them.
- Minimal overhead. Because it runs inside the web server process there is no overhead for network communication and only minimal overhead for parsing and data exchange.
- No problem with encrypted or compressed content. Many IDS systems have difficulty analysing SSL traffic. This is not a problem for ModSecurity, because it is positioned inside the server at a point where mod_ssl has already decrypted the request and the response has not yet been compressed.
ModSecurity is known to work well on a wide range of operating systems. Our customers are successfully running it on Linux, Windows, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, Mac OS X, and HP-UX.
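The incremental embedded deployment described above, as an added example for Apache 2.x (this is not the page's or the project's own configuration); the module paths, log path and URL prefixes are assumptions.

```apache
# Added example. Module paths and locations are assumptions.
# ModSecurity 2.x is a single module plus mod_unique_id, which it uses for
# transaction ids. Deactivating it later means removing the security2
# LoadModule line; the <IfModule> guard then leaves every Sec* directive inert.
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so

<IfModule security2_module>
    # Step 1: passive. Rules run and log, nothing is blocked. Change to On
    # only after the error and audit logs have been reviewed under real traffic.
    SecRuleEngine DetectionOnly
    SecRequestBodyAccess On
    SecResponseBodyAccess Off      # enable only if rules need response data
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Step 2: use only the features you need, where you need them. Inspect
    # the application with the full rule set ...
    <Location /app/>
        Include conf/modsecurity/app-rules.conf
    </Location>

    # ... and skip the engine entirely for static assets. Later sections
    # override earlier ones, so this applies even to assets under /app/.
    <LocationMatch "\.(?:css|js|png|jpg|gif|ico|woff2?)$">
        SecRuleEngine Off
    </LocationMatch>
</IfModule>
```

Turning the engine off for static content is where most of the "minimal overhead" claim is realised in practice: request buffering and rule evaluation are paid only on the paths that carry application input.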
Network-Based Deployment
ModSecurity works equally well when deployed as part of an Apache-based reverse proxy server, and many of our customers choose to do so. In this scenario one installation of ModSecurity can protect any number of web servers, including non-Apache ones.
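The reverse proxy deployment just described, as an added example (not from the original page or the ModSecurity project): one Apache instance terminates TLS, runs ModSecurity, and forwards clean traffic to a backend that need not run Apache. Host names, ports, certificate paths and the rules directory are assumptions.

```apache
# Added example, not the project's own configuration; names and paths are
# assumptions.
LoadModule ssl_module         modules/mod_ssl.so
LoadModule proxy_module       modules/mod_proxy.so
LoadModule proxy_http_module  modules/mod_proxy_http.so
LoadModule unique_id_module   modules/mod_unique_id.so
LoadModule security2_module   modules/mod_security2.so

# A reverse proxy only; never relay arbitrary client requests to the internet.
ProxyRequests Off

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # TLS terminates here, so ModSecurity sees plaintext before anything is
    # forwarded; the rules protect whatever sits behind, Apache or not.
    SecRuleEngine On
    SecRequestBodyAccess On
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log
    Include conf/modsecurity/rules/*.conf

    # Forward the client's Host header unchanged so name-based virtual hosting
    # on the backend keeps working. mod_proxy adds X-Forwarded-For, which is
    # how the backend can still learn the real client address.
    ProxyPreserveHost On
    ProxyPass        / http://app1.internal:8080/
    ProxyPassReverse / http://app1.internal:8080/
</VirtualHost>
```

The protection is only as good as the path enforcement around it: the backend (app1.internal:8080 here) must accept connections from the proxy alone, by firewall rule or by binding to an internal interface, or an attacker who can reach it directly simply bypasses ModSecurity. One proxy also means one place to maintain rules and, unlike the embedded case, a component whose failure takes every backend offline, so it is normally deployed as a redundant pair.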