Web Intrusion Detection with ModSecurity
Post on 03-Jun-2018
TRANSCRIPT
-
8/12/2019 Web Intrusion Detection With ModSecurity
2 / 50 Web Intrusion Detection with ModSecurity
Aim of This Talk
Discuss the state of Web Intrusion Detection
Introduce ModSecurity
Introduce an open source web application firewall, consisting of Apache and ModSecurity
Discuss what can be done to detect and prevent application attacks
-
Talk Overview
1. What is the problem?
2. Web intrusion detection approaches
3. Web application firewalls
4. ModSecurity
5. Application-based IDS
-
1. What Is the Problem?
-
What is the Problem? (1)
The world is going Web, companies must open their systems to their customers and partners.
Port 80 is used for everything now.
Web applications, web services.
Classic firewall architectures do not help any more.
-
Firewalls Do Not Work
[Diagram: Web Client, Firewall (Port 80, HTTP traffic), Web Server, Application, Application, Database Server]
-
What is the Problem? (2)
Web development is a mess.
Web applications are not secure.
Web application security field is getting there, but it's still young.
Web servers do not provide the correct tools (e.g. auditing).
The awareness is rising but we have a long way to go.
-
In the Ideal World
Security thought out at the beginning of the project and throughout.
Security requirements exist, security policy is defined.
Threat modelling is used to discover threats.
Developers trained in application security, a security specialist is on board.
Code reviews are performed.
-
Where We Stand (1)
Doing it right from the start is better: developers should design and develop secure software.
But: it is not possible nor feasible to achieve 100% security. Even getting close is difficult.
But: you have to use third-party products which are of unknown quality.
But: you have to live with the existing systems.
-
Where We Stand (2)
The application security community will work to increase awareness and educate developers.
You can do this within your organisation.
It will take a while.
In the meantime, do anything you can to increase security.
-
What Can You Do? (1)
By all means, if you can improve the software - do it.
But it is more likely that you will have to attempt to increase security from the outside.
It is not easy.
You'll have to put insecure applications into secure environments.
-
What Can You Do? (2)
Use threat modelling for deployment to determine the threats.
Then correct architectural issues that can be corrected.
Use network design tools to increase security by limiting exposure.
-
What Can You Do? (4)
Monitoring: know what happened.
Detection: know when you are being attacked.
Prevention: stop attacks before they succeed.
Assessment: discover problems before the attackers do.
-
2. Web Intrusion Detection Approaches
-
What is Intrusion Detection?
Intrusion Detection is a method of detecting attacks by monitoring traffic or system events.
Most people mean N(etwork) IDS when they say IDS.
But there is also Host-based IDS, and other hybrid approaches.
-
IDS Applied to Web
Traffic can be overwhelming.
Encryption (SSL) makes data invisible.
Compression makes data hard to see.
Designed to work at the TCP/IP level, not as effective for HTTP.
Evasion is a problem.
Bottom line: NIDS is not suitable for application-level protection.
-
Evolution of IDS
Deep-inspection Firewalls: vendors are building HTTP extensions and making improvements.
Application Firewall (a.k.a Application Gateway) is born.
Web Application Firewall (WAF) is a reverse proxy with additional security-related features.
-
Batch Web Intrusion Detection
Collect logs at a single location:
  Manual collection (cron + scp)
  Syslog
  Spread toolkit (mod_log_spread)
Run a script periodically to check the logs.
Prevention not possible.
Can go back in time!
-
Log-based IDS in Real-time
Collect logs at a single location using some real time method (syslog, mod_log_spread).
Tail and analyse the central log file in real-time.
SEC (Simple Event Correlator, http://kodu.neti.ee/~risto/sec/) may be of help.
Prevention still not possible.
-
3. Web Application Firewalls
-
Web Application Firewalls
They understand HTTP very well.
Can be applied selectively to parts of the traffic.
They work after traffic is decrypted, or can otherwise terminate SSL.
Prevention is possible.
-
Web IDS Strategies (1)
Network-based:
  Protects any web server
  Works with many servers at once
Web server-based:
  Closer to the application
  Limited by the web server API
-
Web IDS Strategies (2)
Simple defence:
  Supports a limited number of pre-defined defences
Rule-based:
  Uses rules to look for known vulnerabilities
  Or rules to look for classes of attack
  Rely on rule databases
Anomaly-based:
  Attempts to figure out what normal operation means
-
Web IDS Strategies (3)
Negative security model:
  Deny what might be dangerous.
  Do you always know what is dangerous?
Positive security model:
  Allow what is known to be safe.
Positive security model is better.
-
Features (1)
Audit logging.
Defend from specific attacks.
Defend from general attacks.
Defend from brute-force attacks.
-
Features (2)
Enforce client-side validation. (Excellent idea)
Introduce per-session restrictions.
Learn how application works over time, then create a white list.
-
Evasion Issues
Most IDS systems are watching for patterns and attackers know that.
There are many ways to obfuscate attack content to prevent detection and still make it work.
DROP/**/TABLE
-
Evasion Techniques
Mixed case: DeleTe From
Whitespace: DELETE FROM
Self-referencing filenames: /etc/./passwd
Directory backreferences: /etc/
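
An added example, not taken from the talk: canonicalising a request value before signature matching, so that each evasion form listed above reduces to one string. The signatures, sample inputs and function names are constructed for illustration and do not reproduce ModSecurity's own anti-evasion code.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed signatures; each is written once, for the canonical form only.
SIGNATURES = [re.compile(r"\bdelete from\b"), re.compile(r"\bdrop table\b"),
              re.compile(r"/etc/passwd\b")]

def normalize(raw: str) -> str:
    """Reduce a request value to a single canonical form before any rule sees it."""
    value = unquote(raw)                       # undo URL encoding (%2F, %20, ...)
    value = value.replace("\\", "/")           # one path separator only
    value = value.lower()                      # mixed case
    value = re.sub(r"/\*.*?\*/", " ", value)   # inline comments used as separators
    value = re.sub(r"\s+", " ", value)         # runs of spaces, tabs, newlines

    def canonical_path(match):
        # normpath resolves "/./" self-references and "dir/../" backreferences
        return posixpath.normpath(match.group(0))

    return re.sub(r"/[^\s?&;'\"]+", canonical_path, value)

def detect(value: str, use_normalization: bool = True) -> bool:
    """Match the signatures against the canonical form, or the raw value for comparison."""
    subject = normalize(value) if use_normalization else value
    return any(sig.search(subject) for sig in SIGNATURES)

# Constructed inputs modelled on the evasion forms named on the slides.
SAMPLES = ["DeleTe From users", "DELETE \t  FROM users", "DROP/**/TABLE users",
           "/etc/./passwd", "/etc/x/../passwd", "%2Fetc%2F.%2Fpasswd"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:28} raw={detect(s, False)!s:5} normalized={detect(s)}")
```

Every sample is missed when matched raw and caught after normalisation, which is why the rules only need to be written for the canonical form.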
-
OSS vs. Commercial (2)
Open Source:
  Do not have all the features of commercial offerings, but have the ones that are really important.
  No nice GUIs yet - you have to get your hands dirty, understand how it works, and know the components well.
-
4. ModSecurity (mod_security)
-
ModSecurity
Open source: http://www.modsecurity.org.
GPL and commercial licensing.
Free and commercial support available.
[digit illegible]500 downloads per month in a quiet season; growing steadily.
Apache version (1.x and 2.x).
Java version (Servlet Filter) at some point in the future.
-
Embed Into Web Server
Inexpensive and easy to use since no changes to the network design are required.
But works only for one web server.
No practical impact on performance.
-
Apache-based Web Application Firewall
It is a reverse proxy.
Easy to install and configure.
Created out of default and third-party modules:
  mod_proxy
  mod_proxy_html
  mod_security
-
ModSecurity Features (1)
Audit logging.
Provides access to any part of the request (request body included) and the response.
Flexible regular expression-based rule engine.
Rules can be combined.
External logic can be invoked.
Supports unlimited number of different policies (per virtual host, folder, even a single file).
-
ModSecurity Features (2)
Supports file upload interception and real-time validation (e.g. anti-virus integration).
Anti-evasion built in.
Encoding validation built in.
Buffer overflow protection.
A variety of things to do upon attack detection.
-
Simple Rule E[xample]
-
Another E[xample]
-
Beware of False Positives!
Some people do this:
SecFilter bin/
But that prevents this:
http://www.
-
5. Application-based intrusion detection
-
Application IDS (1)
Use the application as an IDS.
Applications view data in context.
The closer IDS gets to application logic - the better.
Each software error is a potential attack.
Log events to the application event log.
At the very least use the response codes (500 - error, 403 - permission problem).
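
An added sketch of the response-code approach, usable as the periodic log check from the batch detection slide (not code from the talk): it counts 500 and 403 responses per client in Common Log Format lines and reports clients at or above a threshold. The log lines, addresses and threshold are constructed.

```python
import re
from collections import Counter, defaultdict

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) \S+')
WATCHED = {500: "application error", 403: "permission problem"}

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /item.php?id=1 HTTP/1.1" 200 812
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /item.php?id=abc HTTP/1.1" 500 310
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /item.php?id= HTTP/1.1" 500 310
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /item.php?id=-1 HTTP/1.1" 500 310
203.0.113.5 - - [01/Jan/2024:10:00:06 +0000] "GET /admin/ HTTP/1.1" 403 199
203.0.113.5 - - [01/Jan/2024:10:00:07 +0000] "GET /admin/users HTTP/1.1" 403 199
192.0.2.10 - - [01/Jan/2024:10:00:08 +0000] "GET /missing.css HTTP/1.1" 404 150
this line is not in the expected format
"""

def scan(log_text: str, threshold: int = 2):
    """Return (alerts, unparsed): clients with at least `threshold` watched responses."""
    per_client = defaultdict(Counter)
    unparsed = 0
    for line in log_text.splitlines():
        m = CLF.match(line)
        if m is None:
            unparsed += 1          # count unexpected lines instead of dropping them silently
            continue
        host, status = m.group(1), int(m.group(2))
        if status in WATCHED:
            per_client[host][status] += 1
    alerts = [(host, status, WATCHED[status], n)
              for host, counts in sorted(per_client.items())
              for status, n in sorted(counts.items()) if n >= threshold]
    return alerts, unparsed

if __name__ == "__main__":
    found, skipped = scan(SAMPLE_LOG)
    for host, status, meaning, n in found:
        print(f"{host}: {n} x {status} ({meaning})")
    print(f"unparsed lines: {skipped}")
```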
-
Application IDS (2)
In Java, create a security Servlet Filter.
In .Net, create a HttpModule.
In PHP, use auto_prepend to execute security code before the application begins processing.
PHP5 (and PHP4 with the Hardened-PHP patch applied) has a special hook that allows an extension to access the parameters before script is started.
-
Application IDS (3)
It is easy and fast to change libraries.
For example, change the database abstraction library to detect SQL comments and multiple queries in a single call.
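
One way such a library change could look, as an added example rather than code from the talk: a wrapper that inspects each statement for comment markers and stacked statements outside string literals before handing it to the driver. `GuardedConnection`, `inspect_sql` and the sample schema are hypothetical, and sqlite3 stands in for the application's database.

```python
import sqlite3

class SuspiciousQuery(Exception): pass      # raised before the statement reaches the driver

def inspect_sql(sql: str) -> list:
    """Find comment markers and stacked statements that lie outside string literals."""
    findings, quote, i = [], None, 0
    while i < len(sql):
        ch = sql[i]
        if quote:                                    # inside '...' or "..."
            if ch == quote:
                if sql[i + 1:i + 2] == quote:        # doubled quote is an escaped quote
                    i += 1
                else:
                    quote = None
        elif ch in "'\"":
            quote = ch
        elif sql[i:i + 2] in ("--", "/*") or ch == "#":   # '#' is MySQL's line comment
            findings.append("comment")
            break                                    # text after a marker is not parsed
        elif ch == ";" and sql[i + 1:].strip() and "multiple statements" not in findings:
            findings.append("multiple statements")   # more SQL follows the terminator
        i += 1
    if quote:
        findings.append("unterminated string literal")
    return findings

class GuardedConnection:
    """Hypothetical stand-in for the application's database abstraction layer."""
    def __init__(self, conn):
        self.conn = conn
        self.events = []                             # stand-in for the application event log
    def execute(self, sql, params=()):
        findings = inspect_sql(sql)
        if findings:
            self.events.append((findings, sql))
            raise SuspiciousQuery(", ".join(findings))
        return self.conn.execute(sql, params)

def demo():
    db = GuardedConnection(sqlite3.connect(":memory:"))
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", (1, "a; b -- c"))   # bound data, not SQL text
    rows = db.execute("SELECT name FROM users WHERE id = ?", (1,)).fetchall()
    try:   # constructed statement of the kind string concatenation can produce
        db.execute("SELECT name FROM users WHERE id = 1; DELETE FROM users")
    except SuspiciousQuery:
        pass
    return rows, db.events
```

Only the SQL text is inspected, so bound parameters that happen to contain `;` or `--` pass through, while the same characters in the statement itself are recorded as an event and refused.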