Web Intrusion Detection with ModSecurity

Upload: kanikamkkdes

Post on 03-Jun-2018


  • 8/12/2019 Web Intrusion Detection With ModSecurity

    1/49


    2 / 50Web Intrusion Detection with ModSecurity

    Aim of This Talk

    - Discuss the state of Web Intrusion Detection
    - Introduce ModSecurity
    - Introduce an open source web application firewall, consisting of Apache and ModSecurity
    - Discuss what can be done to detect and prevent application attacks


    Talk Overview

    1. What is the problem?
    2. Web intrusion detection approaches
    3. Web application firewalls
    4. ModSecurity
    5. Application-based IDS


    1. What Is the Problem?


    What is the Problem? (1)

    - The world is going Web, companies must open their systems to their customers and partners.
    - Port 80 is used for everything now.
    - Web applications, web services.
    - Classic firewall architectures do not help any more.


    Firewalls Do Not Work

    [Diagram labels: Firewall; Port 80 HTTP Traffic; Web Client; Web Server; Application; Application; Database Server]


    What is the Problem? (2)

    - Web development is a mess.
    - Web applications are not secure.
    - Web application security field is getting there, but it's still young.
    - Web servers do not provide the correct tools (e.g. auditing).
    - The awareness is rising but we have a long way to go.


    In the Ideal World

    - Security thought out at the beginning of the project and throughout.
    - Security requirements exist, security policy is defined.
    - Threat modelling is used to discover threats.
    - Developers trained in application security, a security specialist is on board.
    - Code reviews are performed.


    Where We Stand (1)

    - Doing it right from the start is better: developers should design and develop secure software.
    - But: it is not possible nor feasible to achieve 100% security. Even getting close is difficult.
    - But: you have to use third-party products which are of unknown quality.
    - But: you have to live with the existing systems.


    Where We Stand (2)

    - The application security community will work to increase awareness and educate developers.
    - You can do this within your organisation.
    - It will take a while.
    - In the meantime, do anything you can to increase security.


    What Can You Do? (1)

    - By all means, if you can improve the software - do it
    - But it is more likely that you will have to attempt to increase security from the outside.
    - It is not easy.
    - You'll have to put insecure applications into secure environments.


    What Can You Do? (2)

    - Use threat modelling for deployment to determine the threats.
    - Then correct architectural issues that can be corrected.
    - Use network design tools to increase security by limiting exposure.


    What Can You Do? (4)

    - Monitoring: know what happened.
    - Detection: know when you are being attacked.
    - Prevention: stop attacks before they succeed.
    - Assessment: discover problems before the attackers do.


    2. Web Intrusion Detection Approaches


    What is Intrusion Detection?

    - Intrusion Detection is a method of detecting attacks by monitoring traffic or system events.
    - Most people mean N(etwork) IDS when they say IDS.
    - But there is also Host-based IDS, and other hybrid approaches.


    IDS Applied to Web

    - Traffic can be overwhelming.
    - Encryption (SSL) makes data invisible.
    - Compression makes data hard to see.
    - Designed to work at the TCP/IP level, not as effective for HTTP.
    - Evasion is a problem.
    - Bottom line: NIDS is not suitable for application-level protection.


    Evolution of IDS

    - Deep-inspection Firewalls: vendors are building HTTP extensions and making improvements.
    - Application Firewall (a.k.a Application Gateway) is born.
    - Web Application Firewall (WAF) is a reverse proxy with additional security-related features.


    Batch Web Intrusion Detection

    - Collect logs at a single location:
        - Manual collection (cron + scp)
        - Syslog
        - Spread toolkit (mod_log_spread)
    - Run a script periodically to check the logs.
    - Prevention not possible.
    - Can go back in time!


    Log-based IDS in Real-time

    - Collect logs at a single location using some real time method (syslog, mod_log_spread).
    - Tail and analyse the central log file in real-time.
    - SEC (Simple Event Correlator, http://kodu.neti.ee/~risto/sec/) may be of help.
    - Prevention still not possible.


    3. Web Application Firewalls


    Web Application Firewalls

    - They understand HTTP very well.
    - Can be applied selectively to parts of the traffic.
    - They work after traffic is decrypted, or can otherwise terminate SSL.
    - Prevention is possible.


    Web IDS Strategies (1)

    - Network-based:
        - Protects any web server
        - Works with many servers at once
    - Web server-based:
        - Closer to the application
        - Limited by the web server API


    Web IDS Strategies (2)

    - Simple defence:
        - Supports a limited number of pre-defined defences
    - Rule-based:
        - Uses rules to look for known vulnerabilities
        - Or rules to look for classes of attack
        - Rely on rule databases
    - Anomaly-based:
        - Attempts to figure out what normal operation means


    Web IDS Strategies (3)

    - Negative security model:
        - Deny what might be dangerous.
        - Do you always know what is dangerous?
    - Positive security model:
        - Allow what is known to be safe.
    - Positive security model is better.


    Features (1)

    - Audit logging.
    - Defend from specific attacks.
    - Defend from general attacks.
    - Defend from brute-force attacks.


    Features (2)

    - Enforce client-side validation. (Excellent idea)
    - Introduce per-session restrictions.
    - Learn how application works over time, then create a white list.


    Evasion Issues

    - Most IDS systems are watching for patterns and attackers know that.
    - There are many ways to obfuscate attack content to prevent detection and still make it work.

    DROP/;;/TABLE


    Evasion Techniques

    - Mixed case: DeleTe From
    - Whitespace: DELETE FROM
    - Self-referencing filenames: /etc/./passwd
    - Directory backreferences: /etc/
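
The anti-evasion step these techniques call for, as an added example (not code from the slides or from ModSecurity): the input is normalized before any signature is applied. The signatures, function names and sample values are constructed; the backreference sample path is an assumption, because the slide's own example is cut off.

```python
import re

# Constructed signatures, written in lower case against normalized input.
SIGNATURES = [re.compile(r"delete from"), re.compile(r"/etc/passwd")]


def normalize(value: str) -> str:
    """Undo the listed evasion tricks so one pattern covers every variant."""
    value = value.lower()                   # mixed case: DeleTe From
    value = re.sub(r"\s+", " ", value)      # whitespace: DELETE   FROM
    previous = None
    while previous != value:                # repeat until nothing changes
        previous = value
        value = value.replace("/./", "/")   # self-reference: /etc/./passwd
        # backreference: a path segment followed by /../ cancels out
        value = re.sub(r"/(?!\.\./)[^/\s]+/\.\./", "/", value)
    return value


def naive_match(value: str) -> bool:
    """Pattern match on the raw value, as a simple filter would do it."""
    return any(sig.search(value) for sig in SIGNATURES)


def normalized_match(value: str) -> bool:
    """Pattern match after normalization."""
    return any(sig.search(normalize(value)) for sig in SIGNATURES)


# Constructed sample request values.
SAMPLES = [
    "DeleTe From users",
    "DELETE \t  FROM users",
    "/etc/./passwd",
    "/etc/xyz/../passwd",
    "/docs/deleted-items.html",   # benign
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:28} naive={naive_match(s)} normalized={normalized_match(s)}")
```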


    OSS vs. Commercial (2)

    - Open Source:
        - Do not have all the features of commercial offerings, but have the ones that are really important.
        - No nice GUIs yet - you have to get your hands dirty, understand how it works, and know the components well.


    4. ModSecurity


    ModSecurity

    - Open source: http://www.modsecurity.org.
    - GPL and commercial licensing.
    - Free and commercial support available.
    - L)(( downloads per month in a quiet season; growing steadily.
    - Apache version (1.x and 2.x).
    - Java version (Servlet Filter) at some point in the future.


    Embed Into Web Server

    - Inexpensive and easy to use since no changes to the network design are required.
    - But works only for one web server.
    - No practical impact on performance.


    Apache-based Web Application Firewall

    - It is a reverse proxy.
    - Easy to install and configure.
    - Created out of default and third-party modules:
        - mod_proxy
        - mod_proxy_html
        - mod_security


    ModSecurity Features (1)

    - Audit logging.
    - Provides access to any part of the request (request body included) and the response.
    - Flexible regular expression-based rule engine.
    - Rules can be combined.
    - External logic can be invoked.
    - Supports unlimited number of different policies (per virtual host, folder, even a single file).


    ModSecurity Features (2)

    - Supports file upload interception and real-time validation (e.g. anti-virus integration).
    - Anti-evasion built in.
    - Encoding validation built in.
    - Buffer overflow protection.
    - A variety of things to do upon attack detection.


    Simple Rule Example


    Another Example


    Beware of False Positives!

    - Some people do this:

        SecFilter bin/

    - But that prevents this:

        http://www.


    5. Application-based intrusion detection


    Application IDS (1)

    - Use the application as an IDS.
    - Applications view data in context.
    - The closer IDS gets to application logic - the better.
    - Each software error is a potential attack.
    - Log events to the application event log.
    - At the very least use the response codes (500 - error, 403 - permission problem).
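
A periodic log check that uses the two response codes named above, as an added example (not code from the slides): it reads a batch of access log lines and reports clients that triggered several 403 or 500 responses. The log lines are constructed, the Apache common log format is assumed, and the function name and threshold are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Apache common log format: host ident user [time] "request" status bytes
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) \S+')
WATCHED = {"403": "permission problem", "500": "error"}


def clients_to_review(lines, threshold=3):
    """Return {client: {status: count}} for clients that caused at least
    `threshold` watched responses in this batch of log lines."""
    per_client = defaultdict(Counter)
    for line in lines:
        m = LINE.match(line)
        if m and m.group(2) in WATCHED:
            per_client[m.group(1)][m.group(2)] += 1
    return {client: dict(statuses)
            for client, statuses in per_client.items()
            if sum(statuses.values()) >= threshold}


# Constructed log lines (documentation address ranges only).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /admin/ HTTP/1.1" 403 210
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /item.php?id=1' HTTP/1.1" 500 612
192.0.2.10 - - [01/Jan/2024:10:00:04 +0000] "POST /search HTTP/1.1" 500 612
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /item.php?id=x HTTP/1.1" 500 612
203.0.113.5 - - [01/Jan/2024:10:00:06 +0000] "GET /private/report.pdf HTTP/1.1" 403 210
192.0.2.10 - - [01/Jan/2024:10:00:07 +0000] "GET /about.html HTTP/1.1" 200 2048
""".splitlines()

if __name__ == "__main__":
    for client, statuses in clients_to_review(SAMPLE_LOG).items():
        detail = ", ".join(f"{n} x {s} ({WATCHED[s]})" for s, n in statuses.items())
        print(f"review {client}: {detail}")
```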


    Application IDS (2)

    - In Java, create a security Servlet Filter.
    - In .Net, create a HttpModule.
    - In PHP, use auto_prepend to execute security code before the application begins processing.
    - PHP5 (and PHP4 with the Hardened-PHP patch applied) has a special hook that allows an extension to access the parameters before script is started.


    Application IDS (3)

    - It is easy and fast to change libraries.
    - For example, change the database abstraction library to detect SQL comments and multiple queries in a single call.
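
One way to put that check into a database abstraction layer, as an added example (not code from the slides): a wrapper around `cursor.execute()` that refuses statements containing SQL comments or more than one query, and logs the event. `inspect_sql`, `guarded_execute` and `SuspiciousQuery` are hypothetical names, sqlite3 stands in for the real database, and SQL-standard quoting (doubled quotes) is assumed, so backslash-escaped quotes are not handled.

```python
import logging
import sqlite3

log = logging.getLogger("app.security")  # stand-in for the application event log


class SuspiciousQuery(Exception):
    """Raised when a statement carries a comment or a second query."""


def inspect_sql(sql: str) -> list:
    """Return sorted findings for one statement. Text inside quoted
    strings is skipped; a doubled quote counts as an escaped quote."""
    findings = set()
    quote = None
    i = 0
    while i < len(sql):
        ch = sql[i]
        if quote:
            if ch == quote:
                if sql[i + 1:i + 2] == quote:
                    i += 1                  # escaped quote, still in string
                else:
                    quote = None            # end of string literal
        elif ch in "'\"":
            quote = ch
        elif sql[i:i + 2] in ("--", "/*"):
            findings.add("comment")
        elif ch == ";" and sql[i + 1:].strip():
            findings.add("multiple queries")
        i += 1
    return sorted(findings)


def guarded_execute(cursor, sql, params=()):
    """Drop-in replacement for cursor.execute() in the abstraction layer."""
    findings = inspect_sql(sql)
    if findings:
        log.warning("blocked query (%s): %r", ", ".join(findings), sql)
        raise SuspiciousQuery(findings)
    return cursor.execute(sql, params)


if __name__ == "__main__":
    cur = sqlite3.connect(":memory:").cursor()
    guarded_execute(cur, "CREATE TABLE users (id INTEGER, name TEXT)")
    guarded_execute(cur, "INSERT INTO users VALUES (?, ?)", (1, "a;b--c"))
    print(inspect_sql("SELECT * FROM users WHERE id = 1; DROP TABLE users"))
```

Values passed as bound parameters never reach the check, so data containing `;` or `--` does not cause false positives; only the statement text written by the application is inspected.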
