Your SlideShare is downloading. ×

Web Intrusion Detection

6,063

Published on

Published in: Technology
2 Comments
15 Likes
Statistics
Notes
  • Excellent slide on Web Intrusion Detection.

    Roy Jan
    http://au.freepolyphonicringtones.org/ http://at.freepolyphonicringtones.org/
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • hey there,could you please mail this across to me,it will truly assist me for my work.thank you very much.
    Teisha
    http://dashinghealth.com http://healthimplants.com
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total Views
6,063
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
0
Comments
2
Likes
15
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Web Intrusion Detection with ModSecurity Ivan Ristic <ivanr@webkreator.com>
  • 2. Aim of This Talk Discuss the state of Web Intrusion Detection Introduce ModSecurity Introduce an open source web application firewall, consisting of Apache and ModSecurity Discuss what can be done to detect and prevent application attacks Web Intrusion Detection with ModSecurity 2 / 50
  • 3. Who Am I?  Developer / architect / administrator, spent a great deal of time looking at web security issues from different points of view.  Author of ModSecurity, an open source web firewall / IDS.  Author of Apache Security, published by O’Reilly in March 2005.  Founder of Thinking Stone, a web security company. Web Intrusion Detection with ModSecurity 3 / 50
  • 4. Talk Overview 1. What is the problem? 2. Web intrusion detection approaches 3. Web application firewalls 4. ModSecurity 5. Application-based IDS Web Intrusion Detection with ModSecurity 4 / 50
  • 5. 1. What Is the Problem? Web Intrusion Detection with ModSecurity 5 / 50
  • 6. What is the Problem? (1) The world is going Web, companies must open their systems to their customers and partners. Port 80 is used for everything now. Web applications, web services. Classic firewall architectures do not help any more. Web Intrusion Detection with ModSecurity 6 / 50
  • 7. Firewalls Do Not Work Firewall Application Database Web Web Server Client Server Application HTTP Traffic Port 80 Web Intrusion Detection with ModSecurity 7 / 50
  • 8. What is the problem? (2) Web development is a mess. Web applications are not secure. Web application security field is getting there, but it’s still young. Web servers do not provide the correct tools (e.g. auditing). The awareness is rising but we have a long way to go. Web Intrusion Detection with ModSecurity 8 / 50
  • 9. In the Ideal World  Security thought out at the beginning of the project and throughout.  Security requirements exist, security policy is defined.  Threat modelling is used to discover threats.  Developers trained in application security, a security specialist is on board.  Code reviews are performed. Web Intrusion Detection with ModSecurity 9 / 50
  • 10. Back In the Real World Applications are insecure. Trivial vulnerabilities demonstrate serious lack of understanding of the web programming model. Users want features; security is an afterthought. Anyone with a browser can break in. Web Intrusion Detection with ModSecurity 10 / 50
  • 11. Where We Stand (1)  Doing it right from the start is better: developers should design and develop secure software.  But: it is not possible nor feasible to achieve 100% security. Even getting close is difficult.  But: you have to use third-party products which are of unknown quality.  But: you have to live with the existing systems. Web Intrusion Detection with ModSecurity 11 / 50
  • 12. Where We Stand (2) The application security community will work to increase awareness and educate developers. You can do this within your organisation. It will take a while. In the meantime, do anything you can to increase security. Web Intrusion Detection with ModSecurity 12 / 50
  • 13. What Can You Do? (1) By all means, if you can improve the software – do it! But it is more likely that you will have to attempt to increase security from the outside. It is not easy. You’ll have to put insecure applications into secure environments. Web Intrusion Detection with ModSecurity 13 / 50
  • 14. What Can You Do? (2) Use threat modelling for deployment to determine the threats. Then correct architectural issues that can be corrected. Use network design tools to increase security by limiting exposure. Web Intrusion Detection with ModSecurity 14 / 50
  • 15. What Can You Do? (3) At this point many organizations stop, and prefer to keep their fingers crossed: “It will not happen to us”. Intrusions are always possible, it is the probability you need to worry about. It depends on your circumstances – are you a high-profile, high-risk case? Web Intrusion Detection with ModSecurity 15 / 50
  • 16. What Can You Do? (4) Monitoring: know what happened. Detection: know when you are being attacked. Prevention: stop attacks before they succeed. Assessment: discover problems before the attackers do. Web Intrusion Detection with ModSecurity 16 / 50
  • 17. 2. Web Intrusion Detection Approaches Web Intrusion Detection with ModSecurity 17 / 50
  • 18. What is Intrusion Detection? Intrusion Detection is a method of detecting attacks by monitoring traffic or system events. Most people mean N(etwork) IDS when they say IDS. But there is also Host-based IDS, and other hybrid approaches. Web Intrusion Detection with ModSecurity 18 / 50
  • 19. NIDS Applied to Web Traffic can be overwhelming. Encryption (SSL) makes data invisible. Compression makes data hard to see. Designed to work at the TCP/IP level, not as effective for HTTP. Evasion is a problem. Bottom line: NIDS is not suitable for application- level protection. Web Intrusion Detection with ModSecurity 19 / 50
  • 20. Evolution of NIDS Deep-inspection Firewalls: vendors are building HTTP extensions and making improvements. Application Firewall (a.k.a Application Gateway) is born. Web Application Firewall (WAF) is a reverse proxy with additional security-related features. Web Intrusion Detection with ModSecurity 20 / 50
  • 21. Batch Web Intrusion Detection Collect logs at a single location: Manual collection (cron + scp) Syslog Spread toolkit (mod_log_spread) Run a script periodically to check the logs. Prevention not possible. Can go back in time! Web Intrusion Detection with ModSecurity 21 / 50
  • 22. Log-based IDS in Real-time  Collect logs at a single location using some real time method (syslog, mod_log_spread).  Tail and analyse the central log file in real-time.  SEC (Simple Event Correlator, http://kodu.neti.ee/~risto/sec/) may be of help.  Prevention still not possible. Web Intrusion Detection with ModSecurity 22 / 50
  • 23. 3. Web Application Firewalls Web Intrusion Detection with ModSecurity 23 / 50
  • 24. Web Application Firewalls They understand HTTP very well. Can be applied selectively to parts of the traffic. They work after traffic is decrypted, or can otherwise terminate SSL. Prevention is possible. Web Intrusion Detection with ModSecurity 24 / 50
  • 25. Web IDS Strategies (1) Network-based: Protects any web server Works with many servers at once Web server-based: Closer to the application Limited by the web server API Web Intrusion Detection with ModSecurity 25 / 50
  • 26. Web IDS Strategies (2) Simple defence: Supports a limited number of pre-defined defences Rule-based: Uses rules to look for known vulnerabilities Or rules to look for classes of attack Rely on rule databases Anomaly-based: Attempts to figure out what normal operation means Web Intrusion Detection with ModSecurity 26 / 50
  • 27. Web IDS Strategies (3) Negative security model: Deny what might be dangerous. Do you always know what is dangerous? Positive security model: Allow what is known to be safe. Positive security model is better. Web Intrusion Detection with ModSecurity 27 / 50
  • 28. Features (1) Audit logging. Defend from specific attacks. Defend from general attacks. Defend from brute-force attacks. Web Intrusion Detection with ModSecurity 28 / 50
  • 29. Features (2) Enforce client-side validation. (Excellent idea!) Introduce per-session restrictions. Learn how application works over time, then create a white list. Web Intrusion Detection with ModSecurity 29 / 50
  • 30. Evasion Issues Most IDS systems are watching for patterns and attackers know that. There are many ways to obfuscate attack content to prevent detection and still make it work. “DROP/**/TABLE xyz” is a valid SQL query in MySQL. Web Intrusion Detection with ModSecurity 30 / 50
  • 31. Evasion Techniques  Mixed case: DeleTe From  Whitespace: DELETE FROM  Self-referencing filenames: /etc/./passwd  Directory backreferences: /etc/xyz/../passwd  Double slashes: /etc//passwd  Escaping: /etc/passwd  …and many others Web Intrusion Detection with ModSecurity 31 / 50
  • 32. Impedance mismatch  Web application firewalls parse HTTP independently from the application – that’s where the protection comes from  But often the way parsing is done is slightly different  Examples:  PHP will ignore spaces at the beginning of variable names  It will also convert all subsequent spaces to underscores  Under some circumstances PHP treats cookies as requests parameters  Such problems make it more difficult for web application firewalls to work out of the box  Customisation is necessary Web Intrusion Detection with ModSecurity 32 / 50
  • 33. OSS vs. Commercial (1) Commercial: There are many mature offerings. Appliance black-boxes. Can be added to network easily. Very expensive. Web Intrusion Detection with ModSecurity 33 / 50
  • 34. OSS vs. Commercial (2) Open Source: Do not have all the features of commercial offerings, but have the ones that are really important. No nice GUIs yet - you have to get your hands dirty, understand how it works, and know the components well. Web Intrusion Detection with ModSecurity 34 / 50
  • 35. 4. ModSecurity 4. Mod_security Web Intrusion Detection with ModSecurity 35 / 50
  • 36. ModSecurity Open source: http://www.modsecurity.org. GPL and commercial licensing. Free and commercial support available. 3500 downloads per month in a quiet season; growing steadily. Apache version (1.x and 2.x). Java version (Servlet Filter) at some point in the future. Web Intrusion Detection with ModSecurity 36 / 50
  • 37. Embed Into Web Server Inexpensive and easy to use since no changes to the network design are required. But works only for one web server. No practical impact on performance. Web Intrusion Detection with ModSecurity 37 / 50
  • 38. Apache-based Web Application Firewall It is a reverse proxy. Easy to install and configure. Created out of default and third-party modules: mod_proxy mod_proxy_html mod_security Web Intrusion Detection with ModSecurity 38 / 50
  • 39. ModSecurity Features (1) Audit logging. Provides access to any part of the request (request body included) and the response. Flexible regular expression-based rule engine. Rules can be combined. External logic can be invoked. Supports unlimited number of different policies (per virtual host, folder, even a single file). Web Intrusion Detection with ModSecurity 39 / 50
  • 40. ModSecurity Features (2) Supports file upload interception and real-time validation (e.g. anti-virus integration). Anti-evasion built in. Encoding validation built in. Buffer overflow protection. A variety of things to do upon attack detection. Web Intrusion Detection with ModSecurity 40 / 50
  • 41. Simple Rule Examples Prevent JavaScript injection: SecFilter "<script" Prevent SQL injection: SecFilter "DELETE[[:space:]]+FROM" Web Intrusion Detection with ModSecurity 41 / 50
  • 42. Another Example Well-known problem in many PHP applications: register_globals. Prevent with: SecFilterSelective ARG_authorised "!^$" SecFilterSelective COOKIE_authorised "!^$" Web Intrusion Detection with ModSecurity 42 / 50
  • 43. Advanced Rule Example Prevent the “admin” user from logging from computers other than his workstation: SecFilterSelective ARG_username "^admin$" chain SecFilterSelective REMOTE_ADDR "!^192.168.0.99$" Web Intrusion Detection with ModSecurity 43 / 50
  • 44. Beware of False Positives! Some people do this: SecFilter bin/ But that prevents this: http://www.xyz.com/cgi-bin/innocent.cgi You do not have to use it in prevention mode! Use detection mode only, until you are sure the rules are correct. Web Intrusion Detection with ModSecurity 44 / 50
  • 45. 5. Application-based intrusion detection Web Intrusion Detection with ModSecurity 45 / 50
  • 46. Application IDS (1)  Use the application as an IDS.  Applications view data in context.  The closer IDS gets to application logic – the better.  Each software error is a potential attack.  Log events to the application event log.  At the very least use the response codes (500 – error, 403 – permission problem). Web Intrusion Detection with ModSecurity 46 / 50
  • 47. Application IDS (2) In Java, create a security Servlet Filter. In .Net, create a HttpModule. In PHP, use auto_prepend to execute security code before the application begins processing. PHP5 (and PHP4 with the Hardened-PHP patch applied) has a special hook that allows an extension to access the parameters before script is started. Web Intrusion Detection with ModSecurity 47 / 50
  • 48. Application IDS (3) It is easy and fast to change libraries. For example, change the database abstraction library to detect SQL comments and multiple queries in a single call. Web Intrusion Detection with ModSecurity 48 / 50
  • 49. Questions? Thank you! Download this presentation from http://www.thinkingstone.com/talks/ Web Intrusion Detection with ModSecurity 49 / 50

×