Search

Web Intrusion Detection

Loading...

Flash Player 9 (or above) is needed to view presentations.
We have detected that you do not have it on your computer. To install it, go here.

4 comments

Comments 1 - 4 of 4 previous next Post a comment

  • + guest045e8b guest045e8b 2 years ago
    For the past 2 weeks I get a messae of a 3rd party trying to change My Google default. I have no idea of changing. Deleting that message does no good.
  • + guest045e8b guest045e8b 2 years ago
    For the past 2 weeks I get a message of a 3rd party trying to change My Google default. I have no idea of changing. Deleting that message does no good.
  • + guest97e9df guest97e9df 3 years ago
    on the idea of application firewalls, PHPIDS is an example. I think it is interesting how IDS is getting more and more specialized.. I wonder what effect IPv6 will have on NIDS in the future. It might force the move to more specialized IDS such as those being developed for web 2.0 applications to prevent against XSS/Injection, and XSRF. Good presentation though, lots of very useful information.

  • + guest851724 guest851724 3 years ago
    good,attractive

Post a comment
Embed Video
Edit your comment Cancel

Notes on slide 1

7 Favorites & 1 Group

Web Intrusion Detection - Presentation Transcript

  1. Web Intrusion Detection with ModSecurity Ivan Ristic <ivanr@webkreator.com>
  2. Aim of This Talk Discuss the state of Web Intrusion Detection Introduce ModSecurity Introduce an open source web application firewall, consisting of Apache and ModSecurity Discuss what can be done to detect and prevent application attacks Web Intrusion Detection with ModSecurity 2 / 50
  3. Who Am I?  Developer / architect / administrator, spent a great deal of time looking at web security issues from different points of view.  Author of ModSecurity, an open source web firewall / IDS.  Author of Apache Security, published by O’Reilly in March 2005.  Founder of Thinking Stone, a web security company. Web Intrusion Detection with ModSecurity 3 / 50
  4. Talk Overview 1. What is the problem? 2. Web intrusion detection approaches 3. Web application firewalls 4. ModSecurity 5. Application-based IDS Web Intrusion Detection with ModSecurity 4 / 50
  5. 1. What Is the Problem? Web Intrusion Detection with ModSecurity 5 / 50
  6. What is the Problem? (1) The world is going Web, companies must open their systems to their customers and partners. Port 80 is used for everything now. Web applications, web services. Classic firewall architectures do not help any more. Web Intrusion Detection with ModSecurity 6 / 50
  7. Firewalls Do Not Work Firewall Application Database Web Web Server Client Server Application HTTP Traffic Port 80 Web Intrusion Detection with ModSecurity 7 / 50
  8. What is the problem? (2) Web development is a mess. Web applications are not secure. Web application security field is getting there, but it’s still young. Web servers do not provide the correct tools (e.g. auditing). The awareness is rising but we have a long way to go. Web Intrusion Detection with ModSecurity 8 / 50
  9. In the Ideal World  Security thought out at the beginning of the project and throughout.  Security requirements exist, security policy is defined.  Threat modelling is used to discover threats.  Developers trained in application security, a security specialist is on board.  Code reviews are performed. Web Intrusion Detection with ModSecurity 9 / 50
  10. Back In the Real World Applications are insecure. Trivial vulnerabilities demonstrate serious lack of understanding of the web programming model. Users want features; security is an afterthought. Anyone with a browser can break in. Web Intrusion Detection with ModSecurity 10 / 50
  11. Where We Stand (1)  Doing it right from the start is better: developers should design and develop secure software.  But: it is not possible nor feasible to achieve 100% security. Even getting close is difficult.  But: you have to use third-party products which are of unknown quality.  But: you have to live with the existing systems. Web Intrusion Detection with ModSecurity 11 / 50
  12. Where We Stand (2) The application security community will work to increase awareness and educate developers. You can do this within your organisation. It will take a while. In the meantime, do anything you can to increase security. Web Intrusion Detection with ModSecurity 12 / 50
  13. What Can You Do? (1) By all means, if you can improve the software – do it! But it is more likely that you will have to attempt to increase security from the outside. It is not easy. You’ll have to put insecure applications into secure environments. Web Intrusion Detection with ModSecurity 13 / 50
  14. What Can You Do? (2) Use threat modelling for deployment to determine the threats. Then correct architectural issues that can be corrected. Use network design tools to increase security by limiting exposure. Web Intrusion Detection with ModSecurity 14 / 50
  15. What Can You Do? (3) At this point many organizations stop, and prefer to keep their fingers crossed: “It will not happen to us”. Intrusions are always possible, it is the probability you need to worry about. It depends on your circumstances – are you a high-profile, high-risk case? Web Intrusion Detection with ModSecurity 15 / 50
  16. What Can You Do? (4) Monitoring: know what happened. Detection: know when you are being attacked. Prevention: stop attacks before they succeed. Assessment: discover problems before the attackers do. Web Intrusion Detection with ModSecurity 16 / 50
  17. 2. Web Intrusion Detection Approaches Web Intrusion Detection with ModSecurity 17 / 50
  18. What is Intrusion Detection? Intrusion Detection is a method of detecting attacks by monitoring traffic or system events. Most people mean N(etwork) IDS when they say IDS. But there is also Host-based IDS, and other hybrid approaches. Web Intrusion Detection with ModSecurity 18 / 50
  19. NIDS Applied to Web Traffic can be overwhelming. Encryption (SSL) makes data invisible. Compression makes data hard to see. Designed to work at the TCP/IP level, not as effective for HTTP. Evasion is a problem. Bottom line: NIDS is not suitable for application- level protection. Web Intrusion Detection with ModSecurity 19 / 50
  20. Evolution of NIDS Deep-inspection Firewalls: vendors are building HTTP extensions and making improvements. Application Firewall (a.k.a Application Gateway) is born. Web Application Firewall (WAF) is a reverse proxy with additional security-related features. Web Intrusion Detection with ModSecurity 20 / 50
  21. Batch Web Intrusion Detection Collect logs at a single location: Manual collection (cron + scp) Syslog Spread toolkit (mod_log_spread) Run a script periodically to check the logs. Prevention not possible. Can go back in time! Web Intrusion Detection with ModSecurity 21 / 50
  22. Log-based IDS in Real-time  Collect logs at a single location using some real time method (syslog, mod_log_spread).  Tail and analyse the central log file in real-time.  SEC (Simple Event Correlator, http://kodu.neti.ee/~risto/sec/) may be of help.  Prevention still not possible. Web Intrusion Detection with ModSecurity 22 / 50
  23. 3. Web Application Firewalls Web Intrusion Detection with ModSecurity 23 / 50
  24. Web Application Firewalls They understand HTTP very well. Can be applied selectively to parts of the traffic. They work after traffic is decrypted, or can otherwise terminate SSL. Prevention is possible. Web Intrusion Detection with ModSecurity 24 / 50
  25. Web IDS Strategies (1) Network-based: Protects any web server Works with many servers at once Web server-based: Closer to the application Limited by the web server API Web Intrusion Detection with ModSecurity 25 / 50
  26. Web IDS Strategies (2) Simple defence: Supports a limited number of pre-defined defences Rule-based: Uses rules to look for known vulnerabilities Or rules to look for classes of attack Rely on rule databases Anomaly-based: Attempts to figure out what normal operation means Web Intrusion Detection with ModSecurity 26 / 50
  27. Web IDS Strategies (3) Negative security model: Deny what might be dangerous. Do you always know what is dangerous? Positive security model: Allow what is known to be safe. Positive security model is better. Web Intrusion Detection with ModSecurity 27 / 50
  28. Features (1) Audit logging. Defend from specific attacks. Defend from general attacks. Defend from brute-force attacks. Web Intrusion Detection with ModSecurity 28 / 50
  29. Features (2) Enforce client-side validation. (Excellent idea!) Introduce per-session restrictions. Learn how application works over time, then create a white list. Web Intrusion Detection with ModSecurity 29 / 50
  30. Evasion Issues Most IDS systems are watching for patterns and attackers know that. There are many ways to obfuscate attack content to prevent detection and still make it work. “DROP/**/TABLE xyz” is a valid SQL query in MySQL. Web Intrusion Detection with ModSecurity 30 / 50
  31. Evasion Techniques  Mixed case: DeleTe From  Whitespace: DELETE FROM  Self-referencing filenames: /etc/./passwd  Directory backreferences: /etc/xyz/../passwd  Double slashes: /etc//passwd  Escaping: /etc/passwd  …and many others Web Intrusion Detection with ModSecurity 31 / 50
  32. Impedance mismatch  Web application firewalls parse HTTP independently from the application – that’s where the protection comes from  But often the way parsing is done is slightly different  Examples:  PHP will ignore spaces at the beginning of variable names  It will also convert all subsequent spaces to underscores  Under some circumstances PHP treats cookies as requests parameters  Such problems make it more difficult for web application firewalls to work out of the box  Customisation is necessary Web Intrusion Detection with ModSecurity 32 / 50
  33. OSS vs. Commercial (1) Commercial: There are many mature offerings. Appliance black-boxes. Can be added to network easily. Very expensive. Web Intrusion Detection with ModSecurity 33 / 50
  34. OSS vs. Commercial (2) Open Source: Do not have all the features of commercial offerings, but have the ones that are really important. No nice GUIs yet - you have to get your hands dirty, understand how it works, and know the components well. Web Intrusion Detection with ModSecurity 34 / 50
  35. 4. ModSecurity 4. Mod_security Web Intrusion Detection with ModSecurity 35 / 50
  36. ModSecurity Open source: http://www.modsecurity.org. GPL and commercial licensing. Free and commercial support available. 3500 downloads per month in a quiet season; growing steadily. Apache version (1.x and 2.x). Java version (Servlet Filter) at some point in the future. Web Intrusion Detection with ModSecurity 36 / 50
  37. Embed Into Web Server Inexpensive and easy to use since no changes to the network design are required. But works only for one web server. No practical impact on performance. Web Intrusion Detection with ModSecurity 37 / 50
  38. Apache-based Web Application Firewall It is a reverse proxy. Easy to install and configure. Created out of default and third-party modules: mod_proxy mod_proxy_html mod_security Web Intrusion Detection with ModSecurity 38 / 50
  39. ModSecurity Features (1) Audit logging. Provides access to any part of the request (request body included) and the response. Flexible regular expression-based rule engine. Rules can be combined. External logic can be invoked. Supports unlimited number of different policies (per virtual host, folder, even a single file). Web Intrusion Detection with ModSecurity 39 / 50
  40. ModSecurity Features (2) Supports file upload interception and real-time validation (e.g. anti-virus integration). Anti-evasion built in. Encoding validation built in. Buffer overflow protection. A variety of things to do upon attack detection. Web Intrusion Detection with ModSecurity 40 / 50
  41. Simple Rule Examples Prevent JavaScript injection: SecFilter "<script" Prevent SQL injection: SecFilter "DELETE[[:space:]]+FROM" Web Intrusion Detection with ModSecurity 41 / 50
  42. Another Example Well-known problem in many PHP applications: register_globals. Prevent with: SecFilterSelective ARG_authorised "!^$" SecFilterSelective COOKIE_authorised "!^$" Web Intrusion Detection with ModSecurity 42 / 50
  43. Advanced Rule Example Prevent the “admin” user from logging from computers other than his workstation: SecFilterSelective ARG_username "^admin$" chain SecFilterSelective REMOTE_ADDR "!^192.168.0.99$" Web Intrusion Detection with ModSecurity 43 / 50
  44. Beware of False Positives! Some people do this: SecFilter bin/ But that prevents this: http://www.xyz.com/cgi-bin/innocent.cgi You do not have to use it in prevention mode! Use detection mode only, until you are sure the rules are correct. Web Intrusion Detection with ModSecurity 44 / 50
  45. 5. Application-based intrusion detection Web Intrusion Detection with ModSecurity 45 / 50
  46. Application IDS (1)  Use the application as an IDS.  Applications view data in context.  The closer IDS gets to application logic – the better.  Each software error is a potential attack.  Log events to the application event log.  At the very least use the response codes (500 – error, 403 – permission problem). Web Intrusion Detection with ModSecurity 46 / 50
  47. Application IDS (2) In Java, create a security Servlet Filter. In .Net, create a HttpModule. In PHP, use auto_prepend to execute security code before the application begins processing. PHP5 (and PHP4 with the Hardened-PHP patch applied) has a special hook that allows an extension to access the parameters before script is started. Web Intrusion Detection with ModSecurity 47 / 50
  48. Application IDS (3) It is easy and fast to change libraries. For example, change the database abstraction library to detect SQL comments and multiple queries in a single call. Web Intrusion Detection with ModSecurity 48 / 50
  49. Questions? Thank you! Download this presentation from http://www.thinkingstone.com/talks/ Web Intrusion Detection with ModSecurity 49 / 50

+ Abhishek SinghAbhishek Singh, 3 years ago

custom

3930 views, 7 favs, 2 embeds more stats

More info about this document

© All Rights Reserved

Go to text version

  • Total Views 3930
    • 3922 on SlideShare
    • 8 from embeds
  • Comments 4
  • Favorites 7
  • Downloads 0
Most viewed embeds
  • 7 views on http://22by7-eureka.blogspot.com
  • 1 views on http://www.arcanesecurity.net

more

All embeds
  • 7 views on http://22by7-eureka.blogspot.com
  • 1 views on http://www.arcanesecurity.net

less

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate. If needed, use the feedback form to let us know more details.

Cancel
File a copyright complaint
Having problems? Go to our helpdesk?

Categories

Tags

more

Groups / Events

-->
Search
RSS Feed
What's new?

© 2009 SlideShare Inc. All Rights Reserved