Web Intrusion Detection
  with ModSecurity

  Ivan Ristic <ivanr@webkreator.com>
Aim of This Talk

   Discuss the state of Web Intrusion Detection
   Introduce ModSecurity
   Introduce an open source ...
Who Am I?

    Developer / architect / administrator, spent a great deal
     of time looking at web security issues from...
Talk Overview

   1.     What is the problem?
   2.     Web intrusion detection approaches
   3.     Web application firew...
1. What Is the
                        Problem?


Web Intrusion Detection with ModSecurity   5 / 50
What is the Problem? (1)

   The world is going Web, companies must open
    their systems to their customers and partner...
Firewalls Do Not Work

                                           Firewall




                                           ...
What is the problem? (2)

   Web development is a mess.
   Web applications are not secure.
   Web application security...
In the Ideal World

    Security thought out at the beginning of the project
     and throughout.
    Security requireme...
Back In the Real World

   Applications are insecure.
   Trivial vulnerabilities demonstrate serious lack of
    underst...
Where We Stand (1)

    Doing it right from the start is better: developers should
     design and develop secure softwar...
Where We Stand (2)

   The application security community will work to
    increase awareness and educate developers.
   ...
What Can You Do? (1)

   By all means, if you can improve the software –
    do it!
   But it is more likely that you wi...
What Can You Do? (2)

   Use threat modelling for deployment to
    determine the threats.
   Then correct architectural...
What Can You Do? (3)

   At this point many organizations stop, and prefer
    to keep their fingers crossed: “It will no...
What Can You Do? (4)

   Monitoring: know what happened.
   Detection: know when you are being attacked.
   Prevention:...
2. Web Intrusion
        Detection Approaches


Web Intrusion Detection with ModSecurity   17 / 50
What is Intrusion Detection?

   Intrusion Detection is a method of detecting
    attacks by monitoring traffic or system...
NIDS Applied to Web

   Traffic can be overwhelming.
   Encryption (SSL) makes data invisible.
   Compression makes dat...
Evolution of NIDS

   Deep-inspection Firewalls: vendors are building
    HTTP extensions and making improvements.
   Ap...
Batch Web Intrusion Detection

   Collect logs at a single location:
        Manual collection (cron + scp)
        Sys...
Log-based IDS in Real-time

    Collect logs at a single location using some real time
     method (syslog, mod_log_sprea...
3. Web Application
                  Firewalls


Web Intrusion Detection with ModSecurity   23 / 50
Web Application Firewalls

   They understand HTTP very well.
   Can be applied selectively to parts of the traffic.
   ...
Web IDS Strategies (1)

   Network-based:
        Protects any web server
        Works with many servers at once
   W...
Web IDS Strategies (2)

   Simple defence:
        Supports a limited number of pre-defined defences
   Rule-based:
   ...
Web IDS Strategies (3)

   Negative security model:
        Deny what might be dangerous.
        Do you always know wh...
Features (1)

   Audit logging.
   Defend from specific attacks.
   Defend from general attacks.
   Defend from brute-...
Features (2)

   Enforce client-side validation. (Excellent idea!)
   Introduce per-session restrictions.
   Learn how ...
Evasion Issues

   Most IDS systems are watching for patterns and
    attackers know that.
   There are many ways to obf...
Evasion Techniques

    Mixed case: DeleTe From
    Whitespace: DELETE        FROM
    Self-referencing filenames: /etc...
Impedance mismatch

    Web application firewalls parse HTTP independently
     from the application – that’s where the p...
OSS vs. Commercial (1)

   Commercial:
        There are many mature offerings.
        Appliance black-boxes.
        ...
OSS vs. Commercial (2)

   Open Source:
        Do not have all the features of commercial offerings,
         but have ...
4. ModSecurity
                  4. Mod_security



Web Intrusion Detection with ModSecurity   35 / 50
ModSecurity

   Open source: http://www.modsecurity.org.
   GPL and commercial licensing.
   Free and commercial suppor...
Embed Into Web Server

   Inexpensive and easy to use since no changes
    to the network design are required.
   But wo...
Apache-based Web Application Firewall

   It is a reverse proxy.
   Easy to install and configure.
   Created out of de...
ModSecurity Features (1)

   Audit logging.
   Provides access to any part of the request
    (request body included) an...
ModSecurity Features (2)

   Supports file upload interception and real-time
    validation (e.g. anti-virus integration)...
Simple Rule Examples

   Prevent JavaScript injection:
        SecFilter "<script"

   Prevent SQL injection:
        Se...
Another Example

   Well-known problem in many PHP applications:
    register_globals.
   Prevent with:
        SecFilte...
Advanced Rule Example

   Prevent the “admin” user from logging from
    computers other than his workstation:

        S...
Beware of False Positives!

   Some people do this:
        SecFilter bin/
   But that prevents this:
        http://www...
5. Application-based
            intrusion detection


Web Intrusion Detection with ModSecurity   45 / 50
Application IDS (1)

    Use the application as an IDS.
    Applications view data in context.
    The closer IDS gets ...
Application IDS (2)

   In Java, create a security Servlet Filter.
   In .Net, create a HttpModule.
   In PHP, use auto...
Application IDS (3)

   It is easy and fast to change libraries.
   For example, change the database abstraction
    lib...
Questions?

                                  Thank you!
               Download this presentation from
           http://...
Upcoming SlideShare
Loading in …5
×

Web Intrusion Detection

6,382 views
6,283 views

Published on

Published in: Technology
2 Comments
16 Likes
Statistics
Notes
  • Excellent slide on Web Intrusion Detection.

    Roy Jan
    http://au.freepolyphonicringtones.org/ http://at.freepolyphonicringtones.org/
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • hey there,could you please mail this across to me,it will truly assist me for my work.thank you very much.
    Teisha
    http://dashinghealth.com http://healthimplants.com
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total views
6,382
On SlideShare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
0
Comments
2
Likes
16
Embeds 0
No embeds

No notes for slide

Web Intrusion Detection

  1. 1. Web Intrusion Detection with ModSecurity Ivan Ristic <ivanr@webkreator.com>
  2. 2. Aim of This Talk Discuss the state of Web Intrusion Detection Introduce ModSecurity Introduce an open source web application firewall, consisting of Apache and ModSecurity Discuss what can be done to detect and prevent application attacks Web Intrusion Detection with ModSecurity 2 / 50
  3. 3. Who Am I?  Developer / architect / administrator, spent a great deal of time looking at web security issues from different points of view.  Author of ModSecurity, an open source web firewall / IDS.  Author of Apache Security, published by O’Reilly in March 2005.  Founder of Thinking Stone, a web security company. Web Intrusion Detection with ModSecurity 3 / 50
  4. 4. Talk Overview 1. What is the problem? 2. Web intrusion detection approaches 3. Web application firewalls 4. ModSecurity 5. Application-based IDS Web Intrusion Detection with ModSecurity 4 / 50
  5. 5. 1. What Is the Problem? Web Intrusion Detection with ModSecurity 5 / 50
  6. 6. What is the Problem? (1) The world is going Web, companies must open their systems to their customers and partners. Port 80 is used for everything now. Web applications, web services. Classic firewall architectures do not help any more. Web Intrusion Detection with ModSecurity 6 / 50
  7. 7. Firewalls Do Not Work Firewall Application Database Web Web Server Client Server Application HTTP Traffic Port 80 Web Intrusion Detection with ModSecurity 7 / 50
  8. 8. What is the problem? (2) Web development is a mess. Web applications are not secure. Web application security field is getting there, but it’s still young. Web servers do not provide the correct tools (e.g. auditing). The awareness is rising but we have a long way to go. Web Intrusion Detection with ModSecurity 8 / 50
  9. 9. In the Ideal World  Security thought out at the beginning of the project and throughout.  Security requirements exist, security policy is defined.  Threat modelling is used to discover threats.  Developers trained in application security, a security specialist is on board.  Code reviews are performed. Web Intrusion Detection with ModSecurity 9 / 50
  10. 10. Back In the Real World Applications are insecure. Trivial vulnerabilities demonstrate serious lack of understanding of the web programming model. Users want features; security is an afterthought. Anyone with a browser can break in. Web Intrusion Detection with ModSecurity 10 / 50
  11. 11. Where We Stand (1)  Doing it right from the start is better: developers should design and develop secure software.  But: it is not possible nor feasible to achieve 100% security. Even getting close is difficult.  But: you have to use third-party products which are of unknown quality.  But: you have to live with the existing systems. Web Intrusion Detection with ModSecurity 11 / 50
  12. 12. Where We Stand (2) The application security community will work to increase awareness and educate developers. You can do this within your organisation. It will take a while. In the meantime, do anything you can to increase security. Web Intrusion Detection with ModSecurity 12 / 50
  13. 13. What Can You Do? (1) By all means, if you can improve the software – do it! But it is more likely that you will have to attempt to increase security from the outside. It is not easy. You’ll have to put insecure applications into secure environments. Web Intrusion Detection with ModSecurity 13 / 50
  14. 14. What Can You Do? (2) Use threat modelling for deployment to determine the threats. Then correct architectural issues that can be corrected. Use network design tools to increase security by limiting exposure. Web Intrusion Detection with ModSecurity 14 / 50
  15. 15. What Can You Do? (3) At this point many organizations stop, and prefer to keep their fingers crossed: “It will not happen to us”. Intrusions are always possible, it is the probability you need to worry about. It depends on your circumstances – are you a high-profile, high-risk case? Web Intrusion Detection with ModSecurity 15 / 50
  16. 16. What Can You Do? (4) Monitoring: know what happened. Detection: know when you are being attacked. Prevention: stop attacks before they succeed. Assessment: discover problems before the attackers do. Web Intrusion Detection with ModSecurity 16 / 50
  17. 17. 2. Web Intrusion Detection Approaches Web Intrusion Detection with ModSecurity 17 / 50
  18. 18. What is Intrusion Detection? Intrusion Detection is a method of detecting attacks by monitoring traffic or system events. Most people mean N(etwork) IDS when they say IDS. But there is also Host-based IDS, and other hybrid approaches. Web Intrusion Detection with ModSecurity 18 / 50
  19. 19. NIDS Applied to Web Traffic can be overwhelming. Encryption (SSL) makes data invisible. Compression makes data hard to see. Designed to work at the TCP/IP level, not as effective for HTTP. Evasion is a problem. Bottom line: NIDS is not suitable for application- level protection. Web Intrusion Detection with ModSecurity 19 / 50
  20. 20. Evolution of NIDS Deep-inspection Firewalls: vendors are building HTTP extensions and making improvements. Application Firewall (a.k.a Application Gateway) is born. Web Application Firewall (WAF) is a reverse proxy with additional security-related features. Web Intrusion Detection with ModSecurity 20 / 50
  21. 21. Batch Web Intrusion Detection Collect logs at a single location: Manual collection (cron + scp) Syslog Spread toolkit (mod_log_spread) Run a script periodically to check the logs. Prevention not possible. Can go back in time! Web Intrusion Detection with ModSecurity 21 / 50
  22. 22. Log-based IDS in Real-time  Collect logs at a single location using some real time method (syslog, mod_log_spread).  Tail and analyse the central log file in real-time.  SEC (Simple Event Correlator, http://kodu.neti.ee/~risto/sec/) may be of help.  Prevention still not possible. Web Intrusion Detection with ModSecurity 22 / 50
  23. 23. 3. Web Application Firewalls Web Intrusion Detection with ModSecurity 23 / 50
  24. 24. Web Application Firewalls They understand HTTP very well. Can be applied selectively to parts of the traffic. They work after traffic is decrypted, or can otherwise terminate SSL. Prevention is possible. Web Intrusion Detection with ModSecurity 24 / 50
  25. 25. Web IDS Strategies (1) Network-based: Protects any web server Works with many servers at once Web server-based: Closer to the application Limited by the web server API Web Intrusion Detection with ModSecurity 25 / 50
  26. 26. Web IDS Strategies (2) Simple defence: Supports a limited number of pre-defined defences Rule-based: Uses rules to look for known vulnerabilities Or rules to look for classes of attack Rely on rule databases Anomaly-based: Attempts to figure out what normal operation means Web Intrusion Detection with ModSecurity 26 / 50
  27. 27. Web IDS Strategies (3) Negative security model: Deny what might be dangerous. Do you always know what is dangerous? Positive security model: Allow what is known to be safe. Positive security model is better. Web Intrusion Detection with ModSecurity 27 / 50
  28. 28. Features (1) Audit logging. Defend from specific attacks. Defend from general attacks. Defend from brute-force attacks. Web Intrusion Detection with ModSecurity 28 / 50
  29. 29. Features (2) Enforce client-side validation. (Excellent idea!) Introduce per-session restrictions. Learn how application works over time, then create a white list. Web Intrusion Detection with ModSecurity 29 / 50
  30. 30. Evasion Issues Most IDS systems are watching for patterns and attackers know that. There are many ways to obfuscate attack content to prevent detection and still make it work. “DROP/**/TABLE xyz” is a valid SQL query in MySQL. Web Intrusion Detection with ModSecurity 30 / 50
  31. 31. Evasion Techniques  Mixed case: DeleTe From  Whitespace: DELETE FROM  Self-referencing filenames: /etc/./passwd  Directory backreferences: /etc/xyz/../passwd  Double slashes: /etc//passwd  Escaping: /etc/passwd  …and many others Web Intrusion Detection with ModSecurity 31 / 50
  32. 32. Impedance mismatch  Web application firewalls parse HTTP independently from the application – that’s where the protection comes from  But often the way parsing is done is slightly different  Examples:  PHP will ignore spaces at the beginning of variable names  It will also convert all subsequent spaces to underscores  Under some circumstances PHP treats cookies as requests parameters  Such problems make it more difficult for web application firewalls to work out of the box  Customisation is necessary Web Intrusion Detection with ModSecurity 32 / 50
  33. 33. OSS vs. Commercial (1) Commercial: There are many mature offerings. Appliance black-boxes. Can be added to network easily. Very expensive. Web Intrusion Detection with ModSecurity 33 / 50
  34. 34. OSS vs. Commercial (2) Open Source: Do not have all the features of commercial offerings, but have the ones that are really important. No nice GUIs yet - you have to get your hands dirty, understand how it works, and know the components well. Web Intrusion Detection with ModSecurity 34 / 50
  35. 35. 4. ModSecurity 4. Mod_security Web Intrusion Detection with ModSecurity 35 / 50
  36. 36. ModSecurity Open source: http://www.modsecurity.org. GPL and commercial licensing. Free and commercial support available. 3500 downloads per month in a quiet season; growing steadily. Apache version (1.x and 2.x). Java version (Servlet Filter) at some point in the future. Web Intrusion Detection with ModSecurity 36 / 50
  37. 37. Embed Into Web Server Inexpensive and easy to use since no changes to the network design are required. But works only for one web server. No practical impact on performance. Web Intrusion Detection with ModSecurity 37 / 50
  38. 38. Apache-based Web Application Firewall It is a reverse proxy. Easy to install and configure. Created out of default and third-party modules: mod_proxy mod_proxy_html mod_security Web Intrusion Detection with ModSecurity 38 / 50
  39. 39. ModSecurity Features (1) Audit logging. Provides access to any part of the request (request body included) and the response. Flexible regular expression-based rule engine. Rules can be combined. External logic can be invoked. Supports unlimited number of different policies (per virtual host, folder, even a single file). Web Intrusion Detection with ModSecurity 39 / 50
  40. 40. ModSecurity Features (2) Supports file upload interception and real-time validation (e.g. anti-virus integration). Anti-evasion built in. Encoding validation built in. Buffer overflow protection. A variety of things to do upon attack detection. Web Intrusion Detection with ModSecurity 40 / 50
  41. 41. Simple Rule Examples Prevent JavaScript injection: SecFilter "<script" Prevent SQL injection: SecFilter "DELETE[[:space:]]+FROM" Web Intrusion Detection with ModSecurity 41 / 50
  42. 42. Another Example Well-known problem in many PHP applications: register_globals. Prevent with: SecFilterSelective ARG_authorised "!^$" SecFilterSelective COOKIE_authorised "!^$" Web Intrusion Detection with ModSecurity 42 / 50
  43. 43. Advanced Rule Example Prevent the “admin” user from logging from computers other than his workstation: SecFilterSelective ARG_username "^admin$" chain SecFilterSelective REMOTE_ADDR "!^192.168.0.99$" Web Intrusion Detection with ModSecurity 43 / 50
  44. 44. Beware of False Positives! Some people do this: SecFilter bin/ But that prevents this: http://www.xyz.com/cgi-bin/innocent.cgi You do not have to use it in prevention mode! Use detection mode only, until you are sure the rules are correct. Web Intrusion Detection with ModSecurity 44 / 50
  45. 45. 5. Application-based intrusion detection Web Intrusion Detection with ModSecurity 45 / 50
  46. 46. Application IDS (1)  Use the application as an IDS.  Applications view data in context.  The closer IDS gets to application logic – the better.  Each software error is a potential attack.  Log events to the application event log.  At the very least use the response codes (500 – error, 403 – permission problem). Web Intrusion Detection with ModSecurity 46 / 50
  47. 47. Application IDS (2) In Java, create a security Servlet Filter. In .Net, create a HttpModule. In PHP, use auto_prepend to execute security code before the application begins processing. PHP5 (and PHP4 with the Hardened-PHP patch applied) has a special hook that allows an extension to access the parameters before script is started. Web Intrusion Detection with ModSecurity 47 / 50
  48. 48. Application IDS (3) It is easy and fast to change libraries. For example, change the database abstraction library to detect SQL comments and multiple queries in a single call. Web Intrusion Detection with ModSecurity 48 / 50
  49. 49. Questions? Thank you! Download this presentation from http://www.thinkingstone.com/talks/ Web Intrusion Detection with ModSecurity 49 / 50

×