secure web gateway with mod_security and mod_proxy
DESCRIPTION
Secure Web Gateway with mod_security and mod_proxy. Topics that will be covered: introduction to web application firewalls; web security and mod_proxy; web security and mod_security; configuring a secure web gateway; next steps.
TRANSCRIPT
Secure Web Gateway with mod_security and mod_proxy

Topics that will be covered
• Introduction to web application firewalls
• Web security and mod_proxy
• Web security and mod_security
• Configuring a secure web gateway
• Next steps
Web Application Firewall
Defined as:
"An intermediary device, sitting between a web-client and a web server, analyzing OSI Layer-7 messages for violations in the programmed security policy. A web application firewall is used as a security device protecting the web server from attack."
- Web Application Security Consortium Glossary
Web Application Firewall
Most network firewalls do not, for various reasons, inspect packets at the application layer.
They usually rely on packet header inspection (addresses, ports, protocol flags) and compare these parameters against a rule base.
Because the HTTP request and response bodies are never examined, such a firewall passes an SQL injection or cross-site scripting payload to the allowed web port like any other request, so it cannot provide adequate protection for web servers. This is what makes web application firewalls necessary.
Web Application Firewall (cont'd)
Also called "deep packet inspection firewalls": they look at every request and response within the HTTP/HTTPS/SOAP/XML-RPC/web service layers.
Web application firewalls can be either software or hardware-appliance based.
Installed in front of a web server in an effort to shield it from incoming attacks.
Web security and mod_proxy
A proxy is a device that stands between two entities participating in a conversation.
mod_proxy is a standard Apache httpd module: it ships with Apache, although it (and the protocol submodule mod_proxy_http on Apache 2.x) must be loaded before the proxy directives do anything.
Used as a reverse proxy it protects one or more web servers residing on an internal network while their services are provided to outside clients.
Web security and mod_proxy (cont'd)
When configured as a reverse proxy it becomes a useful tool to help prevent security attacks: the backend servers are never exposed to the client directly.
It serves as a single point of access, allowing administrators to apply other tools (such as mod_security, below) to monitor traffic at one central place.
Web security and mod_proxy (cont'd)
Usually configured on a separate server (different from the actual web server). This is to minimize the risk: a compromise of the gateway does not immediately hand over the application host, and vice versa.
Serves as an additional firewall layer, since it 'hides' the actual web servers and the operating systems they are hosted on: the client only ever opens a connection to the proxy.
Web security and mod_proxy (cont'd)
Apache 2.x is a better choice for a reverse proxy than Apache 1.3 because it contains the new filtering API, which allows modules to see and interact with the request body as it comes in and with the response as it goes out. This is important for an application gateway, since it must check the information that passes through before it reaches the recipient.
Web security and mod_security
mod_security is an Apache module that detects and prevents intrusions at the web application level.
It is normally configured so that it sits between the client and the web server; in this design it runs inside the reverse proxy.
It analyses network traffic at the HTTP layer, i.e. it works on decoded requests and responses rather than on packets.
Web security and mod_security (cont'd)
Allows the administrator to define custom input and output rules that perform specific actions (log, deny, return a chosen status code) when they match.
Offers forensic logging to record a full activity log, including POST-based attacks, which the ordinary access log never captures because it does not record request bodies.
Web security and mod_security (cont'd)
The sequence of events with mod_security when an HTTP request comes in is:
• Parse the request
• Perform canonicalization and anti-evasion actions (URL-decoding, path normalisation), so that the rules see the same representation the application will, and an encoded "%2e%2e/" cannot slip past a rule written for "../"
• Perform special built-in checks (URL-encoding validation, allowed byte range)
• Execute input rules
Web security and mod_security (cont'd)
mod_security also monitors the response:
• Execute output rules
• Log the complete request, consisting of the input and output headers and the request body
Configuring a secure web gateway
The reverse proxy needs to be configured first.
To configure a reverse proxy, add the following directives to httpd.conf:
ServerName example.com
ProxyPass / http://backend.example.com/
ProxyPassReverse / http://backend.example.com/
ProxyPass forwards every request for example.com to the backend; ProxyPassReverse rewrites the Location (and related) headers in the backend's responses so that redirects do not leak the backend's name to the client. Leave ProxyRequests at its default of Off: turning it On makes the gateway a forward proxy that anyone on the Internet can relay traffic through.
Configuring a secure web gateway
The next step is to configure mod_security. The directives below use the mod_security 1.x syntax (SecFilter...); mod_security 2.x replaced them with SecRule and related directives.
# Enable mod_security
SecFilterEngine On
# Scan request body
SecFilterScanPOST On
# Scan response body
SecFilterScanOutput On
# Check URL encoding
SecFilterCheckURLEncoding On
Configuring a secure web gateway
# Only allow certain byte values to be a part of the request (1-255 rejects NUL bytes)
SecFilterForceByteRange 1 255
# Audit log logs complete requests. Configured as below it will only log invalid (rejected) requests for further analysis.
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
Configuring a secure web gateway
# By default, deny and log matching requests, answering with status 500
SecFilterDefaultAction "deny,log,status:500"
# Custom mod_security rules here
# ...
Configuring a secure web gateway
These rules target the common web application attacks. A SecFilter pattern is matched against the request line and, with SecFilterScanPOST On, the request body:
# Command execution attacks (the Unix password file is /etc/passwd)
SecFilter /etc/passwd
SecFilter /bin/ls
# Directory traversal attacks
SecFilter "\.\./"
# XSS attacks
SecFilter "<(.|\n)+>"
SecFilter "<[[:space:]]*script"
Such signature rules are blunt: the first XSS pattern rejects any input containing an HTML-looking tag, so applications that legitimately accept markup will break, and an attacker can often find an encoding or a variant the pattern does not cover.
Configuring a secure web gateway
Rules to prevent SQL injection attacks:
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
Expect false positives: "select.+from" also matches harmless text such as "please select one from the list", so test the rules against real traffic before relying on a default action of deny.
Configuring a secure web gateway
Stop FormMail from being used to send spam
Some versions of FormMail can be used to send email to arbitrary addresses. The following rule demonstrates how a filter can be applied only to certain locations, in this case just the FormMail script. The request is rejected if the email is intended for any address except one ending in "@modsecurity.org":
<Location /cgi-bin/FormMail>
SecFilterSelective "ARG_recipient" "!@modsecurity\.org$"
</Location>
SecFilterSelective inspects one named part of the request (here the "recipient" argument) rather than the whole request, and the leading "!" negates the pattern, so the rule fires when the argument does not match.
Next steps
Prevent cookie poisoning/tampering by allowing cryptographic signing of cookies, so that a cookie value modified on the client side is detected when it comes back.
Strip comments: mod_security should clean up all HTML comments before sending the response out to the client, since developers' comments often reveal internal paths, hostnames or application logic.
Next steps
Another security measure is the cryptographic signing of hidden form fields, and of the form itself, to prevent the values, the number and the names of the form's inputs from being modified by the client. Signing does not hide the values (anyone can still read them); it only makes silent alteration detectable.
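Both next-step items rest on the same mechanism: a keyed MAC over the value the client is handed. As an added example for this page (not mod_security's code; the configuration shown does none of this), here is that mechanism in Python with HMAC-SHA256: sign_cookie/verify_cookie for the cookie case, and sign_hidden_fields/verify_hidden_fields for the form case, where the MAC covers the sorted names and values of all hidden fields so that editing, adding or removing a field is detected. The key, the "__sig" field name and the sample fields are assumptions made for the example; multi-valued fields are not handled.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode

SIG_FIELD = "__sig"  # hypothetical name of the signature field added to a form


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def _mac(key: bytes, data: bytes) -> bytes:
    # The key lives only on the gateway/server; it is never sent to the client.
    return hmac.new(key, data, hashlib.sha256).digest()


def sign_cookie(value: str, key: bytes) -> str:
    """Cookie value carrying its own tag: <base64 value>.<base64 HMAC-SHA256>."""
    raw = value.encode("utf-8")
    return _b64(raw) + "." + _b64(_mac(key, raw))


def verify_cookie(token: str, key: bytes):
    """Return the original value if the tag matches, otherwise None."""
    try:
        value_b64, tag_b64 = token.split(".", 1)
        raw = base64.urlsafe_b64decode(value_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # malformed token, bad base64 (binascii.Error is a ValueError)
        return None
    # Constant-time comparison; a plain == would leak timing information.
    if not hmac.compare_digest(tag, _mac(key, raw)):
        return None
    return raw.decode("utf-8")


def _canonical(fields: dict) -> bytes:
    # Sorted, URL-encoded name=value pairs: the signature covers names and
    # values, so adding, removing or editing any field changes the MAC input.
    items = sorted((k, v) for k, v in fields.items() if k != SIG_FIELD)
    return urlencode(items).encode("utf-8")


def sign_hidden_fields(fields: dict, key: bytes) -> dict:
    """Copy of the hidden fields plus the signature field to emit in the form."""
    signed = dict(fields)
    signed[SIG_FIELD] = _b64(_mac(key, _canonical(fields)))
    return signed


def verify_hidden_fields(posted: dict, key: bytes) -> bool:
    """True only if the posted fields are exactly the set the server emitted."""
    try:
        tag = base64.urlsafe_b64decode(posted.get(SIG_FIELD, ""))
    except ValueError:
        return False
    return hmac.compare_digest(tag, _mac(key, _canonical(posted)))


if __name__ == "__main__":
    key = b"constructed-example-key"  # assumption: in practice a random key from a key store
    cookie = sign_cookie("role=user", key)
    print(cookie, "->", verify_cookie(cookie, key))
    form = sign_hidden_fields({"item": "book", "price": "100"}, key)  # constructed sample
    print(verify_hidden_fields(form, key), verify_hidden_fields(dict(form, price="1"), key))
```

Signing makes tampering detectable but does not make the value secret, and a client can replay an old signed value unchanged; where that matters, an expiry or session identifier has to be bound into the signed data as well.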