Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mod Security (Is it worth it?) By Rich Helton. Abstract (see my paper for sources)  Based on statistics, Apache is the most used web server being used.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Mod Security (Is it worth it?) By Rich Helton. Abstract (see my paper for sources)  Based on statistics, Apache is the most used web server being used."— Presentation transcript:

1 Mod Security (Is it worth it?) By Rich Helton

2 Abstract (see my paper for sources)  Based on statistics, Apache is the most used web server being used today.  Based on statistics, the web site is the most likely entry point for a hacker to enter.  Re-writing code does not always block vulnerabilities.  Blocking attacks need to become an interactive process.  An network IDS/IPS does not adequately protect websites.  By knowing a tool, like ModSecurity, well, a person not only just logs and blocks attacks from the Internet but can modify the behavior of a website.

3 Web Application Firewalls (WAF)  WAFs are filters that sit in front of the Web Application.  Depending on their configuration, they will deny, or log, validated information from the Internet into the Application.  They are a good source in auditing the information that is hitting the Web site and the scans that are constantly taking place.

4 WAF  ModSecurity is the most popular Open Source WAF today, http://www.modsecurity.org/. http://www.modsecurity.org/  A WAF will not protect common sense mistakes in architecture and code, http://www.owasp.org/index.php/Category:OWASP_Be st_Practices:_Use_of_Web_Application_Firewalls http://www.owasp.org/index.php/Category:OWASP_Be st_Practices:_Use_of_Web_Application_Firewalls  ModSecurity, works very similar in ways to an open source Intrusion Detection System like Snort, and can even convert the rules from ModSecurity to Snort, http://blog.modsecurity.org/2003/10/converted-snort.html http://blog.modsecurity.org/2003/10/converted-snort.html

5 WAF  Snort is network specific.  ModSecurity is a plugin to an Apache website.  ModSecurity can apply different rules per Apache instance, being website specific.  Apache has plugins to most Application servers, and can proxy all web and application servers.  Apache/ModSecurity can even proxy in front of Microsoft’s IIS Web Server.

6 Apache mod_security (There are many rules from experts)  The mod_security module information can be found at http://www.modsecurity.org/ http://www.modsecurity.org/  Load the mod_security and unique id modules (this example is XP) in conf/httpd.conf:  LoadModule security2_module modules/mod_security2.so  LoadModule unique_id_module modules/mod_unique_id.so  Add the base configuration and some of the base rules:  Include conf/mod_security.conf  Include conf/base_rules/modsecurity_crs_41_xss_attacks.conf  Include conf/base_rules/modsecurity_crs_23_request_limits.conf  Include conf/base_rules/modsecurity_crs_35_bad_robots.conf  Include conf/base_rules/modsecurity_crs_40_generic_attacks.conf  Include conf/base_rules/modsecurity_crs_41_sql_injection_attacks.conf

7 Here is an Apache server configured by ModSecurity to look like IIS 6.0

8 Cons  WAFs are limited by their rulesets.  WAF rules require maintaining as vulnerabilities and the website changes.  WAFs have broken websites because the website does not follow standards.  When adding rules, a strong understanding of the website, its code and pages, and its environment is required.  WAFs are not a cure all, and requires code changes as well to maintain the websites, such as upgrading SQL7 to SQL 2005.

9 Pros  Installing a WAF is usually quicker than rewriting a website.  WAF rules are extensive, usually free, and built by industry experts.  WAFs can detect vulnerabilities and attacks that web scanners do not always detect.  A WAF can change the behavior of a website that website code cannot change.

Download ppt "Mod Security (Is it worth it?) By Rich Helton. Abstract (see my paper for sources)  Based on statistics, Apache is the most used web server being used."

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
SmartSoft Network Solutions, Inc.  Project Presentation  21/12/2005.

SmartSoft Network Solutions, Inc.  Project Presentation  21/12/2005.
Network Security and Audits LITN Fall Conference 2006 Presented by Katie Givens Mosaic.

Network Security and Audits LITN Fall Conference 2006 Presented by Katie Givens Mosaic.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Intrusion Detection Systems By: William Pinkerton and Sean Burnside.

Intrusion Detection Systems By: William Pinkerton and Sean Burnside.
Firewall Configuration Strategies

Firewall Configuration Strategies
Petros Lam VP, Sales & Marketing The Hong Kong School Net Ltd.

Petros Lam VP, Sales & Marketing The Hong Kong School Net Ltd.
1. Prelude Diebold’s electronic voting system source code was discovered and subsequently leaked due to it being on a Diebold web server. Although it.

1. Prelude Diebold’s electronic voting system source code was discovered and subsequently leaked due to it being on a Diebold web server. Although it.
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
1 Project Part II Double Deuce Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez.

1 Project Part II Double Deuce Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez.
Uniqueness of user names is enforced Customer information logged to database Require contact information as well as email address Email address will.

Uniqueness of user names is enforced Customer information logged to database Require contact information as well as address address will.
Introducing Quick Heal Endpoint Security 5.3. “Quick Heal Endpoint Security 5.3 is designed to provide simple, intuitive centralized management and control.

Introducing Quick Heal Endpoint Security 5.3. “Quick Heal Endpoint Security 5.3 is designed to provide simple, intuitive centralized management and control.
Installing and Configuring a Secure Web Server COEN 351 David Papay.

Installing and Configuring a Secure Web Server COEN 351 David Papay.
Department Of Computer Engineering

Department Of Computer Engineering
Building a Campus Dshield Randy Marchany IT Security Lab VA Tech Blacksburg, VA 24060

Building a Campus Dshield Randy Marchany IT Security Lab VA Tech Blacksburg, VA 24060
Appliance Firewalls A Technology Review By: Brent Huston T h e B l a c k H a t B r i e f i n g s July 7-8, 1999 Las Vegas.

Appliance Firewalls A Technology Review By: Brent Huston T h e B l a c k H a t B r i e f i n g s July 7-8, 1999 Las Vegas.
Security Scanning OWASP Education Nishi Kumar Computer based training

Security Scanning OWASP Education Nishi Kumar Computer based training
Campus Firewalling Dearbhla O’Reilly Network Manager Dublin Institute of Technology.

Campus Firewalling Dearbhla O’Reilly Network Manager Dublin Institute of Technology.
Brad Baker CS526 May 7 th, 2008 5/7/2008 1. 1. Project goals 2. Test Environment 3. The Problem 4. Some Solutions 5. ModSecurity Overview 6. ModSecurity.

Brad Baker CS526 May 7 th, /7/ Project goals 2. Test Environment 3. The Problem 4. Some Solutions 5. ModSecurity Overview 6. ModSecurity.

Similar presentations

Ads by Google