WebApp Sec mailing list archives
RE: Apache mode_security
From: "Ofer Shezaf" <Ofer.Shezaf () breach com>
Date: Wed, 30 Nov 2005 10:35:59 -0500
-----Original Message-----
From: Ivan Ristic [mailto:ivan.ristic () gmail com]
Sent: Thursday, November 24, 2005 2:14 PM
...
Neither approach is good enough in real life when used on its own. (Although there may be specific cases where they can work rather well.) As you say, negative rules can often be bypassed. It is also difficult to enumerate all the possible attacks. In theory, a positive security model is much safer, but there is a problem of how to create a good-enough model. This is especially a problem if the application you are trying to protect is constantly changing. I believe the solution is somewhere in the middle.
I strongly agree with Ivan. Application protection is complex since applications are complex and much more dynamic than networks. Some on this list would even say that no real-time security control can effectively block application layer attacks. I think that it is achievable (well, I make application firewalls for a living....), but it does require sophisticated detection that mashes together both negative and positive methods.

Signature detection has to go a step further than what I usually see out there. Many of the signatures presented in articles closely detect published attack vectors ('1=1', 'union select' and the like). Application layer signatures must try to detect generic language injection. I personally dig through manuals of different languages (not just SQL) to try to predict what keywords / phrases might be used as part of attacks. Signatures are also good mostly for injection, but fail miserably on other attack types.

On the positive security side, static rules (such as RFC compliance), behavioral analysis of traffic and building policy based on outbound traffic should all be used; each one has deficiencies, but together they can provide a lot: behavioral anomalies often do not equal attacks, and analyzing outbound traffic is limited by the wide use of client side code.

On top of that you need to correlate between the different events, both for a single request and over time, as many of the detection methods detect anomalies rather than attacks. Only by aggregating the anomalies can one detect attacks.

~ Ofer

Ofer Shezaf
CTO, Breach Security
Phone (US): +1 (760) 268.1924 ext. 702
Phone (Israel): +972 (9) 956.0036 ext.212
Cell: +972 (54) 443.1119
ofers () breach com
http://www.breach.com
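The detection scheme Ofer describes (generic negative signatures, a positive parameter model, and correlation of anomalies per request and per client over time) can be sketched as an anomaly-scoring engine. The block below is an added illustration written for this archive page; it is not code from Ofer, Breach Security, ModSecurity, or anyone in the thread. The policy, rule weights, thresholds, window length and sample traffic are all constructed for the example, and the sliding-window correlation goes slightly beyond the text by showing how the per-client score decays once old anomalies leave the window.

```python
"""Anomaly-scoring prototype: negative signatures + positive model + correlation.

Added example, not code from the mailing-list thread. All policy entries,
weights, thresholds and sample requests are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Positive model: hypothetical allow-list policy for a small application.
# Each parameter maps to (allowed pattern, max length); anything outside it
# is an anomaly, whether or not a signature matches.
POLICY = {
    "/login": {"user": (r"[A-Za-z0-9_.]+", 32), "pass": (r".+", 64)},
    "/search": {"q": (r"[\w .-]*", 100), "page": (r"\d{1,3}", 3)},
}

# Negative model: generic language-injection indicators rather than single
# published vectors. Constructed weights: (name, pattern, score).
NEGATIVE_RULES = [
    ("sql-keyword", re.compile(r"\b(select|union|insert|update|delete|drop)\b", re.I), 3),
    ("sql-comment", re.compile(r"--|/\*|#"), 2),
    ("shell-meta", re.compile(r"[;|`$]"), 2),
    ("script-tag", re.compile(r"<\s*script", re.I), 4),
]

REQUEST_THRESHOLD = 5   # score at which a single request is blocked
CLIENT_THRESHOLD = 8    # summed score per client inside the window
WINDOW_SECONDS = 60     # correlation window (constructed value)


@dataclass
class Request:
    client: str
    ts: int          # seconds since start of the trace
    path: str
    params: dict


def positive_anomalies(req):
    """Checks the request against the positive (allow-list) model."""
    found = []
    spec = POLICY.get(req.path)
    if spec is None:
        return [("unknown-path", 5)]
    for name, value in req.params.items():
        if name not in spec:
            found.append(("unknown-param:" + name, 3))
            continue
        pattern, max_len = spec[name]
        if len(value) > max_len:
            found.append(("too-long:" + name, 2))
        if not re.fullmatch(pattern, value):
            found.append(("bad-format:" + name, 3))
    return found


def negative_anomalies(req):
    """Runs the generic injection signatures over every parameter value."""
    found = []
    for name, value in req.params.items():
        for rule_name, pattern, weight in NEGATIVE_RULES:
            if pattern.search(value):
                found.append((rule_name + ":" + name, weight))
    return found


def score_request(req):
    """Aggregates both models into one per-request anomaly score."""
    anomalies = positive_anomalies(req) + negative_anomalies(req)
    return sum(w for _, w in anomalies), anomalies


class Correlator:
    """Correlates anomaly scores per client over a sliding time window."""

    def __init__(self):
        self.history = defaultdict(deque)   # client -> deque of (ts, score)

    def observe(self, req):
        score, anomalies = score_request(req)
        hist = self.history[req.client]
        hist.append((req.ts, score))
        # Drop observations that have aged out of the window.
        while hist and req.ts - hist[0][0] > WINDOW_SECONDS:
            hist.popleft()
        client_total = sum(s for _, s in hist)
        if score >= REQUEST_THRESHOLD:
            verdict = "block:request"      # one request is anomalous enough
        elif client_total >= CLIENT_THRESHOLD:
            verdict = "block:client"       # many weak anomalies, one client
        elif score > 0:
            verdict = "alert"              # anomaly, but not yet an attack
        else:
            verdict = "pass"
        return verdict, score, client_total, anomalies


# Constructed traffic: a benign request, an obvious injection, and a client
# that trips several low-score anomalies spread over time, then goes quiet.
SAMPLE = [
    Request("10.0.0.1", 0,   "/search", {"q": "mod security", "page": "2"}),
    Request("10.0.0.2", 5,   "/search", {"q": "x' union select 1--", "page": "1"}),
    Request("10.0.0.3", 10,  "/login",  {"user": "bob", "pass": "pw", "debug": "1"}),
    Request("10.0.0.3", 30,  "/search", {"q": "a", "page": "1a"}),
    Request("10.0.0.3", 50,  "/search", {"q": "a", "page": "abc"}),
    Request("10.0.0.3", 120, "/search", {"q": "a", "page": "x"}),
]


def run(requests=SAMPLE):
    """Feeds the trace through one correlator and returns the verdicts."""
    c = Correlator()
    return [c.observe(r)[0] for r in requests]


if __name__ == "__main__":
    for r, v in zip(SAMPLE, run()):
        print(v, r.client, r.path, r.params)
```

The third client never sends a request that scores above the per-request threshold, so a signature-only engine would only ever raise alerts for it; the per-client aggregation is what turns three small anomalies into a block, and the window expiry at the end shows the score falling back to an alert once the earlier anomalies are too old to correlate.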