
In Focus



storage mechanism enables users to track system elements over time and perform event correlation. Users can block reliably, if they so wish, because ModSecurity uses full request and response buffering.

Virtual patching

Virtual patching is a concept that addresses vulnerability mitigation in a separate layer, in which you get to fix problems in applications without having to touch the applications themselves. Virtual patching is the quick development and short-term implementation of a security policy meant to prevent an exploit from occurring. The resulting impact of a virtual patch is that, while the actual source code of the application itself has not been modified, the exploitation attempt does not succeed. ModSecurity excels at virtual patching because of its reliable blocking capabilities and the flexible rule language that can be adapted to any need. Virtual patching is, by far, the activity ModSecurity offers that requires the least investment, is the easiest to perform, and that most organizations can benefit from straight away.

Full HTTP traffic logging

Web servers traditionally do very little when it comes to logging for security purposes. They log very little by default, and even with a lot of tweaking we can’t get all the data that we need. ModSecurity gives us the ability to log everything, including raw transaction data, which is essential for forensics. In addition, we get to choose which transactions are logged, which parts of a transaction are logged, and which parts are sanitized. As a bonus, this type of detailed logging is also helpful for application troubleshooting—not just security.

Web application hardening

One of the important uses for ModSecurity is attack surface reduction, in which we can selectively narrow down the HTTP features we’re willing to accept (e.g., request methods, request headers, content types, etc.). ModSecurity can assist users in enforcing many similar restrictions, either directly or through collaboration with other web server modules. For example, it’s possible to fix many session management issues, as well as cross-site request forgery vulnerabilities.

Deployment Options

ModSecurity supports two deployment options: embedded and reverse proxy deployment. Users can pick the most appropriate option based on their goals, requirements, and situation. There are advantages and disadvantages to both options:

Embedded

The embedded option is a great choice for those who already have their architecture laid out and don’t want to change it. Embedded deployment is also the preferred option if we need to protect hundreds of web servers. In such situations, it is impractical to build a separate proxy-based security layer. Embedded ModSecurity not only does not introduce new points of failure, but it also scales seamlessly as the underlying web infrastructure scales. The main challenge of embedded deployment is that server resources are shared between the web server and ModSecurity.

Reverse proxy

Reverse proxies are effectively HTTP routers, designed to stand between web servers and their clients. When we install a dedicated reverse proxy web server and add ModSecurity to it, we get a “proper” network web application firewall, which we can use to protect any number of web servers on the same network. This mode gives us complete isolation from the systems (e.g., web servers/applications and databases) we are protecting. On the performance front, a standalone ModSecurity installation will have resources dedicated to it, which means that we will be able to do more (i.e., have more complex rules). The main disadvantage of this approach is the new point of failure, which will need to be addressed with a high-availability setup of two or more reverse proxies.

Transaction Lifecycle

In ModSecurity, every transaction goes through five steps, or phases. In each of the phases, ModSecurity will do some work at the beginning (e.g., parse data that has become available), invoke the rules specified to work in that phase, and perhaps do a thing or two after the phase rules have finished.

Request headers

The request headers phase is the first entry point for ModSecurity. The principal purpose of this phase is to allow rule writers to assess a request before the costly request body processing is undertaken. Similarly, there is often a need to influence how ModSecurity will process a request body, and this phase is the place to do it. For example, ModSecurity will not parse an XML request body by default, but we can instruct it to do so by placing the appropriate rules into phase 1.

Request body

The request body phase is the main request
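The virtual patching section above describes the idea but shows no rule. The following ModSecurity 2.x configuration is an added example, not code from the article or from the ModSecurity project; the application path /app/view.php, the parameter name id and the rule ids are assumptions. It enforces the expected format of one parameter in front of a hypothetical page whose code cannot be changed yet, which is the positive-security form of a virtual patch.

```apache
# Added example (not from the article). Virtual patch for a hypothetical
# page /app/view.php whose "id" parameter is known to be mishandled by the
# application. The application code is left untouched; the rule rejects any
# request in which the parameter is not a short decimal number.
SecRuleEngine On          # use DetectionOnly first to verify the patch does not break legitimate traffic
SecRequestBodyAccess On   # needed so phase 2 sees POST parameters as well as the query string

# Rule ids from 1,000,000 upwards are reserved for local/site rules.
# Phase 2 runs after the request body has been parsed, so ARGS covers both
# query-string and body parameters. The first rule selects the page, the
# chained rule checks the parameter; the disruptive action (deny) belongs
# to the first rule in the chain.
SecRule REQUEST_FILENAME "@streq /app/view.php" \
    "id:1000010,\
    phase:2,\
    deny,\
    status:403,\
    log,\
    t:none,t:lowercase,t:normalisePath,\
    msg:'Virtual patch: unexpected value for id on /app/view.php',\
    logdata:'%{MATCHED_VAR}',\
    chain"
    SecRule ARGS:id "!@rx ^[0-9]{1,10}$" "t:none"

# When the vendor fix ships, retire the patch by deleting the rule or, for a
# single virtual host, with: SecRuleRemoveById 1000010
```

Keeping the rule in DetectionOnly mode for a short period, and reviewing the audit log for hits, is the usual way to confirm the patch matches only the bad input before switching the engine to blocking.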
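The logging section says we can choose which transactions are logged, which parts are logged, and which parts are sanitized, but does not show the directives. The configuration below is an added example, not from the article or the ModSecurity project; the log path, the health-check URI and the parameter names are assumptions. It shows each of the three choices in ModSecurity 2.x.

```apache
# Added example (not from the article). Audit-log configuration that keeps
# full transaction data for forensics while controlling what reaches disk.

# Which transactions: "RelevantOnly" writes a transaction when a rule with
# the auditlog action matched, or when the response status matches the
# regex below (5xx errors are kept so application failures are recorded too).
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^5"
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log       # path is an assumption

# Which parts: A=header, B=request headers, C=request body, F=response
# headers, H=audit trailer, K=matched rules, Z=end of entry. Part E
# (response body) is left out by default because it is usually large.
SecAuditLogParts ABCFHKZ

# Per-transaction override of "which transactions": a load-balancer health
# check (hypothetical URI) is never written to the audit log.
SecRule REQUEST_URI "@streq /healthz" \
    "id:1000020,phase:1,pass,nolog,ctl:auditEngine=Off"

# Per-transaction override of "which parts": for file uploads drop the
# request body part (C) so a multi-megabyte upload does not fill the log.
SecRule REQUEST_HEADERS:Content-Type "@beginsWith multipart/form-data" \
    "id:1000021,phase:1,pass,nolog,t:none,t:lowercase,ctl:auditLogParts=ABFHKZ"

# Which parts are sanitized: the transaction is still logged, but credential
# fields and session-bearing headers are replaced with asterisks before the
# entry is written. The audit log is written after phase 5, so sanitising in
# phase 2 is early enough and matches the reference manual's examples.
SecRule ARGS_NAMES "@rx ^(?:password|passwd|new_password)$" \
    "id:1000022,phase:2,pass,nolog,t:none,sanitiseMatched"
SecAction "id:1000023,phase:2,pass,nolog,\
    sanitiseRequestHeader:Cookie,\
    sanitiseRequestHeader:Authorization"
```

Sanitising does not change what the web server or application receives; it only masks the values in the audit log entry, so the forensic record stays complete without turning the log into a credential store.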
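The hardening section (attack surface reduction) and the request headers phase section both describe phase 1 work: narrowing the accepted HTTP features, and telling ModSecurity how to treat the request body before it is parsed. The rules below are an added example covering both, not code from the article or the ModSecurity project; the allowed method and content-type lists describe a hypothetical API and are assumptions, as are the rule ids.

```apache
# Added example (not from the article). Phase 1 (request headers) rules for
# a hypothetical API that only uses GET, HEAD and POST and only accepts
# form, multipart and XML bodies.

# Accept only the request methods the application actually uses.
SecRule REQUEST_METHOD "!@rx ^(?:GET|HEAD|POST)$" \
    "id:1000030,phase:1,deny,status:405,log,t:none,\
    msg:'Request method not allowed by policy'"

# Require a Host header; "&" counts how many instances of the variable exist.
SecRule &REQUEST_HEADERS:Host "@eq 0" \
    "id:1000031,phase:1,deny,status:400,log,t:none,\
    msg:'Missing Host header'"

# Accept only the content types the application can parse. The chained rule
# runs only when the first one (the POST check) matched. No "$" anchor,
# because Content-Type may carry a "; charset=..." suffix.
SecRule REQUEST_METHOD "@streq POST" \
    "id:1000032,phase:1,deny,status:415,log,t:none,\
    msg:'Content-Type not allowed by policy',chain"
    SecRule REQUEST_HEADERS:Content-Type \
        "!@rx ^(?:application/x-www-form-urlencoded|multipart/form-data|application/xml)" \
        "t:none,t:lowercase"

# Transaction lifecycle: ModSecurity does not parse XML bodies by default.
# Selecting the XML body processor here, in phase 1, makes the parsed
# document (the XML collection) available to rules in phase 2.
SecRule REQUEST_HEADERS:Content-Type "@beginsWith application/xml" \
    "id:1000033,phase:1,pass,nolog,t:none,t:lowercase,\
    ctl:requestBodyProcessor=XML"

# A phase 2 rule can then act on the outcome of body parsing instead of
# treating the body as opaque bytes: reject anything the processor could
# not parse (REQBODY_ERROR is non-zero on a parser failure).
SecRule REQBODY_ERROR "!@eq 0" \
    "id:1000034,phase:2,deny,status:400,log,t:none,\
    msg:'Request body could not be parsed',\
    logdata:'%{REQBODY_ERROR_MSG}'"
```

Because the method and Content-Type checks run in phase 1, a request that fails them is refused before the request body is read or buffered, which is exactly the cost saving the request headers phase is meant to provide.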

[Figure: ModSecurity]



20 informatics.nic.in October 2021