ModSecurity Breach

Breach Security

Supporting the Open Source Community

Breach Security is committed to contributing to the development of the ModSecurity open source community, as evidenced by new releases of ModSecurity and the Core Rules, as well as an Enhanced Rule Set and commercial support packages. Breach Security has also incorporated ModSecurity technology into its suite of web application security solutions - the ModSecurity Pro appliance and the ModSecurity Management Appliance (MMA).

Since the acquisition, Breach Security has provided the following products and offerings based on ModSecurity technology:

  • ModSecurity 2.x, 2.1.x and now 2.5 – a series of significant upgrade releases providing enhanced analysis and performance improvements.
  • ModSecurity Appliance - the current ModSecurity Appliance (Transparent Proxy) is an inexpensive plug-and-play web application firewall appliance.
  • ModSecurity Management Appliance – a web-based console providing event consolidation for multiple ModSecurity sensors.
  • Enhanced ModSecurity Rule Set – optimized packages of ModSecurity rules for protecting commercial web applications with known vulnerabilities and ensuring web applications are compliant with specific regulations, such as PCI.
  • Support packages - commercial support for open source ModSecurity users and their ModSecurity deployments.
  • Training packages - both on-site and online ModSecurity training offerings.

Background

There have been many positive changes resulting from the acquisition. Development has accelerated, as Breach has hired a developer assigned to working on the code full time, in addition to Ivan spending more time and energy on development. Documentation and community support have improved too, as Breach hired a ModSecurity Community Manager who is dedicated full-time to growing and nurturing the community. The latter is very significant, as interaction with the community is the main opportunity for further expansion. Web application security is complicated by a dynamic environment, and the web application firewalls protecting those applications must cope with constant change. ModSecurity can be difficult for some to use because there are no wizards and no implicit protection facilities; users must have a high level of expertise. While this works well for professionals, ModSecurity should be an equally suitable solution for people who are not web application security gurus but have an equally important need to protect themselves while minimising their time investment in the process.

Many ModSecurity users have also benefited from the commercial offerings. They have the option to purchase a commercially supported version of ModSecurity from an organisation with broad reach. That, and the range of appliances that have been released, have ensured that users have a very wide choice of deployment options.

Our current appliance is *very* affordable. Breach Security wants to continue to pursue the main goal of the ModSecurity project, and that is to make web application firewalls accessible to everyone.

ModSecurity Pro Appliance

Based on the world’s most deployed web application firewall with over 15,000 users, the ModSecurity Pro appliance offers essential web application security at an affordable price. It includes the mature, proven ModSecurity web application firewall on a hardened, Linux-based security appliance. The appliance not only defeats a wide range of application-layer attacks, but also helps ensure compliance with government and industry standards and regulations, and provides real-time event analysis.

Key Features

Protection for Multiple Web Servers

The appliance can be deployed transparently in front of multiple web servers to insulate web applications from the vulnerabilities inherent in web server technologies. In this deployment mode, the appliance monitors application traffic, performs a wide set of checks for web application attacks, and reacts in real time.

Transparent Deployment Mode

The appliance can be easily deployed inline in a transparent bridge mode, which has many benefits including:

  • No network reconfiguration is required to redirect traffic to the appliance.
  • The source IP address information of clients is maintained which preserves Access Control Lists (ACLs) and logging analytics.
  • Traffic for protected sites is intercepted and analyzed for malicious content.

Out-of-the-Box Security

The ModSecurity Pro’s pre-packaged rule sets prevent information leakage and help organizations with their compliance efforts. These easy-to-apply rule sets save time and provide immediate protection for production applications against targeted attacks. Individual rule sets can be applied on a per-web application basis for more customized protection. Included rule sets address:

  • Information leakage protection;
  • Automated detection of malicious activity;
  • Payment Card Industry Data Security Standard (PCI DSS) compliance;
  • Open Web Application Security Project (OWASP) Top 10 vulnerabilities;
  • Microsoft Outlook Web Access protection;
  • Platform-specific protection for Apache, IIS, PHP, ASP, ASP.NET, and others;
  • Anti-virus protection for file uploads through integration with ClamAV.

Intuitive, Web-Based Management Interface

The web-based ModSecurity management interface provides easy-to-use, anytime, and anywhere access to alerting, event analysis, and reporting capabilities. The ModSecurity management interface offers administrators a complete picture of their web applications’ operations and security by giving them in-depth event analysis. Detailed and summary reports for security, compliance, and audit requirements are available.

Benefits

  • Provides immediate protection for production applications against targeted attacks with plug-and-play installation.
  • Prevents information leakage and helps with compliance efforts through pre-packaged rule sets for commercial application vulnerabilities and for PCI standards.
  • Delivers alerting, event analysis, and reporting in an easy-to-use console that also provides event viewing and sensor configuration.
  • Does not require network reconfiguration for deployment.
  • Protects the flow of mission-critical web traffic in the event of a power or hardware failure with its embedded bypass card.

ModSecurity Management Appliance

Organizations with multiple ModSecurity open-source and ModSecurity Pro commercial deployments invest a significant amount of IT resources to secure and monitor their web applications. Often, each sensor must be individually monitored to determine if an attack has occurred. As a result, vital IT resources are consumed and application vulnerabilities still may not be identified in a timely manner, potentially leaving the organization and its sensitive data exposed. The ModSecurity Management Appliance addresses the ModSecurity community’s needs by allowing its members to remotely manage events from their distributed sensor deployments. Used in conjunction with ModSecurity and the commercial appliance deployments, the appliance collects, aggregates, and displays alert information from up to 50 open-source and commercial sensors to provide real-time, detailed visibility into each web application.

Key Features

Support for Multiple Sensors

The ModSecurity Management Appliance supports multiple remote sensors. The appliance is built upon a reliable, high-performance framework that can securely collect log and alert data for events from up to 50 open-source and commercial sensors in real time. This support provides administrators with a single source for web application security information so they can remediate issues immediately.

Detailed Event Analysis

On-screen, detailed event views allow organizations to identify specific application vulnerabilities. The ModSecurity Management Appliance categorizes each alert based on type, provides insight into the sensor receiving it, identifies the source address trigger, and displays the type of attack. Administrators can re-categorize events into custom categories to help document and report on the organization’s compliance with government and industry standards and regulations.

Event Report to Support Security, Compliance and Audit Requirements

The ModSecurity Management Appliance’s reporting capabilities help organizations meet their security, compliance, and audit requirements. Included reports detail events by type, date and time, or per sensor. All reports are formatted and available as PDF files. Reports can be scheduled, produced on-demand, and/or distributed via email to ensure that information is available when and where it is needed.

Benefits

  • Provides current and historical web application security information from its centralized event database.
  • Offers anytime, anywhere access to alerting and reporting capabilities through its intuitive, web-based interface.
  • Presents a complete picture of web application security by supplying detailed event analysis.
  • Saves time and deploys easily due to its innovative, self-contained application design that includes an embedded web server and database.

The Enhanced Rule Set

The Enhanced Rule Set is the commercially supported version of the ModSecurity rules, offered either as part of the commercial support contract or as part of the ModSecurity Pro appliance. The Enhanced Rule Set includes all of the rules available in the open source Core Rule Set; however, it also includes other rules to help address specific issues.

Rule Performance Improvements

Optional rule sets cause ModSecurity to skip most inspection when a request for static content is made. This is desirable because attack vectors are mostly found in dynamic content, where the web application takes argument input from clients. Excluding these requests greatly improves the performance of ModSecurity.

Platform and Language Protection

The Enhanced Rule Set provides specific protection for an array of Web Servers and development environments including IIS, Apache, ASP, ASP.NET, PHP and FrontPage. For each such environment the following security features are provided:

  • Positive security envelope - A positive security envelope works by allowing only valid input and blocking everything else, and is considered the best protection mechanism for web applications. Such protection prevents exploitation of any vulnerability, including as yet unknown vulnerabilities, without requiring signature updates.
  • Detection of Errors - The Enhanced Rule Set detects error messages sent out by each environment. Such error messages usually imply a problem in the application and can also mean that technical information useful to attackers is leaking.
  • Known Vulnerabilities – The Enhanced Rule Set includes a small number of rules for detecting known vulnerabilities in each environment's rule set. The advantage of splitting known-vulnerability signatures into environment-specific rule sets is that only the signatures relevant to your environment are used, enhancing performance and reducing false positives.

PCI Compliance

In addition to protecting web applications from attacks, the Enhanced Rule Set has a number of features specifically designed for organizations working to comply with the PCI standard. These features ensure the proper configuration of the security mechanisms required for PCI compliance, as well as reporting that provides specific PCI standard details for each attack prevented.

  • PCI Standard Compliance Tagging - For each event it reports, the Enhanced Rule Set adds a tag describing which PCI section the event relates to.
  • Blocking the Theft of Credit Card Numbers - The Enhanced Rule Set will block any credit card numbers from leaving the application unless specifically allowed on a certain page.
  • Auditing Credit Card Usage - The Enhanced Rule Set ensures that every use of a credit card by a user is logged. With the Enhanced Rule Set, ModSecurity logs the time of the transaction, the source IP, the complete request and response, and a user name if configured to do so. The actual credit card number is not logged and is replaced by asterisks according to PCI requirements.
  • Virus checking for uploaded files - One of the core PCI requirements is using anti-virus software to inspect all files which may be infected. In a web application those files are the files uploaded by users. The Enhanced Rule Set interfaces with anti-virus software that inspects all uploaded files for viruses. ModSecurity is the only web application firewall that includes this feature.
  • Detection of Web Trojans - In addition to viruses, PCI also requires detection of Trojans and other types of malicious software. The Enhanced Rule Set blocks attempts to upload web Trojans to a web server, use of Trojans that were already uploaded through an alternate route, and malicious software accessing the site.
  • OWASP Top 10 Protection - The Enhanced Rule Set was designed for web application security, incorporating in-depth expertise about web application design and potential vulnerability areas. ModSecurity with the Enhanced Rule Set has the best application-layer detection capabilities in the industry, providing unparalleled protection from OWASP Top 10 threats.

For each event reported, The Enhanced Rule Set adds a tag describing which OWASP top ten category and which Web Application Security Consortium Threat Classification the event relates to.
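The credit card leakage and auditing items above describe a response-side check: find card numbers in outbound content, block the response unless the page is explicitly allowed, and write only a masked number to the audit log. The following Python model, added here as an illustration and not Breach Security's or ModSecurity's own code, shows that logic end to end. It uses a Luhn checksum to confirm that a digit run is actually a card number (which is what ModSecurity's `@verifyCC` operator does conceptually; this reimplementation is an assumption, not the project's source), and masks all but the last four digits with asterisks before anything is logged. The sample response body and the `/checkout` allow-listed path are constructed for the example.

```python
import re

# Candidate card numbers: 13 to 16 digits, optionally separated by single
# spaces or dashes, bounded by word boundaries so longer digit runs are ignored.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_valid(number: str) -> bool:
    """True if the digits in `number` pass the Luhn checksum (13-16 digits)."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 16:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return each Luhn-valid candidate in `text`, in order of appearance.

    Note: a valid shorter number embedded inside a longer invalid digit run is
    not reported, because the regex consumes the longest candidate first.
    """
    return [m.group(0) for m in CARD_CANDIDATE.finditer(text) if luhn_valid(m.group(0))]


def mask_card_number(number: str) -> str:
    """Replace all but the last four digits with '*', keeping separators."""
    total_digits = sum(c.isdigit() for c in number)
    seen = 0
    out = []
    for c in number:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total_digits - 4 else "*")
        else:
            out.append(c)
    return "".join(out)


def sanitise(text: str) -> str:
    """Mask every Luhn-valid card number in `text`; leave other digit runs alone."""
    def repl(m):
        s = m.group(0)
        return mask_card_number(s) if luhn_valid(s) else s
    return CARD_CANDIDATE.sub(repl, text)


def inspect_response(path: str, body: str, allowed_paths=frozenset()) -> tuple:
    """Decide what happens to an outbound response.

    Returns (action, loggable_body): action is 'deny' when a card number would
    leave the application from a page that is not allow-listed, 'pass'
    otherwise. The second element is always safe to write to an audit log.
    """
    found = find_card_numbers(body)
    if not found:
        return "pass", body
    if path in allowed_paths:      # page explicitly allowed to show card data
        return "pass", sanitise(body)
    return "deny", sanitise(body)


if __name__ == "__main__":
    # Constructed sample: one Luhn-valid test number, one digit run that is not.
    sample = ("Order 42 confirmed for card 4111 1111 1111 1111, "
              "reference 1234 5678 9012 3456.")
    print(inspect_response("/orders/42", sample))
    print(inspect_response("/checkout", sample, frozenset({"/checkout"})))
```

The audit record written by the hypothetical sensor would contain the second tuple element, so the stored request/response pair never holds a full card number, which is the PCI behaviour the rule set description promises.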

Outlook Web Access (OWA) Protection

The Enhanced Rule Set offers specific protection for OWA web servers. This protection includes:

  • Positive security envelope for protecting OWA servers – such a positive security envelope ensures that users can access only permitted OWA functions and that each function can be used only according to its specification. A positive security envelope works by allowing only valid input and blocking everything else, and is considered the best protection mechanism for web applications. Such protection prevents exploitation of any vulnerability, including as yet unknown vulnerabilities, without requiring signature updates.
  • Blocking of successive login attempts – The Enhanced Rule Set ensures that the number of failed logins to an OWA server from one source is not more than a set number (5 by default). This ensures that an attacker cannot repeatedly try to log in to a user account by guessing different passwords.
  • Weak password detection – For each OWA login attempt, the Enhanced Rule Set checks whether the password used is strong enough. Most security regulations and policies require passwords to be strong. A simple password enables attackers to break into an account by attempting to log in repeatedly with many different simple passwords.
  • Usage audit – The Enhanced Rule Set monitors and records every successful and failed login to an OWA server. Such an audit trail is needed to comply with regulations such as PCI.
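The login-blocking and usage-audit items above amount to a per-source failed-login counter that expires after a window, plus a record of every attempt. The Python model below is an added example and not Breach Security's or ModSecurity's code; it mirrors the way a ModSecurity `ip` collection with `setvar`/`expirevar` would track the count (the sliding 300-second window, the `LoginGuard` name and the attempt sequence are assumptions constructed for the example). Time is passed in explicitly so the behaviour, including expiry, is deterministic.

```python
import time
from collections import defaultdict, deque


class LoginGuard:
    """Track failed logins per source address and block once a limit is reached.

    max_failures: failed attempts allowed from one source inside the window
                  (5, matching the page's stated default).
    window_seconds: how long a failure counts against the source (assumed 300).
    """

    def __init__(self, max_failures: int = 5, window_seconds: int = 300):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)   # source_ip -> timestamps of recent failures
        self.audit_log = []                   # every attempt: success, failure or blocked

    def _prune(self, ip: str, now: float) -> deque:
        """Drop failures older than the window; returns the live queue."""
        q = self._failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def failures(self, ip: str, now: float = None) -> int:
        """Number of failures from `ip` still counted against it."""
        now = time.time() if now is None else now
        return len(self._prune(ip, now))

    def attempt(self, ip: str, user: str, succeeded: bool, now: float = None) -> str:
        """Process one login attempt and return 'success', 'failure' or 'blocked'.

        A source that has already used up its allowance is blocked before the
        credentials are considered, so a correct password during lockout still
        does not get through; the lockout lifts only when the failures expire.
        """
        now = time.time() if now is None else now
        q = self._prune(ip, now)
        if len(q) >= self.max_failures:
            outcome = "blocked"
        elif succeeded:
            q.clear()                # a real login resets the counter
            outcome = "success"
        else:
            q.append(now)
            outcome = "failure"
        # Usage audit: record who tried, from where, when, and what happened.
        self.audit_log.append({"time": now, "source_ip": ip, "user": user, "outcome": outcome})
        return outcome


if __name__ == "__main__":
    guard = LoginGuard()
    t0 = 1000.0
    # Constructed sequence: five failures from one address, then further tries.
    for i in range(6):
        print(guard.attempt("203.0.113.10", "alice", False, now=t0 + i))
    print(guard.attempt("203.0.113.10", "alice", True, now=t0 + 6))    # still blocked
    print(guard.attempt("198.51.100.7", "bob", True, now=t0 + 6))      # other source unaffected
    print(guard.attempt("203.0.113.10", "alice", False, now=t0 + 400)) # window expired
    for record in guard.audit_log:
        print(record)
```

Keying the counter on the source address rather than the target account is what the page describes; a production deployment would usually pair it with a per-account counter as well, since a distributed guesser can spread attempts across many sources.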

Commercial Support

Breach Security’s Customer Care program provides world-class security wherever and whenever you need it. Our team has made a commitment of excellence to ensure your satisfaction with every aspect of our products. Utilizing the latest technical resources and many combined years of experience, our security support team promptly answers questions and resolves issues. The services organization is ready with packaged training programs, quick start implementation services and certification programs that enable an organization to maximize its resources with the confidence that ModSecurity is protecting their web applications from the first day of implementation.

ModSecurity Commercial Support includes:

  • 24x7 phone and email support.
  • Basic installation and deployment assistance.
  • Access to all ModSecurity system level updates.
  • Audit log analysis assistance.
  • Log debugging and updates for system-level bugs.
  • Assistance with updating to newer versions.
  • Enhanced Rule Set package.
  • Support packs (for groups of five web servers); volume discounts available for larger deployments.

ModSecurity Training

ModSecurity: Deployment and Management Training (1-day)

Overview

This one-day class is for those people who want to learn how to build and deploy a ModSecurity Web Application Firewall. We will also cover the open source ModSecurity Console, which helps manage alerts on suspicious web activity targeting your web servers. Hands-on labs with fully documented instructions help students deploy solid, secure ModSecurity installations and understand the inner workings of the premier open source web application firewall available today.

Target Audience

  • Web Server Administrators.
  • Web Security Administrators.
  • Security Consultants.
  • Anyone who is responsible for web application security.

Prerequisites

This course assumes that students have a technical understanding of the HTTP protocol and a general understanding of client/server communications and network architecture. Proficiency with Linux and UNIX text editing tools (the vi editor) is suggested but not required.

Course Topic Outline

  • Introduction to Web Application Firewalls
  • Overview of the Web Application Firewall Evaluation Criteria
  • Introduction to ModSecurity
  • ModSecurity architecture
  • ModSecurity deployment options
  • ModSecurity installation
  • ModSecurity configuration and operation
  • ModSecurity directives and features overview
  • ModSecurity rules primer
  • ModSecurity console deployment and usage

ModSecurity: Rules Writing Workshop (1-day)

Overview

This one-day class provides an in-depth look at ModSecurity rules and ModSecurity rules language syntax. ModSecurity is currently the most widely used open source web application firewall product. Learning how to take advantage of the power behind ModSecurity rules can help web security administrators write and configure highly effective rules. This class features extensive hands-on rules development and testing to reinforce the theoretical concepts that are presented.

Target Audience

  • Web Server Administrators
  • Web Security Administrators
  • Security Consultants
  • Anyone who is responsible for web application security

Prerequisites

In order to gain the most value from the course, students should be familiar with Perl Compatible Regular Expressions (PCRE). This course assumes that students have a technical understanding of the HTTP protocol. Proficiency with Linux and UNIX text editing tools (the vi editor) is suggested but not required.

Course Topic Outline

  • Introduction to ModSecurity’s Rule Language
  • Anatomy of a ModSecurity rule
  • Overview of PCRE
  • Variables
  • Transformation functions
  • Actions
  • Using advanced rule syntax with the “chain” action
  • Overview of the Core Rule set
  • Creating custom rules
  • Virtual Patching
  • Using initcol and setsid for stateful rules
  • Good rule writing practices
  • Testing rules
  • Tuning rules