
Secure and Optimize Your Web Applications

Expert Author Luke Babarinde

Given the rate at which we continue to see cyber attacks, it is obvious that there is still a wide gap in how security controls are implemented for web applications. I have been experimenting with a number of solutions to help me solve this problem, not only to secure but also to optimize HTTP requests to a web server.

Here is a use case that describes a problem I faced with a fan forum website when I was consulted to help improve its security and performance. The website is based on the vBulletin engine and runs under Linux, Apache, MySQL and PHP (LAMP).

Here goes...

Problem 1 - Security

The site had documented issues of persistent Denial of Service (DoS) attacks, especially SYN floods. Given the nature of the attack, implementing iptables was simply not enough: every couple of months the site would be down again. With limited resources, I had to implement a new set of controls that would go beyond the functions of a conventional firewall.

Problem 2 - Performance

The site had performance issues with a hook called Shoutbox, which allowed members to chat in real time using HTTP POST requests. This is usually fine until you have a high volume of users. At that point Shoutbox can cripple the CPU, as each request is passed to the database, back to the hard drive and then presented to the user.

Solution

Solution to Problem 1: Web Application Firewall - ModSecurity

A hybrid of a firewall and a protocol-aware application Intrusion Prevention System (IPS) is needed: a Web Application Firewall. The conventional firewall that sits at the perimeter with port 80 wide open to the world is no longer sufficient against attacks such as SQL Injection, Cross Site Scripting (XSS), Cross Site Request Forgery (XSRF) or HTTP DoS.

What could I get that is cost effective without compromising the objective of in-depth security controls that address all the forms of attack listed above? ModSecurity.

ModSecurity is a Web Application Firewall (WAF) from Trustwave SpiderLabs that filters both incoming and outgoing data and is able to stop malicious traffic using a set of predefined rules.

Conventional model

HTTP Request (Port 80 passes through firewall) --> Apache Server

Secure model

HTTP Request --> ModSecurity --> Apache Server

ModSecurity is extremely versatile and effective at adding an exceptional layer of security to web services. Not only does it provide application-level protection, it can help mitigate the effects of zero-day exploits that use unpatched modules or software as their attack vector. It is one of the recommended solutions for mitigating at least four of the OWASP Top 10 vulnerabilities.

ModSecurity rules to block Blind SQL Injection

# Blind SQL injection
# Stage 1: a cheap @pm keyword scan. If none of the keywords appears, the SecAction
# below fires and skipAfter jumps past the regex rules (to id 959007); if one does,
# skip:1 jumps over that SecAction and the regex rules are evaluated.
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm sys.user_triggers sys.user_objects @@spid msysaces instr sys.user_views sys.tab charindex sys.user_catalog constraint_type locate select msysobjects attnotnull sys.user_tables sys.user_tab_columns sys.user_constraints waitfor mysql.user sys.all_tables msysrelationships msyscolumns msysqueries" \
    "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,pass,nolog,skip:1"

SecAction phase:2,pass,nolog,skipAfter:959007

# Stage 2: the full regular expressions. The transformation chain (t:lowercase,
# t:replaceComments, ...) is applied to each variable before the pattern is tested,
# and the disruptive action (deny or pass) is inherited from SecDefaultAction, which
# is why none appears in the action strings below.
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|ascii|user))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql\.user)|c(?:onstraint_type|harindex)|attnotnull)\b|(?:locate|instr)\W+\()|@@spid\b)" \
    "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack',id:'950007',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"

# The article's copy of the last rule ends after its pattern. Its action string is
# reconstructed here to mirror the rule above; its id must be 959007, since that is
# the skipAfter target of the SecAction.
SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtype\W+\bchar|rownum)\b|t(?:able_name\b|extpos\W+\())" \
    "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack',id:'959007',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
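To see what this rule chain actually does to a request, here is an added Python model of it, written for this page; it is not ModSecurity's code. The keyword list, both regular expressions and the rule ids 950007 and 959007 are taken from the rules above. The transformation functions are simplified re-implementations of the ModSecurity transformations they are named after (urlDecodeUni, for instance, does not handle %uXXXX here), only ARGS values are inspected rather than the filename, argument names and headers, and the query strings it is run on are constructed samples.

```python
import html
import re
from urllib.parse import parse_qsl, unquote_plus

# Keyword list copied from the @pm prequalifier rule above. @pm is a case-insensitive
# substring match, which the lowercase transformation turns into a plain `in` test here.
PM_TOKENS = (
    "sys.user_triggers sys.user_objects @@spid msysaces instr sys.user_views sys.tab "
    "charindex sys.user_catalog constraint_type locate select msysobjects attnotnull "
    "sys.user_tables sys.user_tab_columns sys.user_constraints waitfor mysql.user "
    "sys.all_tables msysrelationships msyscolumns msysqueries"
).split()


# Simplified stand-ins (assumptions, not ModSecurity's code) for the transformation
# functions named in the rules.
def t_url_decode_uni(s):
    return unquote_plus(s)  # %XX and '+' only; the real function also decodes %uXXXX


def t_html_entity_decode(s):
    return html.unescape(s)


def t_lowercase(s):
    return s.lower()


def t_replace_comments(s):
    # Each /* ... */ becomes one space; an unterminated /* is replaced to end of input.
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    return re.sub(r"/\*.*\Z", " ", s, flags=re.S)


def t_compress_whitespace(s):
    return re.sub(r"\s+", " ", s)


# Chains exactly as the rules list them: only the prequalifier URL-decodes a second time.
PM_CHAIN = [t_url_decode_uni, t_html_entity_decode, t_lowercase,
            t_replace_comments, t_compress_whitespace]
REGEX_CHAIN = [t_html_entity_decode, t_lowercase, t_replace_comments, t_compress_whitespace]


def transform(value, chain):
    for fn in chain:
        value = fn(value)
    return value


# The two regular-expression rules from the page (their PCRE syntax is valid Python re).
REGEX_RULES = [
    ("950007", re.compile(
        r"(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))"
        r"|all_tables|tab)|elect\b.{0,40}\b(?:substring|ascii|user))|m(?:sys(?:(?:queri|ac)e|relationship"
        r"|column|object)s|ysql\.user)|c(?:onstraint_type|harindex)|attnotnull)\b|(?:locate|instr)\W+\()"
        r"|@@spid\b)")),
    ("959007", re.compile(
        r"\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)"
        r"|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)"
        r"|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)"
        r"|(?:dba|mb)_users|xtype\W+\bchar|rownum)\b|t(?:able_name\b|extpos\W+\())")),
]


def evaluate(query_string, regex_transforms=True):
    """Return (prequalified, [matching rule ids]) for the ARGS in a query string.

    Mirrors the chain's control flow: with no @pm keyword present the SecAction's
    skipAfter:959007 jumps past both regex rules; otherwise skip:1 jumps over that
    SecAction and the regex rules run. regex_transforms=False applies the patterns
    to the raw values, to show what the transformation chain buys.
    """
    # parse_qsl URL-decodes once, which is how ModSecurity presents ARGS.
    values = [v for _, v in parse_qsl(query_string, keep_blank_values=True)]
    pm_views = [transform(v, PM_CHAIN) for v in values]
    prequalified = any(tok in view for view in pm_views for tok in PM_TOKENS)
    if not prequalified:
        return False, []
    hits = []
    views = [transform(v, REGEX_CHAIN) if regex_transforms else v for v in values]
    for rule_id, pattern in REGEX_RULES:
        if any(pattern.search(view) for view in views):
            hits.append(rule_id)
    return True, hits


if __name__ == "__main__":
    # Constructed sample query strings: two benign, two resembling blind-SQLi probes.
    for qs in ("q=hello world",
               "q=please select your seat",
               "id=1 union select ascii(substring(user(),1,1))",
               "id=1 UNION SeLeCt/**/ASCII(user())"):
        print(f"{qs!r:52} -> {evaluate(qs)}")
    # The same probe against the untransformed value: mixed case and the comment hide it.
    print("regex_transforms=False ->",
          evaluate("id=1 UNION SeLeCt/**/ASCII(user())", regex_transforms=False))
```

The first query string carries none of the keywords, so the prequalifier returns False and the expensive regexes are never run; the second contains the keyword select but fits neither pattern, so it is not flagged; the third is flagged by both rules; and the fourth, mixed-case and split by a comment, is caught only because t:lowercase and t:replaceComments normalise it first, which the regex_transforms=False call makes visible.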

Solution to Problem 2: Web Application Accelerator - Varnish Cache

To resolve Problem 2, the performance issue, I deployed an HTTP optimization solution called Varnish Cache.

What is Varnish Cache? Varnish Cache is a web application accelerator that sits in front of an HTTP application server. It caches the content of the requests users make in volatile memory, which consequently speeds up each transaction. Varnish also integrates very well with ModSecurity to form a Web Application Firewall.

Conclusion

These two tools combined have greatly improved the security and performance of the web application server and, in turn, the availability of the services to users. While you need advanced knowledge of web attacks, understanding the syntax of both ModSecurity and Varnish Cache also requires careful planning and some familiarity with programming, as you have to configure all the rules manually. It is, however, worth noting that both ModSecurity and Varnish Cache are free under open source licenses.

Article Source: http://EzineArticles.com/?expert=Luke_Babarinde