LAS VEGAS. For the last decade, Apache web server users have been able to benefit from the open source ModSecurity Web Application Firewall (WAF). At the Black Hat security conference this week, ModSecurity developers will for the first time make their WAF available for the Microsoft IIS web server as well as the nginx open source web server.
A WAF is a critical piece of Internet security infrastructure that helps to filter inbound requests to applications, providing a firewall for application vulnerabilities. Ryan Barnett, security researcher at Trustwave, the leading commercial sponsor behind ModSecurity, is set to formally release the new versions of ModSecurity in a “Turbo Talk” at Black Hat.
In an interview with eSecurity Planet, Barnett explained that a decade ago when ModSecurity was first being built, Apache was the most popular web server and that’s why it was chosen as the initial platform. Fast forward to today, and Apache is still the most popular web server in the world, but it is now facing increasing competition from both Microsoft IIS and nginx. He noted that Apache holds roughly 60 percent of the web server market now, meaning that ModSecurity was leaving 40 percent unserved.
The effort to bring ModSecurity over to Microsoft IIS in particular was not one that Trustwave and the open source community embarked on alone. Barnett said that they first had to get the support of the Microsoft Security Response Center (MSRC). Trustwave had already been a partner of the MSRC by way of the MAPP (Microsoft Active Protections Program), which provides partners with advance data on Patch Tuesday vulnerabilities in an effort to enable faster patching.
With commercial rules that Trustwave sells for ModSecurity, the company provides “virtual patching” for Microsoft application vulnerabilities. In that way, enterprises that are not able to patch their applications immediately can get a virtual patch deployed on their WAF that insulates them from the vulnerability.
Even though Microsoft IIS is not an open source web server, Barnett stressed that ModSecurity for IIS is open source and remains licensed under the open source Apache v2.0 license. The source code for the new release is set to be freely available as of Wednesday on the Sourceforge open source code repository.
While ModSecurity itself remains open source, Trustwave as a commercial entity continues to sell commercial rules for the product. The commercial rules supplement the core open source ruleset, which provides generic protections for application vulnerabilities.
Barnett admitted that the downside of the generic open source ModSecurity rules is that they can generate false positives. The way to get around that is with additional tuning of the system over time.
“From a WAF perspective, a lot of people get tied up in trying to totally eradicate different types of attacks,” Barnett said. “But really what your end goal should be with a WAF is to reduce the attack surface.”
Barnett added that a WAF doesn’t always have the full code context of a given application and there are certain types of attack vectors that can be missed. That said, he noted that ModSecurity does provide a solid defense and will help to reduce risk.
At Black Hat this week, Qualys security researcher Ivan Ristić is speaking in a session where he will be poking holes in WAF technology, with the general theme being that they aren’t as secure as people think. While Barnett says he respects Ristić’s view, he doesn’t necessarily agree that WAF technology is insecure.
Barnett noted that in 2011, there was a SQL Injection challenge with ModSecurity where researchers were asked to try to evade the WAF. In the final result, nine different people found evasions, but it took a minimum of 10 hours for those evasions to be discovered.
“Any technology has issues and Ivan’s main issue is the issue of impedance mismatch,” Barnett said.
Barnett explained that impedance mismatch occurs when security technology analyzes, normalizes, and parses data differently from the way the destination system does. When there is an impedance mismatch, there is the risk of evasion.
“It is a problem that needs to be dealt with,” Barnett said. “That’s why it helps to have ModSecurity directly embedded in Microsoft IIS for example, so you won’t have as many issues.”
That said, he noted that testing for evasions is critically important to help continually make ModSecurity more secure and to help users understand any potential limitations.
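One instance of the impedance mismatch described above, as an added example that is not from the article or the ModSecurity project: when a parameter name repeats in a query string, an inspector and the destination system may each settle on a different value. The three duplicate-handling policies and the sample query strings are constructed assumptions; the check flags parameters whose value depends on the policy, so the request can be rejected or every candidate value inspected.

```python
from urllib.parse import unquote_plus

# Hypothetical duplicate-parameter policies. Which one a given inspector or
# back end actually applies is an assumption to confirm by testing it.
POLICIES = {
    "first": lambda vals: vals[0],
    "last": lambda vals: vals[-1],
    "joined": lambda vals: ",".join(vals),
}

def parse_pairs(query):
    """Split a raw query string into decoded (name, value) pairs, in order."""
    pairs = []
    for field in query.split("&"):
        if not field:
            continue
        name, _, value = field.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs

def interpretations(query):
    """Return {policy: {param: value}} for each duplicate-handling policy."""
    grouped = {}
    for name, value in parse_pairs(query):
        grouped.setdefault(name, []).append(value)
    return {p: {n: pick(v) for n, v in grouped.items()}
            for p, pick in POLICIES.items()}

def ambiguous_params(query):
    """Names whose value depends on the policy, i.e. where the inspector
    and the destination system may disagree about what was sent."""
    views = interpretations(query)
    names = views["first"].keys()
    return sorted(n for n in names
                  if len({views[p][n] for p in POLICIES}) > 1)

def values_to_inspect(query):
    """Every value any policy could hand to the application."""
    views = interpretations(query)
    return sorted({v for view in views.values() for v in view.values()})

# Constructed sample requests (not from the article).
SAMPLES = ["id=7&sort=asc", "id=7&id=8&sort=asc", "id=7&id=7"]

if __name__ == "__main__":
    for q in SAMPLES:
        print(q, "->", ambiguous_params(q) or "consistent")
```

Running inspection rules over `values_to_inspect()` rather than over a single parsed view removes the dependence on guessing the destination's policy correctly.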
Barnett is speaking in a Turbo Talk on Wednesday and is also demoing the new ModSecurity for IIS during the Black Hat Arsenal tools demonstration. Code is set to be publicly available on Wednesday as well.