RE: Apache mode_security

Subject: RE: Apache mode_security
Date: Wed, 30 Nov 2005 10:35:59 -0500


-----Original Message-----
From: Ivan Ristic [mailto:ivan.ristic@gmail.com]
Sent: Thursday, November 24, 2005 2:14 PM

...

Neither approach is good enough in real-life, when used on its own.
(Although there may be specific cases where they can work rather
well.) As you say, negative rules can often be bypassed. It is also
difficult to enumerate all the possible attacks. In theory, positive
security model is much safer, but there is a problem of how to create
a good-enough model. This is especially a problem if the application
you are trying to protect is constantly changing. I believe the
solution is somewhere in the middle.


I strongly agree with Ivan. Application protection is complex since
applications are complex and much more dynamic than networks. Some on
this list would even say that no real time security control can
effectively block application layer attacks. I think that it is
achievable (well, I make application firewalls for a living....), but it
does require sophisticated detection that mashes together both negative
and positive methods.

Signature detection has to go a step further than what I usually see out
there. Many of the signatures presented in articles closely detect
published attack vectors ('1=1', 'union select' and the like).
Application layer signatures must try to detect generic language
injection. I personally dig through manuals of different languages (not
just SQL) to try to predict what keywords / phrases might be used as
part of attacks. Signatures are also good mostly for injection, but fail
miserably on other attack types.

On the positive security side, static rules (such as RFC compliance),
behavioral analysis of traffic and building policy based on outbound
traffic should all be used; each one has deficiencies, but together they
can provide a lot: behavioral anomalies often do not equal attacks, and
analyzing outbound traffic is limited by the wide use of client side
code. 

On top of that you need to correlate between the different events, both
for a single request and over time, as many of the detection methods
detect anomalies rather than attacks. Only by aggregating the anomalies
one can detect attacks.

~ Ofer

Ofer Shezaf
CTO, Breach Security
Phone (US): +1 (760) 268.1924 ext. 702
Phone (Israel): +972 (9) 956.0036 ext.212
Cell: +972 (54) 443.1119
ofers@breach.com
http://www.breach.com
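Ofer's closing point, that most detection methods produce anomalies rather than verdicts and only aggregation per request and over time turns them into an attack decision, can be sketched as a small anomaly-scoring engine. This is an added example, not code from the thread, from Breach Security or from mod_security; the weak negative signatures, the positive model for the two hypothetical paths `/login` and `/search`, the client address and the thresholds are all constructed.

```python
import re
from collections import defaultdict

# Constructed negative signatures: generic language constructs, each a weighted weak signal.
NEGATIVE_SIGNATURES = [
    (re.compile(r"\bunion\b.*\bselect\b", re.I), 3, "sql-union"),
    (re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I), 3, "sql-tautology"),
    (re.compile(r"[;&|]"), 1, "shell-metachar"),
]

# Constructed positive model: per path, the allowed parameters with a type regex and max length.
POSITIVE_MODEL = {
    "/login": {"user": (r"^[a-z0-9_]+$", 32), "pass": (r"^.{1,64}$", 64)},
    "/search": {"q": (r"^[\w\s]+$", 100)},
}

def score_request(path, params):
    """Score one request: positive-model violations plus negative signature hits."""
    allowed = POSITIVE_MODEL.get(path)
    if allowed is None:
        return 5, ["unknown-path"]
    score, reasons = 0, []
    for name, value in params.items():
        spec = allowed.get(name)
        if spec is None:
            score += 2; reasons.append(f"unexpected-param:{name}")
        elif len(value) > spec[1] or not re.match(spec[0], value):
            score += 2; reasons.append(f"model-violation:{name}")
        for regex, weight, label in NEGATIVE_SIGNATURES:
            if regex.search(value):
                score += weight; reasons.append(f"{label}:{name}")
    return score, reasons

class Correlator:
    """Aggregate per-request scores per client over the last `window` requests."""
    def __init__(self, request_threshold=5, client_threshold=8, window=10):
        self.request_threshold, self.client_threshold = request_threshold, client_threshold
        self.window, self.history = window, defaultdict(list)
    def observe(self, client, path, params):
        score, reasons = score_request(path, params)
        hist = self.history[client]
        hist.append(score)
        del hist[:-self.window]  # keep only the sliding window of recent scores
        if score >= self.request_threshold:  # a single request that is clearly an attack
            return "block-request", score, reasons
        if sum(hist) >= self.client_threshold:  # many weak anomalies from one client add up
            return "block-client", score, reasons
        return "allow", score, reasons
```

A single `foo;bar` search scores only 3 and is allowed, but three of them from the same client cross the client threshold, which is the correlation step Ofer describes.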
