4 reasons not to use mod_security

DevCentral > Weblogs > Lori MacVittie - Two Different Socks

4 reasons not to use mod_security

posted on Wednesday, July 23, 2008 5:53 AM

Apache is a great web server if for no other reason than it offers more flexibility through modules than just about any other web server. You can plug-in all sorts of modules to enhance the functionality of Apache.

But as I often say, just because you can doesn't mean you should.

One of the modules you can install is mod_security. If you aren't familiar with mod_security, essentially it's a "roll your own" web application firewall plug-in for the Apache web server.

Some of the security functions you can implement via mod_security are:

Simple filtering
Regular Expression based filtering
URL Encoding Validation
Unicode Encoding Validation
Auditing
Null byte attack prevention
Upload memory limits
Server identity masking
Built in Chroot support

Using mod_security you can also implement protocol security, which is an excellent idea for ensuring that holes in protocols aren't exploited. If you aren't sold on protocol security you should read up on the recent DNS vulnerability discovered by Dan Kaminsky - it's all about the protocol and has nothing to do with vulnerabilities introduced by implementation.

mod_security provides many options for validating URLs, URIs, and application data. You are, essentially, implementing a custom web application firewall using configuration directives.

If you're on this path then you probably agree that a web application firewall is a good thing, so why would I caution against using mod_security?

Well, there's four reasons, actually.

It runs on every web server. This is an additional load on the servers that can be easily offloaded for a more efficient architecture. The need for partial duplication of configuration files across multiple machines can also result in the introduction of errors or extraneous configuration that is unnecessary. Running mod_security on every web server decreases capacity to serve users and applications accordingly, which may require additional servers to scale to meet demand.
You have to become a security expert. You have to understand the attacks you are trying to stop in order to write a rule to prevent them. So either you become an expert or you trust a third-party to be the expert. The former takes time and that latter takes guts, as you're introducing unnecessary risk by trusting a third-party.
You have to become a protocol expert. In addition to understanding all the attacks you're trying to prevent, you must become an expert in the HTTP protocol. Part of providing web application security is to sanitize and enforce the HTTP protocol to ensure it isn't abused to create a hole where none previously appeared. You also have to become an expert in Apache configuration directives, and the specific directives used to configure mod_security.
The configuration must be done manually. Unless you're going to purchase a commercially supported version of mod_security, you're writing complex rules manually. You'll need to brush up on your regular expression skills if you're going to attempt this. Maintaining those rules is just as painful, as any update necessarily requires manual intervention.

Of course you could introduce an additional instance of Apache with mod_security installed that essentially proxies all requests through mod_security, thus providing a centralized security architecture, but at that point you've just introduced a huge bottleneck into your infrastructure. If you're already load-balancing multiple instances of a web site or application, then it's not likely that a single instance of Apache with mod_security is going to be able to handle the volume of requests without increasing downtime or degrading performance such that applications might as well be down because they're too painful to use.

Centralizing security can improve performance, reduce the potential avenues of risk through configuration error, and keeps your security up-to-date by providing easy access to updated signatures, patterns, and defenses against existing and emerging web application attacks. Some web application firewalls offer pre-configured templates for specific applications like Microsoft OWA, providing a simple configuration experience that belies the depth of security knowledge applied to protected the application. Web application firewalls can enable compliance with requirement 6.6 of PCI DSS.

And they're built to scale, which means the scenario in which mod_security is used as a reverse proxy to protect all web servers from harm but quickly becomes a bottleneck and impediment to performance doesn't happen with purpose-built web application firewalls.

If you're considering using mod_security then you already recognize the value of and need for a web application firewall. That's great. But consider carefully where you will deploy that web application firewall, because the decision will have an impact on the performance and availability of your site and applications.

Technorati Tags: MacVittie,F5,application security,security,web application firewall,http,internet,web,microsoft,apache,mod_security,Kaminsky,protocol security

Feedback

7/23/2008 7:10 AM
		"Running mod_security on every web server decreases capacity to serve users and applications accordingly, which may require additional servers to scale to meet demand." This is misleading a little. The true question is: which has a lower TOC? Is it mod_security and (maybe) more servers, or one or more dedicated appliance(s) from a vendor like F5? With appropriate configuration, mod_security can have little to no visible impact to the end-user, since it will add 2-5ms to request turnaround on dynamic content. Given that static content usually is the "bottleneck" on many typical web apps, the effect is hidden. There are no widespread benchmark, though. "The need for partial duplication of configuration files across multiple machines can also result in the introduction of errors or extraneous configuration that is unnecessary" Most sysadmins would use scripting to sync these settings across multiple servers. This warning would only apply to bad sysadmins, and the security risk they present goes well beyond mod_security configs... "You have to understand the attacks you are trying to stop in order to write a rule to prevent them." I would argue that a fundamental problem with current web apps is the fact that security is often shunted to people other than the ones building the application. So, in fact, developers have to understand attacks and code to mitigate them. The developers are the ones that should be accountable for any breach. "Web application firewalls - but not mod_security - can enable compliance with requirement 6.6 of PCI DSS." Kinda sorta correct. Requirement 6.6 delineates two options: 1) app code is provably reviewed by a security org, or 2) installing an application layer firewall. The first is a must that security begins with good code. If you follow that rule, rather than apply a "firewall bandaid" to your web app, then you are better off. The second does not stipulate that the application-layer firewall be a separate unit. Given that mod-security is an "application layer firewall", then IMO the above statement is incorrect. Overall, sounds like mod_security bashing more than valid competitive points.
anonymouse

7/23/2008 7:15 AM
		Not bashing at all. In fact, if you aren't into running a web app firewall and think mod_security is a good idea, then DO IT. Any security is better than no security, and mod_security can certainly be used to provide security. I'm just saying there are better options out there in terms of management, performance, and configuration, not that mod_security should never be used in any situation. "I would argue that a fundamental problem with current web apps is the fact that security is often shunted to people other than the ones building the application. So, in fact, developers have to understand attacks and code to mitigate them. The developers are the ones that should be accountable for any breach." I like this statement, and in a utopian IT department it might even work, but in the real world developers don't understand the attacks that might be launched against them. If they did, they would develop applications that were able to defend themselves, mitigating the need for any external web application security, a la mod_security or web application firewalls.
Lori MacVittie

7/23/2008 7:44 AM
		As a follow up, I also suggest reading through the recommended requirements for qualifying as an acceptable WAF solution for PCI DSS: PCI DSS 6.6 Clarification I do not believe Apache mod_security meets all of these guidelines.
Lori MacVittie

7/23/2008 10:31 AM
		On what basis? Generally, they define it as "...a security policy enforcement point positioned between a web application and the client end point. This functionality can be implemented in software or hardware..." So far, so good. Then, there's a laundry list of recommended capabilities. You say mod_security does not meet these guidelines. Which ones do you see mod_security failing?
anonymouse

7/23/2008 10:46 AM
		Hi, I am the original author of ModSecurity. I am sorry to see you resorting to attacking ModSecurity in this way. There is no doubt that using ModSecurity has its advantages and disadvantages, but they cannot be considered in isolation from the alternatives. Are you going to share with us your 4 reasons not to use an F5 product? 1. The scalability problem does not exist. In fact, it is a feature of ModSecurity that it scales _implicitly_ with your infrastructure. After the initial bundling of ModSecurity with the web server there is little to do, apart from maintain a single repository of rules. The rules are going to be pushed to all web servers at once, because they are managed along with the configuration of web servers. We have users who are deploying ModSecurity in hundreds of web servers, and they are _very_ happy. Not only would a centralised solution be very difficult to deploy with their infrastructures, but it would also introduce a layer of complexity they neither want nor need. A centralised solution would also cost them a lot (whereas ModSecurity is free unless you opt for support), and introduce a point of failure to the network. 2, 3, 4. I can't help but notice that your remaining reasons are actually the same thing. ModSecurity can be used with little security knowledge, similarly to other web application firewalls, assuming you are willing to accept the use of packaged security (through rule packages). We even provide a free Core Rules package to our users, with a comprehensive rule package available for a fee. There is no doubt that using ModSecurity on a low level can be difficult, but that is not a weakness of ModSecurity: difficult problems, which web application security issues are, cannot be addressed elegantly. A GUI page can be made to look nice, but abstractions are always simplifications that remove choices from users. To further clarify: wouldn't it be nice if we could have a WAF with just one setting: off (does nothing) and on (removes all attacks with zero false positives and zero false negatives)? It would, but it's not going to happen. The important difference is that ModSecurity can go the other way. Because it was built from the ground up to be configurable, it is very flexible and can generally do anything. This can hardly be said for other web application firewalls, which are largely black boxes to their users.
Ivan Ristic

7/23/2008 11:12 AM
		Hi Ivan, I'm sorry that you interpret this as an "attack" on mod_security. It isn't meant to be an "attack" on the module but merely reasons against choosing it over other solutions and points to consider in the process of deciding which WAF to invest in. I'm a bit confused because you seem to be referencing Breach's ModSecurity as opposed to Apache mod_security. I realize ModSecurity is based on mod_security, but it is also my understanding that it is a bit more polished than the core module. I am happy to hear people choosing any WAF over none, but that choice should be an informed one. Sharing your opinion here helps that process and presents different views so that people can do additional research and decide which WAF best fits their environment, architecture, budget, and skill sets, which is what such conversation starters are designed to do.
Lori MacVittie

7/23/2008 11:26 AM
		ModSecurity and mod_security are one and the same. I always use the former, because the latter is such an ugly name. (Yes, I know what you're thinking--I should have thought about that at the beginning. I wish I did.) Anyway, what is available for free is identical to what we (at Breach Security) are using in our commercial product (i.e. the reverse-proxy appliance). The differences are elsewhere, e.g. GUI, HA, transparent deployment, etc.
Ivan Ristic

7/23/2008 11:28 AM
		Uhm, that's all fine and dandy that F5 and Ivan are duking it out a little. But, Lori, you still haven't addressed the core question: how does mod_security (and not ModSecurity) fail to meet the technical recommendations on p.5-6 of the document you linked?
anonymouse

7/23/2008 1:05 PM
		@anonymouse At a minimum the following three recommendations do not appear to be met by mod_security. "Inspect web services messages, if web services are exposed to the public Internet. Typically this would include Simple Object Access Protocol (SOAP) and eXtensible Markup Language (XML), both document- and RPC-oriented models,in addition to HTTP." There does not appear (and Ivan can correct me if I'm wrong) to be a mechanism within mod_security for fully inspecting XML for the purposes of preventing attacks (which is the purpose of PCI DSS). Excessive nesting of elements, schema poisoning, etc...are nearly impossible to detect without the ability to parse XML and inspect it as a DOM, something that mod_security does not appear capable of providing. "Automatically receive and apply dynamic signature updates from a vendor or other source. In the absence of this capability, there should be procedures in place to ensure frequent update of WAF signatures or other configuration settings." For mod_security this support is completely absent. There does not appear to be any centralized method or procedures supported by The Apache Foundation to meet this requirement. I assume Breach has addressed this in their support model. "Some ecommerce applications may require FIPS hardware key store support. If this is a consideration in your environment, make sure that the WAF vendor supports this requirement in one of their systems and be aware that this feature may drastically increase the cost of the solution." Obviously if this is the case, then mod_security does not support this one. In the end, it is up to the PCI auditor to determine whether the environment is considered compliant or not, and whether the chosen WAF (if there is one) is acceptable. But given these requirements there are environments in which mod_security does not appear to fulfill the recommended guidelines for meeting PCI DSS compliance.
Lori MacVittie

7/24/2008 6:27 AM
		@Lori: Thanks for the response. 1. Web Services: mod_security does have basic ability to parse and validate XML, but I'm not "guru" enough on mod_security to comment beyond simple XML processing and the various attack methods. 2. Automatic Updates: Well, the PCI recommendation is far from being a strong one. Even given the lack of strong guidance, if you want to adhere to it, there are security vendors that will sell you support (ex: Prometheus Group) on mod_security. There are also free sources. At any rate, automatic or third-party updating is a double-edged sword, and sometimes a recipe for disaster. You can end up with tons of rules, many of which you don't need and affect performance. Or, lots of companies using "turn-key solutions" do turn-it-on-and-forget-it, i.e. no testing. This leaves one open to possible downtime because some rule in a recent automatic update ruined your web app. This can be true of mod_security or canned appliances. 3. FIPS Key Store: Not sure that's a common problem. But, I'll take your word on that one. All in all, I think there are minor reasons to go with an appliance vs. DIY (mod_security) but the differences are minor and are edge cases.
anonymouse

7/24/2008 7:48 AM
		@anonymouse The PCI DSS requirements are exceedingly ambiguous. In the one case (hardware key store) it specifically mentions that some applications may need it, but never mentions what those applications may be or what variables constitute needing a hardware key store. Pertaining to the XML, they do not say "if you're serving XML/SOAP you need this", you apparently just need it. It should read more like the requirement around hardware key stores - if you're doing XML, you need to protect it. If you aren't, then don't worry about it. I agree with the assessment that third-party updating can be a double-edged sword. The best option, IMO, is that the vendor offer it, but allow the customer to choose how they are applied, if they are applied at all. This fulfills the "auto update" requirement for PCI DSS but still leaves the customer in control of their own environment. PCI DSS is important to those organizations that fall under it, but for those that don't, it becomes a non-issue in the decision of which WAF to purchase, of course.
Lori MacVittie

7/24/2008 8:43 AM
		@Lori, None of your comments regarding PCI and ModSecurity are correct: 1. ModSecurity supports XML: we can parse and validate XML, and also use XPath to extract pieces of each request to address them individually (if you don't want to address them in bulk). That functionality is sufficient for what PCI desires. 2. Automatic updates: along with ModSecurity we distribute an auto-update tool, which checks rule repositories for changes, and downloads and optionally installs them. We are not using this mechanism for our free rules yet, but we will at some point in the future. In the meantime, our users are free to deploy this mechanism themselves. Also, the protocol itself is open, so any rule set manufacturer can use it. But, as you say, PCI is also fine with just having proper procedures, so this isn't really an issue in the first place. 3. FIPS 140 is a US government security standard, which applies to US government departments and agencies. If you fall into this category you must use FIPS. Either way, FIPS is not an issue for ModSecurity because we don't handle SSL. We don't need to: when embedded we act on content after decryption on the inbound and before encryption on the outbound. When deployed in proxy mode, FIPS is certainly an issue for US departments, but I expect they will use FIPS-compliant Apache web servers in that case. That works for us. If they really want to, they can compile their own proxies using Apache and a FIPS-compliant version of OpenSSL (which can be downloaded from the OpenSSL web site).
Ivan Ristić

7/24/2008 9:57 AM
		@Ivan, Thanks for the clarification. I stand corrected! I have edited the post to remove the incorrect interpretation. Again, thanks for clarifying - it is much appreciated. Lori
Lori MacVittie

7/27/2008 4:49 AM
		We're using a great software that deals with modsecurity problems mentioned above. The name of the software is dotDefender web application firewall. dotDefender can be installed both on IIS and Apache as well. All the protection comes out of the box with many security and protocols rules. Only the fine tuning can be done manually, the rest is automatically solved. http://www.applicure.com
Tom

10/27/2008 12:19 AM
		Mod_security is destroying the PHP world on the Web. Applications are failing left and right causing client after client of ours to panic. They aren't server experts. They don't understand how to turn off this horrible monstrosity ruining their scripting calls. Mod_security is so poorly programmed it is essentially MALWARE. Do NOT use Mod_security.
Sheila

11/18/2008 1:09 PM
		We've successfully deployed ModSecurity to about 700 shared hosting servers, protecting close to a 600,000 domains at our organization. By distributing the load between so many servers, there is a tradeoff of scalability (each machine take a miniscule, practically unmeasurable performance hit) vs. rule management (update rules across that many machines). We believe that each machine has to defend itself on as many layers as possible, in addition to the protection afforded it at higher levels (by, say an IDS appliance). In the end, the rule management was really effortless. Using puppet or a simple versioning system, we could deploy rules across the infrastructure with a simple script. To date, we have blocked millions upon millions of attacks against our users, while maintaining the flexibility to be able to disable mod_security on a user-by-user, directory-by-directory basis. F5 does make high quality products - but I can't fault ModSecurity based on the issues brought up in this article, or my extensive experience using it on the front lines.
Marcel Chastain

11/21/2008 8:54 AM
		To Sheila above: If I was your customer, I would have fired you if you simply installed a default installation of a web application firewall and told me that I was secure. What you have said above is absolutely ridiculous, and you (or your staff) obviously lack the ability to properly configure a WAF so that it protects your SPECIFC application. Don't be mislead into thinking that you can just buy something and that you're protected, nothing could be further from the truth. What you must do, regardless of what solution you choose, is CONFIGURE it to protect your specific application and usage pattern. The biggest part of a WEB is UNDERSTANDING WHAT THAT USAGE IS. You obviously didn't and your compromised the availability of your customer's applications as a result. And to the author of this article: Just as a GUI is not a substitute for security knowledge, convenience is not a substitute for implimenting a sound security solution.
Jeff

11/29/2009 12:56 PM
		[Linux] Blocking Your w00tw00ts with iptables - The UNIX and Linux Forums
Pingback/TrackBack

Leave Feedback

Title
Name
Email
Url
Comments
Remember Me? Enter the code shown above:
Please add 2 and 2 and type the answer here:

My Links

DevCentral Home
DevCentral Blogs
DevCentral Forums
My Blog
Contact Me
Syndication
Login

Blog Stats

Posts		617		Comments		1136
Stories		0		Trackbacks		328

	Tag Cloud
	acceleration application delivery application security architecture BIG-IP blog cloud cloud computing dynamic infrastructure F5 HTTP infrastructure INfrastructure 2.0 integration internet load balancing MacVittie optimization performance scalability security SOA virtualization web web 2.0 more tags...

Post Categories

		WILS
		General SOA
		SOA Delivery
		Randomness
		Web 2.0
		Security
		iRules
		iControl
		Development and General
		Monitoring/Management
		XML
		ISV Solutions
		Microsoft Solutions
		Performance
		Cloud Computing
		Virtualization

Archives

		February, 2010 (7)
		January, 2010 (17)
		December, 2009 (16)
		November, 2009 (20)
		October, 2009 (22)
		September, 2009 (21)
		August, 2009 (25)
		July, 2009 (18)
		June, 2009 (20)
		May, 2009 (20)
		April, 2009 (21)
		March, 2009 (23)
		February, 2009 (17)
		January, 2009 (19)
		December, 2008 (17)
		November, 2008 (18)
		October, 2008 (27)
		September, 2008 (32)
		August, 2008 (31)
		July, 2008 (30)
		June, 2008 (33)
		May, 2008 (30)
		April, 2008 (24)
		March, 2008 (5)
		February, 2008 (4)
		January, 2008 (8)
		December, 2007 (5)
		November, 2007 (6)
		October, 2007 (3)
		September, 2007 (5)
		August, 2007 (7)
		July, 2007 (7)
		June, 2007 (5)
		May, 2007 (11)
		April, 2007 (9)
		March, 2007 (7)
		February, 2007 (10)
		January, 2007 (5)
		December, 2006 (4)
		November, 2006 (8)

Application Delivery

		Infrastructure 2.0
		onizo#
		The Virtual ADC

Cloud Computing

Google Group: Cloud Computing

Random

Security

Rational Survivability

SOA

		Loosely Coupled
		Miko Matsumura's SOA Center
		SOA Enterprise Patterns

Copyright 1996 - 2007 F5 Networks, Inc. | Privacy Statement | Terms Of Use