
A friend of mine gave a presentation on mod_security usage a few weeks ago to a group of users from the government. In his presentation he demonstrated how mod_security managed to prevent “blind SQL injection” attacks on an application running on a mod_security-enabled web engine. He even received thunderous applause from the audience once he concluded his presentation. However, one of the attendees asked a good question afterward.

“My friend said you do not need to install any WAF (web application firewall). All you need to do is fine-tune the firewall filtering policies and that’s it.”

Well, that view is not wrong. No sir, it’s not wrong at all. But then again, security is about minimizing the risk of being compromised. And it doesn’t matter how vigilant you are in following the security processes; eventually everything you have done will not be enough to prevent your asset from being compromised.

Let’s take a building (we will call it Building A) as an example. Most of the time (and in most buildings), the only place accessible to anybody is the lobby (and perhaps the toilet as well). When you try to go beyond the lobby, you usually need to register yourself at the registration table placed before the lift lobby. Usually you identify yourself by presenting your ID card, state your destination (and sometimes the purpose of your visit as well), receive a guest pass, and off you go to your destination.

Now, let’s say that is the only defensive measure the building has; the risk of the building’s tenants being compromised is high. Agree? OK, now we want to fine-tune the filtering process at the reception: let’s say everybody must be body-searched, or must provide other detailed information, or other checking methods are added. I believe the queue will be long and the time taken for any guest to proceed to their destination will definitely not be short. Hence, due to the hassle each guest has to face before proceeding with their tasks, they will decide against visiting that particular building in the future.

So now let’s create another example; we will call this one Building B. Besides the need to register at the reception, it is also equipped with doors that require an access pass. Every guest is issued an access pass only for the intended floor and office (some offices in a building even have their own lobby or reception). On top of that, your movement within the building is monitored by CCTV, and if you appear to be on the wrong floor or doing something funny, the friendly security guard will waste no time in coming to you and taking any action necessary. This means there are many security layers in this building, and we can assume the risk of the tenants being compromised is not as high as in the building that has only a reception table as its defensive measure (Building A). Agree?

Like I said before, neither of the security measures taken by Building A and Building B is wrong. But then again, security is about reducing the risk of being compromised. So, which kind of security measures do you want to implement?

The ones like Building A (only perimeter defense – firewall via reception) or Building B (firewall – reception, IDS – CCTV, host-based or WAF – doors that require an access card)?

That’s my opinion btw ;)

One Response to “Perimeter defense is not enough”

  1. on 29 Apr 2009 at 4:43 pm namesnaw

    aiya, as far as I know mod_security came after iptables patching (a non-standard feature), where you can deny any request that matches your iptables rules
    example

    iptables -A INPUT -m string --algo bm --string 'cmd.exe' -j DROP

    or even
    iptables -A INPUT -m string --algo bm --string 'concat' -j DROP

    but its limitation is.......

    figure it out yourself (borrowing Nabil's line)
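The limitation the comment leaves as an exercise, shown as an added example that is not part of the original post or comment: a small Python model of both layers, with constructed sample requests, reporting which ones an iptables-style per-segment string match flags versus an HTTP-aware (WAF-style) check that works on the reassembled, URL-decoded request. The keyword list, request samples and function names are assumptions made for the illustration.

```python
"""Why a packet-level string match is a weaker layer than an HTTP-aware check.

Added example (not from the original post). It models the two filtering layers
the comment contrasts: an iptables-style '-m string' match that sees one raw TCP
segment at a time, and a WAF-style check that sees the reassembled, URL-decoded
HTTP request. All sample traffic below is constructed for the illustration.
"""
from urllib.parse import unquote

# Keywords the comment's iptables rules match on (assumed list).
KEYWORDS = (b"cmd.exe", b"concat")


def packet_filter_hits(segments):
    """iptables-style check: each segment inspected on its own, bytes as-is.
    (It would also see nothing at all inside a TLS session.)"""
    return [kw for seg in segments for kw in KEYWORDS if kw in seg]


def waf_hits(segments):
    """WAF-style check: reassemble the stream, then decode before matching."""
    request = b"".join(segments)
    decoded = unquote(request.decode("latin-1")).lower().encode("latin-1")
    return [kw for kw in KEYWORDS if kw in decoded]


# Constructed sample traffic: the same GET request arriving three ways.
PLAIN = [b"GET /search?q=concat(a,b) HTTP/1.1\r\nHost: example.test\r\n\r\n"]
SPLIT = [b"GET /search?q=con", b"cat(a,b) HTTP/1.1\r\nHost: example.test\r\n\r\n"]
ENCODED = [b"GET /search?q=con%63at(a,b) HTTP/1.1\r\nHost: example.test\r\n\r\n"]


def coverage():
    """Return, per sample, (packet_filter_flagged, waf_flagged)."""
    samples = {"plain": PLAIN, "split": SPLIT, "encoded": ENCODED}
    return {name: (bool(packet_filter_hits(s)), bool(waf_hits(s)))
            for name, s in samples.items()}


if __name__ == "__main__":
    for name, (pkt, waf) in coverage().items():
        print(f"{name:8s} packet-filter={pkt!s:5s} waf={waf}")
```

Only the plain request is caught by the per-segment byte match; the segmented and the URL-encoded ones reach the application untouched unless a layer that reassembles and decodes HTTP sits behind the firewall.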
