1 <html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Introduction</title><link href="modsecurity-reference.css" rel="stylesheet" type="text/css"><meta content="DocBook XSL Stylesheets V1.69.1" name="generator"><link rel="start" href="index.html" title="ModSecurity® Reference
2 Manual"><link rel="up" href="index.html" title="ModSecurity® Reference
3 Manual"><link rel="prev" href="index.html" title="ModSecurity® Reference
4 Manual"><link rel="next" href="ar01s02.html" title="ModSecurity Core Rules™"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div style="background:#F5F5F5;width:100%;border-top:1px solid #DDDDDD;border-bottom:1px solid #DDDDDD"><table width="100%" cellspacing="0" cellpadding="0"><tr><td><a href="http://www.modsecurity.org"><img style="margin:4px" src="modsecurity.gif" width="120" height="36" alt="ModSecurity" border="0"></a></td><td align="right"><a href="http://www.breach.com"><img style="margin:6px" src="breach-logo-small.gif" height="36" width="100" border="0"></a></td></tr></table></div><div id="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">Introduction</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="index.html">Prev</a> </td><td align="center" width="60%"> <a accesskey="h" href="index.html">Home</a></td><td align="right" width="20%"> <a accesskey="n" href="ar01s02.html">Next</a></td></tr></table><hr size="1"></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="introduction"></a>Introduction</h2></div></div><div></div></div><p>ModSecurity is a web application firewall (WAF). With over 70% of
attacks now carried out at the web application layer, organisations need
6 all the help they can get in making their systems secure. WAFs are
7 deployed to establish an increased external security layer to detect
8 and/or prevent attacks before they reach web applications. ModSecurity
9 provides protection from a range of attacks against web applications and
10 allows for HTTP traffic monitoring and real-time analysis with little or
11 no changes to existing infrastructure.</p><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="N1001D"></a>HTTP Traffic Logging</h3></div></div><div></div></div><p>Web servers are typically well-equipped to log traffic in a form
useful for marketing analyses, but fall short when it comes to logging traffic to web
13 applications. In particular, most are not capable of logging the request
14 bodies. Your adversaries know this, and that is why most attacks are now
15 carried out via POST requests, rendering your systems blind. ModSecurity
16 makes full HTTP transaction logging possible, allowing complete requests
17 and responses to be logged. Its logging facilities also allow
18 fine-grained decisions to be made about exactly what is logged and when,
ensuring only the relevant data is recorded. Because certain request
and/or response fields may contain sensitive data,
ModSecurity can be configured to mask those fields before they are
22 written to the audit log.</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="N10022"></a>Real-Time Monitoring and Attack Detection</h3></div></div><div></div></div><p>In addition to providing logging facilities, ModSecurity can
23 monitor the HTTP traffic in real time in order to detect attacks. In
24 this case, ModSecurity operates as a web intrusion detection tool,
25 allowing you to react to suspicious events that take place at your web
26 systems.</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="N10027"></a>Attack Prevention and Just-in-time Patching</h3></div></div><div></div></div><p>ModSecurity can also act immediately to prevent attacks from
27 reaching your web applications. There are three commonly used
28 approaches:</p><div class="orderedlist"><ol type="1"><li><p>Negative security model. A negative security model monitors
29 requests for anomalies, unusual behaviour, and common web
application attacks. It keeps anomaly scores per request, IP
address, application session, and user account. Requests with
32 high anomaly scores are either logged or rejected altogether.</p></li><li><p>Positive security model. When a positive security model is
33 deployed, only requests that are known to be valid are accepted,
with everything else rejected. This model requires knowledge of the
35 web applications you are protecting. Therefore a positive security
36 model works best with applications that are heavily used but rarely
37 updated so that maintenance of the model is minimized.</p></li><li><p>Known weaknesses and vulnerabilities. Its rule language makes
38 ModSecurity an ideal external patching tool. External patching
(sometimes referred to as Virtual Patching) is about reducing the
window of opportunity: the time needed to patch application
vulnerabilities often runs to weeks in many organisations. With
ModSecurity, applications can be patched from the outside, without
touching the application source code (and even without any access to
it), protecting your systems until a proper patch is applied to
the application.</p></li></ol></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="N10038"></a>Flexible Rule Engine</h3></div></div><div></div></div><p>A flexible rule engine sits at the heart of ModSecurity. It
46 implements the ModSecurity Rule Language, which is a specialised
47 programming language designed to work with HTTP transaction data. The
48 ModSecurity Rule Language is designed to be easy to use, yet flexible:
49 common operations are simple while complex operations are possible.
50 Certified ModSecurity Rules, included with ModSecurity, contain a
51 comprehensive set of rules that implement general-purpose hardening,
52 protocol validation and detection of common web application security
53 issues. Heavily commented, these rules can be used as a learning
54 tool.</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="N1003D"></a>Embedded-mode Deployment</h3></div></div><div></div></div><p>ModSecurity is an embeddable web application firewall, which means
55 it can be deployed as part of your existing web server infrastructure
56 provided your web servers are Apache-based. This deployment method has
57 certain advantages:</p><div class="orderedlist"><ol type="1"><li><p>No changes to existing network. It only takes a few minutes to
58 add ModSecurity to your existing web servers. And because it was
59 designed to be completely passive by default, you are free to deploy
60 it incrementally and only use the features you need. It is equally
61 easy to remove or deactivate it if required.</p></li><li><p>No single point of failure. Unlike with network-based
62 deployments, you will not be introducing a new point of failure to
63 your system.</p></li><li><p>Implicit load balancing and scaling. Because it works embedded
64 in web servers, ModSecurity will automatically take advantage of the
65 additional load balancing and scalability features. You will not
66 need to think of load balancing and scaling unless your existing
67 system needs them.</p></li><li><p>Minimal overhead. Because it works from inside the web server
68 process there is no overhead for network communication and minimal
69 overhead in parsing and data exchange.</p></li><li><p>No problem with encrypted or compressed content. Many IDS
systems have difficulty analysing SSL traffic. This is not a
problem for ModSecurity because, running inside the web server, it inspects the
traffic after it has been decrypted and decompressed.</p></li></ol></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="N10054"></a>Network-based Deployment</h3></div></div><div></div></div><p>ModSecurity works equally well when deployed as part of an
73 Apache-based reverse proxy server, and many of our customers choose to
74 do so. In this scenario, one installation of ModSecurity can protect any
75 number of web servers (even the non-Apache ones).</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="N10059"></a>Portability</h3></div></div><div></div></div><p>ModSecurity is known to work well on a wide range of operating
76 systems. Our customers are successfully running it on Linux, Windows,
77 Solaris, FreeBSD, OpenBSD, NetBSD, AIX, Mac OS X, and HP-UX.</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="licensing"></a>Licensing</h3></div></div><div></div></div><p>ModSecurity is available under two licenses. Users can choose to
78 use the software under the terms of the GNU General Public License
version 2 (license text is included with the distribution), as an Open
80 Source / Free Software product. A range of commercial licenses is also
81 available, together with a range of commercial support contracts. For
82 more information on commercial licensing please contact Breach
83 Security.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>ModSecurity, mod_security, ModSecurity Pro, and ModSecurity Core
84 Rules are trademarks or registered trademarks of Breach Security,
85 Inc.</p></div></div></div><div id="navfooter"><hr size="1"><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="index.html">Prev</a> </td><td align="center" width="20%"> </td><td align="right" width="40%"> <a accesskey="n" href="ar01s02.html">Next</a></td></tr><tr><td valign="top" align="left" width="40%"><span class="trademark">ModSecurity</span>® Reference
86 Manual </td><td align="center" width="20%"><a accesskey="h" href="index.html">Home</a></td><td valign="top" align="right" width="40%"> <span class="trademark">ModSecurity Core Rules</span>™</td></tr></table></div><div align="center" class="copyright">Copyright (C) 2004-2009 <a href="http://www.breach.com">Breach Security</a></div></body></html>