ModSecurity for IIS and Nginx launched at Black Hat
The ModSecurity web application firewall, traditionally tied to the Apache web server, has been ported to run with both Microsoft's IIS and the open source Nginx web servers. The port work, available in the release candidates of ModSecurity 2.7.0, is a result of work done by Trustwave SpiderLabs, Microsoft Security Resource Center and developer Alan Silva.
Currently, in order to run ModSecurity to filter incoming web traffic for a non-Apache server, a user would have to configure an Apache server running as a reverse proxy with ModSecurity. Ryan Barnett, a senior security researcher at Trustwave SpiderLabs, talking with The H from the Black Hat conference, explained that to make ModSecurity work on the other servers, the developers first created an abstraction layer which wraps how a web server processes requests and request bodies and how it should hand them over to another application like ModSecurity. With this layer in place, and ModSecurity running in its own container process, it was then possible to get a web server to pass its traffic through to ModSecurity's rules processing, allowing it to detect and defend against web threats such as injected content.
Barnett said that Trustwave's commercial interest in the project would allow it to supply virtual patches for rules, IP reputation and malware payload detection as a service to its customers, building on top of the open source base of ModSecurity. The company already has 1400 virtual patches for IIS/ASP/ASP.Net vulnerabilities. Also, where the company audits customers and finds web vulnerabilities in situations where the backend code cannot be modified to close the holes, it will now be able to use ModSecurity with appropriate rules, in many more scenarios, to filter incoming attempts to exploit the problems.
The code has already been heavily tested, but the developers want to test it on a wider range of systems, which is why it is currently still a release candidate. The full release should be only weeks away, says Barnett. He notes that one advantage of open source is that it allows the community to more easily and freely discuss security issues. With the port of ModSecurity done, the next project the SpiderLabs researchers are looking at is creating a Web Application Firewall servlet for embedding into Apache Tomcat and other Java-based web application servers – but that work is still in its early days.