There are two main open-source web firewalls: ModSecurity and IronBee. Ivan Ristic has been involved in both. He first started work on ModSecurity some ten years ago and was soon joined by Ryan Barnett. There was an early decision to create a server plug-in, and they chose Apache, the most widely used web server at the time. The idea was that Apache would do all of the heavy lifting, while ModSecurity could just concentrate on the detection.
A few years later the rights to ModSecurity were acquired by Breach Security. Ristic had moved on, but Barnett stayed with the project. A few years after that, Breach Security and Ryan Barnett were acquired by Trustwave. ModSecurity remains free and open source, but the project is now managed by Trustwave.
More specifically, it remains managed by Barnett who now heads the Trustwave SpiderLabs web server security team (better known as the WAF team – web app firewall). Meanwhile, Ristic started to develop an alternative to ModSecurity: IronBee with initial support from Qualys. This time he took a different approach, looking for portability rather than an Apache module. The idea here is that IronBee can be incorporated into any third-party product.
Today, however, Ryan Barnett (supported by Greg Wroblewski from the Microsoft Security Response Center) will be announcing a major enhancement to ModSecurity at Black Hat: it now supports Apache, Microsoft IIS and Nginx. Statistically, this means that ModSecurity is suitable for about 86% of all web servers.
Barnett told Infosecurity that like IronBee, he didn’t want to be tied into a single web server. But rather than redesign from the ground up as with IronBee, he has succeeded in porting the code to IIS and Nginx. “Now we can plug directly into IIS” he explained. “Previously this had to be achieved by putting an Apache reverse proxy in front of IIS – and not all organizations could change their architecture to do this. Now we can embed directly into the IIS server – and Nginx – and protect the users.
“That’s the main news,” he continued. “But in our talk on Wednesday afternoon, what we really want to show is the ‘use case’ – what is this really good for.” It turns out that it is particularly good for virtual patching. Patching in general is essential but problematic – and during the period before a patch becomes available, an unpatched vulnerability is effectively a zero-day even when it is publicly known. This is the period in which a web server is most exposed. Microsoft, as we know, releases its patches once every month on the ‘second Tuesday’. But its MAPP (Microsoft Active Protections Program) gives certain security vendors such as Trustwave early knowledge about the patches. This is where ModSecurity excels. The vulnerability remains in the underlying code until it is patched, but a virtual patch at the firewall level is a quick and easy interim measure: the vulnerability is still there, but the exploit can’t reach it.
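As an added illustration of what a virtual patch looks like in practice (this is example configuration written for this page, not a rule from the article, from Trustwave, or from the ModSecurity project, and it refers to no real vulnerability), the following ModSecurity 2.x rule set applies a positive-security check to a hypothetical endpoint `/app/example_endpoint` whose `id` parameter the application is assumed to treat as a numeric record identifier. Until the application itself is patched, the firewall rejects any request to that endpoint in which `id` is missing or is not a short decimal integer, so malformed input never reaches the vulnerable code. The rule id range, endpoint path and parameter name are assumptions chosen for the example.

```apache
# Added example: virtual patch for a hypothetical endpoint, not from the article
# or the ModSecurity project. Rule ids 1000001-1000002 are placeholders.
SecRuleEngine On

# Rule 1: requests to the affected endpoint must carry exactly one 'id' argument.
# '&ARGS:id' counts the occurrences of the parameter; anything but 1 is denied.
SecRule REQUEST_URI "@beginsWith /app/example_endpoint" \
    "id:1000001,phase:2,deny,status:403,log,\
    msg:'Virtual patch: id parameter missing or repeated',chain"
    SecRule &ARGS:id "!@eq 1" "t:none"

# Rule 2: the 'id' value must be a decimal integer of at most 10 digits.
# Positive security: anything outside the expected shape is rejected before
# it reaches the application, whatever the underlying bug turns out to be.
SecRule REQUEST_URI "@beginsWith /app/example_endpoint" \
    "id:1000002,phase:2,deny,status:403,log,\
    msg:'Virtual patch: non-numeric id parameter',chain"
    SecRule ARGS:id "!@rx ^[0-9]{1,10}$" "t:none"
```

Both rules run in phase 2 (request body processed) so they see parameters in the query string and in POST bodies alike, and both are chained: the disruptive `deny` on the first rule of each chain fires only when every link matches. Because the check describes what valid input must look like rather than what a particular exploit looks like, the same virtual patch holds across exploit variants, which is the property that makes this approach useful in the window between MAPP notification and the vendor fix. Once the real patch is deployed, the rules can be retired by removing them or by setting `SecRuleRemoveById 1000001 1000002` in a later configuration section.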
Barnett and Microsoft’s Wroblewski will be explaining this in more detail in a Black Hat talk on Wednesday afternoon, and will be demonstrating the process at Black Hat’s Arsenal Tools on Wednesday and Thursday.