Security at every level

The series

In the first of our web applications security blog series we discussed a secure process and why it’s crucial for any organisation. The second blog in the series looked at passive security. And in this third and final blog in the series we look at active security.

What is active security?

In a nutshell, active security in web applications could be described as a security system that changes its behaviour based on web traffic analysis over time. By implementing a feedback mechanism, such a security system can block an offender in the network firewall.

Introduction to active security systems

While passive security makes a web stack immune to attacks, an active security system acts in a way that no or very minimal malicious traffic reaches the web application itself. Having an active security system in place brings additional benefits to websites requiring frequent patching, by protecting a vulnerable web application (e.g. Drupal CMS) during the patch window.

Why an active security system is possible

An active security system can be highly efficient since the majority (if not all) web-based attacks and vulnerability exploits uses predefined, known patterns, even though they could target different and various vulnerabilities. The types of attacks could be classified and grouped, making it possible to apply filters — or implement security rules — that are successful against the different classes of attacks.

For example, a malicious file upload attempt may use vulnerabilities in PHP, the web server or the CMS itself — however, the ways to upload such a malicious file are limited and known. This makes it possible to identify and block such an attack at the level above the web application.

Similarly, SQL injection attacks use well-known patterns of submitting online forms and attempting to target web application vulnerabilities, such as the Drupal SA-CORE-2015-003  one. By implementing a security system with SQL injection protection rules, any malicious traffic can be identified and blocked at the network level, before it reaches the web application (even a vulnerable one).

Some statistics and why an active security system is a must have

An active security system is a must have for any web application, considering that the time-to-patch for vulnerabilities represents a window, during which vulnerable websites could be exploited.

According to Symantec’s Internet Security Threat Report (2016), “More than 75 percent of all legitimate websites have unpatched vulnerabilities. Fifteen percent of legitimate websites have vulnerabilities deemed ‘critical,’ which means it takes trivial effort for cybercriminals to gain access and manipulate these sites for their own purposes.”

In my experience of running a functional active security system, protecting web applications that run in isolation (shared hosting stack is harder to protect, but some of the techniques could still be used to improve the security), fairly old web applications were able to withstand various attacks — those targeting vulnerabilities in outdated CMSs — and stay clean over long periods of time. This gave the site owners time to work on upgrading their CMS or migrating their site over to a new, modern web application. For example, Drupal 6 (and even Drupal 5), Joomla 2.x and Wordpress 3.x websites have been running safe and free from data breaches until now.

Immediate benefits of active security systems

Here are a few benefits that a good active security system can offer:

• Attack chain disruption to prevent zero-day attacks

• Web application firewall

• Just-in-time patching system: automatic security rules to protect unpatched systems, and unpatched web applications

• Process monitoring watchdog to ensure critical and security services are always running

• Network-based intrusion prevention system

• Host-based intrusion prevention for event monitoring, file system integrity checking, and rootkit protection

• Effortless spam protection (spam content submission filtering)

• Hardening of PHP, its configuration, checks and server-level overrides for dangerous settings

• Vulnerability scanner, repair and elimination system

• Real-time malware protection, which scans files for malware on access

• Malware and virus uploader scanner

• Hardened secure kernel to protect against rootkits

• Self-learning least privilege role-based access control system

• Brute force attack detection and elimination

• General security hardening (unnecessary services, etc.) and monitoring

• False positive and false negative management

• Malicious bots blocking

• Vendor support and live updates

The main components of active security systems

Let’s review the three main components of active security systems.

1.HIDS — host intrusion detection (and prevention) system

A host intrusion detection system (HIDS) forms the main part of any security system.

According to OSSEC (a multi-platform, open source host-based intrusion detection system), HIDS is an intrusion detection system that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, centralised policy enforcement, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows.

2. Web application firewall

A web application firewall (WAF) forms the second main part of any security system. A WAF is a network filter that inspects all web traffic received by your websites. It detects and stops the vast majority of vulnerabilities exploitation attempts at the network or server level so that your website stays safe. A good WAF is a great way to improve the security of any web application. Despite having a good WAF, we still recommend applying the security patches for your web application to enable security at every level. Having a WAF in place gives you extra time to do the web application security patching at a time when it suits you, while protecting your website against the new web application vulnerabilities.

For example, the Symantec Internet Security Threat Report stated that the average time it took for organisations to patch their systems was 55 days, while a Whitehat Security Web Security Statistics Report documented that their customers’ time-to-fix average was 138 days to remediate SQL injection vulnerabilities found in their web applications. Now contrast this patching data with the fact that Symantec also reported that it only took an average of six days for exploit code to be released to the public and it becomes clear that traditional source code patching processes are not adequate. The virtual just-in-time patching provides an immediate solution to protect your web application while the official security patch is being applied.

Some web application firewall vendors offer real-time rules updates, zero-day protection and virtual just-in-time patching security rules.

A WAF processes web server logs to identify malicious traffic, it then uses a feedback mechanism to block the attackers in the firewall, preventing access to websites. A good log analysis software, such as OSSEC, is an example of how host-level intrusion detection can be implemented.

3. Secure kernel

In addition to a WAF, secure kernel offers built-in protection against multiple vulnerabilities, such as Shellshock (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187) without patching bash binaries. It offers chroot hardening, trusted path execution, and prevents direct userland access by the kernel and many other types of additional protection.

The secure kernel removes the means of executing dangerous commands at the kernel level so that, after the system is booted, no malicious code can run on your server.

The secure kernel has to be implemented at server-level and cannot be running by external network appliances.

Challenges with some active security systems

Not all active security systems are equal. They may have their own challenges and in-house knowledge (or a good support plan) to manage them. Some issues may be:

• Manual management of rules creates maintenance overhead

• False positives and false negatives management

• High licensing costs

• High operational costs

Types of active security systems

Two types of active security systems are a network appliance (external) and a suite of software packages.

Network appliance — external

The advantages of a network appliance (external) are:

• No server resource usage. The appliance runs in its own dedicated hardware and requires access to the datacentre. Some vendors offer a virtualised or containerised equivalent of their hardware-based appliances, which enables organisations to run them in public clouds such as AWS, Azure or Google.

• Offers central web-based console to manage the entire datacentre

The disadvantages are:

• High operational costs

• Upgrades may be difficult, require a support plan or in-house experience

• Lack of protection against many types of attacks requires additional software to run on the physical or virtual servers

• Limited effectiveness of intrusion prevention system

• A higher cost of SSL certificate management

• High onboarding and offboarding costs for web applications

Software suite

A suite of software packages that could reside on your server (or a cluster of servers) internally or externally, typically offered as middleware.

The advantages of a software suite are:

• Low operational costs

• Real-time WAF rules updates via the OS package manager

• Easy security rules management, via configuration files or a web-based console

• High effectiveness of intrusion prevention system

• Low cost of SSL certificate management (unless fully automated, in which case it’s extremely low)

• Most efficient system protection, including the secure kernel, PHP hardening and web application files registry.

The disadvantages are:

• Server (or cluster) resource usage. This is compensated, however, by reduced malicious traffic.

How to select the right security system for your organisation

The right active security system for your organisation may vary based on the use case, number of sites to manage, skillset and other factors. You need to consider the following, before approaching the market:

• How many websites do you need to protect?

• Are they co-hosted or isolated?

• Do you run them in physical servers, VPS or containers?

• Do you plan to manage the protection rules internally, or prefer the vendor to manage them for you?

• Do you host your web applications on-premise or in a cloud?

• What types of attacks do you require protection from?

Let me cover a few typical use cases and solutions to implement an active security system.

Hardware appliances

To protect thousands of websites, hardware appliances may be the best option. They feature dedicated hardware for high-performance traffic filtering and logging, but may require an in-house team to manage. Hardware appliances use the web-based interface to create and manage rules.

A few well known WAF appliances are:

• Citrix Netscaler WAF: https://www.citrix.com.au/products/citrix-web-app-firewall/

• F5 Networks WAF: https://www.f5.com/services/resources/glossary/web-application-firewall

Hardware appliances are complex to manage, compared to software-based security systems.

Cloud-based WAF

If you use a cloud provider to host web applications, a cloud-based WAF may be the right choice for you. Similar to the hardware appliances, it offers a web-based interface to create and manage rules. Management complexity and requirements are similar to the hardware appliances.

An example of a cloud-based WAF is:

• AWS WAF: https://aws.amazon.com/waf/

Managed WAF

A managed WAF is a good option for organisations looking to offload WAF managed tasks to the WAF creator/vendor. The main problem is that most of the managed WAF providers offer subscription-based levels of security, where you get as much security as you pay for. The highest subscription level usually offers the best value for money but could challenge the affordability of such security for some websites.

Some of the managed security providers are:

• CloudFlare: https://www.cloudflare.com/en-au/waf/

• Akamai: https://www.akamai.com/us/en/resources/waf.jsp

• Sucuri: https://sucuri.net/website-firewall/stop-website-attacks-and-hacks

Software security systems

Aka middleware, this type of security system usually offers the best value for money. Fixed license fee, and a per-server application may cover an unlimited number of sites running there. Some software security systems may be difficult to manage with a large number of VPS-isolated web applications. Usually, the software-based security systems offer more than just a WAF, including other types of security such as kernel rootkit protection, PHP hardening and shell protection.

Some examples of software-based security systems:

• ASL: https://www.atomicorp.com/atomic-secured-iot-kernel/ — a good all-in-one self-updating, self-healing, fully featured security system. Licensed per server, offers a Docker image. Easy to use and manage. Could be installed on a physical server, VPS or Kubernetes cluster.

• Comodo WAF: https://waf.comodo.com/ — free, but offers WAF only. Could be installed on a physical server or a VPS.

The real security is security at every level

The reality is, you need security at every level. By implementing the secure processes outlined in Part 1 of this blog series, combined with the best practices in passive security in web applications, outlined in Part 2, strengthened by a good active security system as reviewed in this blog, a very secure web application can be achieved. When setting up web application security, I always focus on all three levels to ensure the best possible security for clients’ websites.

Please note, that based on the value of some web applications to attackers, techniques and systems reviewed in this blog may require additional security implementation.