Insight into Web Application Firewalls - Part 1

By balaji

August 19, 2009

This article sheds some light on some of the important concepts pertaining to Web Application Firewalls (WAF). It is the first of two articles in the series. In this first part we introduce WAF to our readers and look at the Mod_Security Apache module as an example of a WAF. We then discuss the implementation of the Mod_Security Apache module in detail, while configuring connectivity between the Apache Webserver and the Tomcat container, and finally look at the installation of the Mod_Security module on Apache.


The second article explains the WAF configuration rules to filter the HTTP traffic.

What is a Web Application Firewall (WAF)?

In simple terms, a Web Application Firewall (WAF) can be defined as an appliance, server module or filter that applies a set of rules to HTTP traffic. The rules include signatures to detect some of the common attacks, such as Cross Site Scripting (XSS), SQL Injection and Parameter Manipulation attacks.

A WAF is an intermediary device which sits in front of the Webserver and filters layer 7 (application-layer) traffic. A WAF can be a software or hardware appliance and can be installed in an environment with little or no infrastructural change. A WAF can provide protection to Webservers even if the Web application itself was not written with security in mind.

Why WAF?

Or even a better one: "Why do I need a WAF, when I already have IDS and IPS in place?" Well, the answer is quite obvious - IDS and IPS provide passive detection, but a WAF provides active detection and prevention. In the following sections, we will see how active detection and prevention can be achieved with Mod Security.

Mod Security

Mod Security is a WAF solution for Apache Webservers. Basically, Mod Security is a module for the Apache HTTP Server (note: not for Apache Tomcat) and it needs to be configured with the Apache HTTP Server. Mod Security provides the framework in which Web administrators can create rules to monitor and restrict HTTP traffic.

Steps to connect Apache with Tomcat

The Apache Webserver can serve only HTML or static Web pages; Tomcat should be used to run dynamic pages. There is little point in protecting an Apache HTTP server that doesn't host any dynamic pages.

There are some good techniques to connect the Apache HTTP server and the Tomcat server. The idea is to serve static pages on the Apache server and redirect JSP or Servlet requests to the Tomcat server. This already adds a layer of security by putting more than one server between Tomcat and the end user.

A DoS attack on the Website hits the Apache HTTP Server first.

Even if the Apache server goes down, it is easy to bring the Website back up, as the Apache server was only hosting static pages. Having the Apache server in front of the Tomcat server also helps in fine-tuning performance, as the two servers share the load.

The steps to connect Apache Webserver and Tomcat are listed below:

The JK connector (mod_jk) is used to connect Apache with Tomcat. It can be downloaded from the Apache site. Its main purpose is to serve JSP and servlet requests on port 80 without setting Tomcat itself to run on port 80. The connector thus acts as a conduit between the two.

Step 1: The downloaded mod_jk file must be put in the Apache2.2\modules folder and renamed to mod_jk.so.

Step 2: Edit httpd.conf located in Apache2.2\conf. This loads the JK connector at run time, using the following directives:

<IfModule !mod_jk.c>
# tells Apache to load the mod_jk module
LoadModule jk_module modules/mod_jk.so
</IfModule>

Step 3: Edit the Tomcat configuration file (server.xml) and add the following code just below

<Server port="8005" shutdown="SHUTDOWN" debug="0">

<Listener className="org.apache.jk.config.ApacheConfig"
    modJk="C:/Program Files/Apache Software Foundation/Apache2.2/modules/mod_jk.so" />

Next, look for the code below in the server.xml file:

<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"
    xmlValidation="false" xmlNamespaceAware="false" debug="0">

Once the above parameters are found, add the following code below it:

<Listener className="org.apache.jk.config.ApacheConfig"
    append="true" forwardAll="false"
    modJk="C:/Program Files/Apache Software Foundation/Apache2.2/modules/mod_jk.so" />

By adding the two listener elements to server.xml, we make Tomcat automatically generate the Apache configuration directives that mod_jk needs, so we don't have to write those directives by hand.

Step 4: After saving the changes made in server.xml, restart the Tomcat service. Then check for a file called mod_jk.conf in Tomcat 5.5\conf\auto.

Step 5: The Apache module uses the concept of a worker to send information to and receive information from Tomcat. Hence, we need to create a workers.properties file, which holds the location of the Tomcat server and the port to be used. We put this workers.properties file in Apache2.2\conf; accordingly, the path of the workers.properties file has to be specified in httpd.conf with the JkWorkersFile directive, as shown in the directives added to httpd.conf below.

Following lines have to be present in the workers.properties file.

worker.list=ajp13
worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13

These entries define a Tomcat worker named ajp13 that resides on the same host as the Apache server (localhost) and listens on port 8009 for a client using the ajp13 protocol. AJP13 is a packet-based protocol that allows a Webserver to communicate with the Tomcat JSP/servlet container over a TCP connection and has better support for SSL.

Step 6: Again edit the httpd.conf file located in Apache2.2\conf and replace the block entered in step 2 with the following:

<IfModule !mod_jk.c>
# tells Apache to load the mod_jk module
LoadModule jk_module modules/mod_jk.so
# tells Apache the location of the workers.properties file
JkWorkersFile "conf/workers.properties"
JkLogFile "logs/mod_jk.log"
JkLogLevel error
JkMount /jsp-examples ajp13
JkMount /jsp-examples/* ajp13
JkMount /Application ajp13
JkMount /Application/* ajp13
</IfModule>

The JkMount directive for /Application/* tells Apache that all requests under that path are to be rerouted to, and serviced by, the worker named ajp13. One can also specify patterns instead of * (all). For example, /Application/*.jsp forwards only requests for .jsp pages under /Application to the worker, while Apache serves everything else under that path itself.
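The following added example models steps 5 and 6 together: it parses the workers.properties lines and a set of JkMount directives, then decides for a given request URI whether it is handed to the ajp13 worker or stays with Apache. It is not part of the article or of mod_jk; the matching model (a `*` matches any run of characters, first matching JkMount wins, unmatched URIs are served by Apache from its DocumentRoot) is a simplification of mod_jk's behaviour and an assumption of this example, as are the function names. The JkMount lines use the narrower /Application/*.jsp pattern mentioned in the text so that the difference from /Application/* is visible.

```python
import re
from fnmatch import fnmatchcase

# Constructed copy of the workers.properties lines from the article.
WORKERS_PROPERTIES = """\
worker.list=ajp13
worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13
"""

# Constructed JkMount lines in the shape of step 6, but mounting only
# *.jsp under /Application instead of everything under it.
JKMOUNT_LINES = """\
JkMount /jsp-examples ajp13
JkMount /jsp-examples/* ajp13
JkMount /Application/*.jsp ajp13
"""


def parse_workers(text):
    """Return {worker_name: {key: value}} for every worker named in worker.list."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        props[key] = value
    names = [n.strip() for n in props.get("worker.list", "").split(",") if n.strip()]
    workers = {}
    for name in names:
        prefix = f"worker.{name}."
        workers[name] = {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}
    return workers


def parse_jkmounts(text):
    """Return [(uri_pattern, worker_name)] from JkMount directives, in file order."""
    mounts = []
    for line in text.splitlines():
        m = re.match(r"\s*JkMount\s+(\S+)\s+(\S+)", line)
        if m:
            mounts.append((m.group(1), m.group(2)))
    return mounts


def route(uri, mounts, workers):
    """Decide who serves a request URI: the named AJP worker, or Apache itself.

    Simplified model (assumption, not mod_jk's exact algorithm): '*' matches any
    run of characters including '/', the first matching JkMount wins, and a URI
    matched by no JkMount is served by Apache from its own DocumentRoot."""
    for pattern, worker in mounts:
        if worker not in workers:
            # A JkMount naming a worker absent from worker.list is a config error.
            raise ValueError(f"JkMount {pattern} refers to unknown worker {worker}")
        if fnmatchcase(uri, pattern):
            w = workers[worker]
            return f"{worker} -> ajp://{w['host']}:{w['port']}"
    return "apache (static DocumentRoot)"


if __name__ == "__main__":
    workers = parse_workers(WORKERS_PROPERTIES)
    mounts = parse_jkmounts(JKMOUNT_LINES)
    for uri in ("/index.html", "/jsp-examples/index.jsp",
                "/Application/login.jsp", "/Application/css/site.css"):
        print(uri, "->", route(uri, mounts, workers))
```

The last sample URI is the point of the narrower pattern: with /Application/*.jsp, a request for /Application/css/site.css never reaches Tomcat, so whatever Apache has under that path in its DocumentRoot is what gets served; with /Application/* the whole path would go to Tomcat. Whichever pattern is chosen, it decides which requests the WAF in front of Apache is the only line of defence for.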

The Tomcat server needs to be started first, followed by the Apache Webserver. The application should be hosted on the Tomcat server (which is running on port 80); requests are sent to Apache and then redirected to the Tomcat server.

Steps to Install ModSecurity

To install ModSecurity, create the .../apache2/modules/mod_security2 folder and copy mod_security2.so and libxml2.dll into it.

Add the following to the httpd.conf file:

LoadModule security2_module modules/mod_security2/mod_security2.so

This article covered WAFs, ModSecurity and the procedure to connect Apache with the Tomcat Webserver. In the next part of the series we shall discuss how to configure rules in ModSecurity to protect Webservers.

