August 13, 2009

WAF blacklist rules - an idea to follow?

By: Michael Stucki on behalf of the TYPO3 Security Team

The TYPO3 Security Team intends to provide WAF blacklist rules to protect against known vulnerabilities in TYPO3 Core and TYPO3 third-party extensions.


In the past, we've seen that TYPO3 hosters or TYPO3 agencies are not able to react to TYPO3 security bulletins as quickly as necessary. Either they leave customers alone with the need to patch themselves, or they instantly upgrade their customers' installations at the risk that something breaks afterwards.

In 2007, TYPO3 Security Team member Lars E. D. Jensen came up with the idea of providing Web Application Firewall (WAF) rules using ModSecurity. ModSecurity is an open-source Web Application Firewall that operates as an Apache web server module. It filters and logs requests based on configured rules; if a request carries a malicious payload, processing can be stopped before the request reaches the application.

ModSecurity is certainly not the only available open-source Web Application Firewall. More recently, PHPIDS has gained a growing user base and also allows blacklists to be configured.

Unfortunately, this TYPO3 project hasn't attracted much attention. We would now like to revive it and hereby present our ideas, which we believe will help keep TYPO3 installations protected against exploits.

The TYPO3 Security Team might provide WAF blacklist rules which address exactly those vulnerabilities that have been fixed with security updates and published in the form of a TYPO3 bulletin. Of course, this would mainly be interesting for companies (hosters, agencies) that maintain lots of TYPO3 installations.
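As an added illustration (this is not code from the TYPO3 Security Team, from ModSecurity or from PHPIDS), the following Python sketch shows the mechanism such a bulletin-tied blacklist ruleset relies on: each rule names the bulletin it virtually patches, inspects one request parameter under a given path, and either logs the match or blocks the request before the application sees it. The paths, parameter names, bulletin references and payload patterns are constructed placeholders, not taken from any real TYPO3 advisory.

```python
import logging
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("waf")


@dataclass
class Rule:
    """One blacklist rule, tied to the (hypothetical) bulletin it virtually patches."""
    rule_id: str          # constructed identifier, not a real TYPO3 rule id
    bulletin: str         # placeholder bulletin reference
    path_prefix: str      # only requests under this path are inspected
    param: str            # query/form parameter the rule inspects
    pattern: re.Pattern   # payload shape that the patched code would reject
    action: str = "deny"  # "deny" blocks; "log" only records (ModSecurity-style)


@dataclass
class Request:
    method: str
    url: str

    @property
    def path(self) -> str:
        return urlparse(self.url).path

    def args(self) -> Dict[str, List[str]]:
        # parse_qs URL-decodes values, so rules see the decoded payload
        return parse_qs(urlparse(self.url).query, keep_blank_values=True)


@dataclass
class Verdict:
    allowed: bool
    matched: List[str] = field(default_factory=list)


def evaluate(req: Request, rules: List[Rule]) -> Verdict:
    """Run every rule against the request and stop at the first 'deny' match.

    Every match is logged, so a new rule can be rolled out in 'log' mode,
    watched for false positives, and only then switched to 'deny'.
    """
    verdict = Verdict(allowed=True)
    args = req.args()
    for rule in rules:
        if not req.path.startswith(rule.path_prefix):
            continue
        for value in args.get(rule.param, []):
            if rule.pattern.search(value):
                verdict.matched.append(rule.rule_id)
                log.warning("rule %s (%s) matched %s %s param=%s",
                            rule.rule_id, rule.bulletin, req.method, req.path, rule.param)
                if rule.action == "deny":
                    verdict.allowed = False
                    return verdict  # stop further processing of the request
                break  # one match per rule is enough; try the next rule
    return verdict


# Constructed sample ruleset: paths, parameters and patterns are placeholders.
RULES = [
    # a page id must be numeric; anything else is handed to the log and blocked
    Rule("EXAMPLE-001", "PLACEHOLDER-BULLETIN-A", "/index.php", "id",
         re.compile(r"[^0-9]"), "deny"),
    # directory-traversal shapes in a file parameter of a backend path
    Rule("EXAMPLE-002", "PLACEHOLDER-BULLETIN-B", "/typo3/", "file",
         re.compile(r"\.\.[/\\]"), "deny"),
    # a freshly written rule, deployed in log-only mode first
    Rule("EXAMPLE-003", "PLACEHOLDER-BULLETIN-C", "/index.php", "q",
         re.compile(r"<\s*script", re.IGNORECASE), "log"),
]

if __name__ == "__main__":
    # constructed sample traffic
    for url in ("/index.php?id=42", "/index.php?id=42abc",
                "/typo3/mod.php?file=../../secret.txt", "/index.php?q=%3Cscript%3E"):
        v = evaluate(Request("GET", url), RULES)
        print(url, "->", "allowed" if v.allowed else "blocked", v.matched)
```

The `log`/`deny` split mirrors the way ModSecurity rules are usually introduced: a rule for a fresh bulletin is first shipped as log-only, the hits are reviewed against real traffic, and only then is it promoted to blocking. That staging step is what makes a subscription ruleset usable on installations the rule author has never seen.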

However, providing such WAF rules creates an additional workflow. In addition to the issue handling and publishing process, the TYPO3 Security Team would need to create and test these rules. This would only be possible if the rulesets were published on a subscription basis (such as a monthly fee).

As of now, we are unsure which Web Application Firewall needs to be supported to cover the majority of TYPO3 installations. So far, ModSecurity and PHPIDS have come to mind.

Now it's your turn. We are curious to hear your opinions.

  • Are you generally interested in this WAF project?
  • Are you willing to spend money on it?
  • What's your favourite subscription method? (payments per timeframe, per TYPO3 bulletin, per deployed WAFs)
  • What Web Application Firewall would you like us to support?

Your comments are welcome! Comment either below this posting, use the WAF project mailing list or send us an email to security(at)typo3.org!

Thank you in advance,
your TYPO3 Security Team.


comments

comment #1
Fabien Udriot, August 14, 2009 10:13
ModSecurity? PHPIDS?

Which solution offers the best ratio in terms of performance / ease of installation / ease of maintenance / efficiency? It would be interesting to get some info about that (and summarize the data in the form of a matrix?).

There is a discussion about PHPIDS performance here: http://tr.im/wnN4

> Are you generally interested in this WAF project?
> Are you willing to spend money on it?
I think yes. When it concerns security, customers are (almost) always ready to spend money if they can feel the benefit. In our case, it will be possible to spread out the money among our clients.

Xavier Perseguers held a talk about the topic at the Swiss TUG. He presented an implementation of mod_security and Suhosin with TYPO3.

Here is the direct link to the presentation: http://gallery.eventserver.ch/p00152/player.php?movie=22

comment #2
Patrick, August 17, 2009 23:08
At first, "ease of installation" and "installation universality" tend to point to PHPIDS, since it's not bound to Apache.

Putting effort into mod_security means: no Windows/IIS, no Nginx, no Lighttpd.

Then come two questions:
1. How is performance affected (PHPIDS/modsecurity)?
2. Are the efforts the same for initial coding AND maintenance?

Once those 3 points are known, a clear decision can be made.

Why was this not asked on the DEV list?

Patrick
