A result of their acquisition of Thinkingstone in September of 2006, Breach Security's ModSecurity is an open source offering that provides targeted security for attacks on Web applications. Specifically, the software works in conjunction with the Apache Web server and offers the ability to monitor Web traffic to and from the server for various types of security breaches, including information leaks, malicious activities, PCI DSS compliance, OWASP Top 10 vulnerabilities, and more. Breach Security continues to support the open source version of ModSecurity, while additionally offering an appliance-based version of the firewall as well as a management appliance with the ability to aggregate data from multiple firewalls (be they open source of appliance-based).

ModSecurity is designed to be embedded within and protect the Apache Web server; however, it is also capable of Apache-based reverse-proxy deployments, in which case it is deployed in front of a server farm and provides protection by monitoring traffic to and from the farm in general. In this scenario, the individual Web servers of the farm needn't all be Apache based; and indeed, Breach Security notes that the included rule sets of their ModSecurity appliances (which are deployed as transparent bridges or reverse proxies in front of the farm) include platform-specific protection for IIS, PHP, ASP, ASP.NET, and other environments. Integration with the open source ClamAV product provides additional anti-virus protection for file uploads through the servers.

ModSecurity boasts multiple protective features for Web applications, including extended HTTP Traffic Logging (including the contents of POST requests), real-time HTTP traffic inspection for potential attacks, and the ability to apply "Just in time" patching for known vulnerabilities--recognizing known attacks and/or exploits and modifying HTTP traffic to avoid those exploits until the back end servers themselves can be properly patched. Both Negative (monitoring for suspicious and/or anomalous behavior) and Positive (accepting only valid requests and rejecting all others) security models are supported.

A key feature of the ModSecurity platform is its support for rules-based processing, including a defined rule-language and engine that enable rule programming for analysis of HTTP transaction data. The vendor offers pre-packaged rule sets to deal with multiple compliance-related and targeted vulnerabilities; rules can be activated as needed on a per-Web-application basis.

The appliance version of the product is the ModSecurity Pro M1100, which includes the ModSecurity software running over a hardened Linux OS. Features include Web-based alerting, analysis, and reporting; and optional support for HA configurations where dual M1100's can be deployed such that the second device can take over should the primary device fail. For single appliance deployments, an embedded bypass card enables traffic to continue flowing (albeit unprotected) to the servers if the appliance itself should fail (fail-open protection).

Also available from the vendor is the ModSecurity Management Appliance, with the ability to monitor and manage multiple (up to 50) ModSecurity deployments--both open source or appliance-based--with aggregated auditing, reporting, event analysis, etc.

The ModSecurity Product line is available now; the ModSecurity Pro M1100 is priced at $12,995.

Contact Breach Security for further information.

product submission by EITPlanet Staff

E-Mail this page to a colleague
send info about ModSecurity

Suggest a link
for the ModSecurity fact sheet