mod-security-users

[mod-security-users] Positive Security Model

[Alexx A. <zm...@ya...>]

My question is addressed to the author of the
mod_security. Some time ago I read in your blog, that
your are intrested in idea of including positive
security model ito your mod_security module. Are you
going to implement this somewhen? OR, perhaps, it's
already implemented? 
I'm rather intrested of positive security model and
I'd like to clarify wheter it's possible to include
into your application!

Thanks in advance, 
Alexander

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Re: [mod-security-users] Positive Security Model

[Edy <em...@ed...>]

How is the performance of the Mod Security right now? From the way i 
look at it right now it is based on rules which essentially is negative 
security. I believe the chances of false positive is fairly high with 
this approach and performance could be a hit if we have a long list of 
rules.

Also on the website, it stated that the modsecurity can be configured as 
stand alone WAF but i did not see any package/document which describe 
this process.

Cheers,
-e

Alexx Alexx wrote:
> My question is addressed to the author of the
> mod_security. Some time ago I read in your blog, that
> your are intrested in idea of including positive
> security model ito your mod_security module. Are you
> going to implement this somewhen? OR, perhaps, it's
> already implemented? 
> I'm rather intrested of positive security model and
> I'd like to clarify wheter it's possible to include
> into your application!
>
> Thanks in advance, 
> Alexander
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around 
> http://mail.yahoo.com 
>
>
> -------------------------------------------------------
> All the advantages of Linux Managed Hosting--Without the Cost and Risk!
> Fully trained technicians. The highest number of Red Hat certifications in
> the hosting industry. Fanatical Support. Click to learn more
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=107521&bid=248729&dat=121642
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>
>
>   

Re: [mod-security-users] Positive Security Model

[Ivan R. <iva...@gm...>]

On 5/25/06, Edy <em...@ed...> wrote:
> How is the performance of the Mod Security right now?

Under 1 msec per request running the Certified Rule Set (similar to
what's available for free) on modest hardware. On the same modest
hardware but installed on a reverse proxy it can achieve 1500 request
per second with latency under 1 msec. You can achieve many times
better performance with more powerful hardware (e.g. T1000/T2000). I
hope to do a test with T1000 in the next couple of months.


> From the way i
> look at it right now it is based on rules which essentially is negative
> security.

It supports both models. But positive security rules sets are
difficult to write manually.


> I believe the chances of false positive is fairly high with
> this approach and performance could be a hit if we have a long list of
> rules.

Depends on the application...


> Also on the website, it stated that the modsecurity can be configured as
> stand alone WAF but i did not see any package/document which describe
> this process.

Just configure Apache to work as a reverse proxy and you're done.

--=20
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall

Re: [mod-security-users] Positive Security Model

[Ivan R. <iva...@gm...>]

On 5/25/06, Alexx Alexx <zm...@ya...> wrote:
> My question is addressed to the author of the
> mod_security. Some time ago I read in your blog, that
> your are intrested in idea of including positive
> security model ito your mod_security module. Are you
> going to implement this somewhen?

I am, but the feature didn't make it to v2.0 due to time constraints.
But it's now on the top of the list. I decided to leave positive
security out because it needs interactivity in order to work properly
and the management GUI is not going to be ready for a couple of more
months.


> OR, perhaps, it's
> already implemented?
> I'm rather intrested of positive security model and
> I'd like to clarify wheter it's possible to include
> into your application!

It's possible to manually write the rules but that's somewhat
hard/boring/time consuming to do.

--=20
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall