Simple security features in pound
FX <gentoo(at)sbcglobal.net>
2005-10-15 21:28:38
I agree with the philosophy of keeping pound as simple as possible.  Yet 
sometimes, we find features that are a match made in heaven--a perfect 
fit for pound.  I believe some (not all) of the features of mod_evasive 
and mod_security should be examined to see if we can pick out those 
which are: small, easy-to-implement, and highly desirable additions to 
pound.

Note that firewalls are limited by the fact that they cannot parse the 
content of HTTPS connections.  And we already have at least one 
mod_security feature in pound.

For example, pound already has "CheckURL 1" feature which is similar to 
the following in mod_security:

    # Make sure that URL encoding is valid
    SecFilterCheckURLEncoding On

And it probably (I'm guessing) wouldn't be too difficult to migrate the 
following mod_security feature into pound:

    # Only allow bytes from this range
    SecFilterForceByteRange 32 126

By filtering out byte ranges (showing a 5xx error page instead of 
sending to backend), we're able to make it exceedingly difficult (or 
impossible) for buffer overflow attacks to execute meaningful machine-code 
instructions on the backend.

Although I focused on mod_security, I believe the features of 
mod_evasive are even more well-suited for migration into pound.  
mod_evasive parses the HTTP request and determines if a page/resource is 
being repeatedly requested via script rather than normal human interaction 
with a browser (something firewalls cannot do because of HTTPS).  For 
people using pound, it would be fantastic to stop such activities 
without generating traffic to the backends.

Another benefit of having this in pound, rather than as web server 
modules is that it enables us to use different web servers for the 
backend.  We might want to use thttpd to serve up images but don't want 
to lose the benefits of mod_evasive & mod_security.  We might want to 
use Lighttpd to serve up sites using RubyOnRails because Apache is way 
too slow for that scenario.  And so on...

In summary, I believe we can have our cake and eat it too. Pound can 
remain simple if we carefully pick and choose features from mod_evasive 
and mod_security that are small & easy-to-implement & worthwhile.  
SecFilterForceByteRange is a good example.

See the following Apache modules for more info:

mod_evasive (formerly known as mod_dosevasive)
http://www.nuclearelephant.com/projects/mod_evasive/

mod_security
http://www.modsecurity.org/
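
A sketch of the two checks discussed in the message above (valid URL encoding, and a forced byte range such as `SecFilterForceByteRange 32 126`), added here as an example; it is not part of the original post and is not code from Pound or mod_security. The function name `check_url_bytes` and the result codes are hypothetical, and checking both raw and percent-decoded bytes is an assumption of this sketch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes; not part of Pound or mod_security. */
enum { REQ_OK = 0, REQ_BAD_ENCODING = -1, REQ_BYTE_OUT_OF_RANGE = -2 };

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Every %XX escape must be well formed, and every byte, raw or decoded,
 * must lie in [lo, hi] (32..126 keeps only printable ASCII). The length
 * is explicit so an embedded NUL cannot cut the check short.
 */
int check_url_bytes(const char *url, size_t len, int lo, int hi)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)url[i];
        if (c < lo || c > hi)
            return REQ_BYTE_OUT_OF_RANGE;
        if (c == '%') {
            if (len - i < 3)            /* escape truncated at end of URL */
                return REQ_BAD_ENCODING;
            int h = hex_val((unsigned char)url[i + 1]);
            int l = hex_val((unsigned char)url[i + 2]);
            if (h < 0 || l < 0)
                return REQ_BAD_ENCODING;
            int decoded = h * 16 + l;
            if (decoded < lo || decoded > hi)
                return REQ_BYTE_OUT_OF_RANGE;
            i += 2;                     /* skip the two hex digits */
        }
    }
    return REQ_OK;
}

int main(void)
{
    const char *s = "/a%90%90";         /* constructed sample URL */
    printf("%d\n", check_url_bytes(s, strlen(s), 32, 126));
    return 0;
}
```

A proxy using a check like this would answer any non-zero result with an error page rather than forwarding the request to a backend.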
