Book Reviews: Security

The security section at ApacheTutor currently offers reviews of leading books in the area of security with Apache. It may offer additional articles in future.

Several books on the subject of security with Apache are available. This review compares the most up-to-date of these:

Both of these have got good reviews elsewhere, and are worth reading if you're responsible for running a server. In reviewing them, I should also mention a third book which I haven't read but which has been well-received elsewhere:

Executive Summary

Barnett is insightful on the Big Picture. He is chief of security at a big software and services company, and his book is in essence an apprenticeship to that job. Ristic is more of the classic textbook, and is the more thorough and comprehensive of the two if you're looking for a reference manual.

If your job is to run servers, keep the Ristic always to hand. If you're managing people who run servers, get both and read the Barnett yourself.

Ryan Barnett: Preventing Web Attacks with Apache

Barnett is chief of security at EDS, and project lead for the Apache security benchmark at the Center of Internet Security. His book is in essence an apprenticeship, taking in the tools, techniques and thought processes involved in his job.

For a techie book, this is very, very readable. Barnett's writing engages the reader, and guides you to think secure. He is a disciple of Sun Tzu (who he even mentions by name), and exhorts you to know the enemy. He makes great use of anecdotes to bring his points home. If you find it hard to motivate yourself to read techie books, this one will make a pleasant change. On the downside, the technical detail is rather patchy. In parts it's excellent, but there are also omissions and inaccuracies I find alarming. There are matters of detail in which I would firmly disagree with his recommendations, particularly where they have very severe performance implications (which he doesn't discuss at all).

The areas where Barnett offers more than Ristic focus on "Big Picture" insights, such as running a "honeypot" to gather intelligence on the threats active on the Web.

This article about filtering information leaks gives a feel for both what's good and bad about this book.

Chapters

  1. The issues we have to deal with. This is well-presented and benefits from his writing style.
  2. Hardening the platform. Mostly good, but not comprehensive.
  3. Downloading and Installing Apache. Covers the basics, but fails to explain the crucial role of PGP.
  4. Configuring httpd.conf. Covers the basics well, but some of his recommendations are unusual.
  5. Security modules. mod_ssl, mod_rewrite, mod_log_forensic, mod_dosevasive, mod_security. A good chapter and excellent on mod_ssl - and why SSL does not make a secure site. Very enthusiastic on mod_security.
  6. The CIS Apache Benchmark tool. He presents a tool and sample output, but doesn't discuss the implications of the warnings issued by the tool.
  7. WASC web security threat classification. The Web Application Security Consortium enumerates and classifies threats to a webserver. This useful chapter presents an exhaustive list of threat types, together with countermeasures available to an Apache admin.
  8. Protecting a buggy application. Training for security professionals includes practical sessions with web applications known to be buggy. You can be either attacking or defending the application, and it's a controlled simulation of the real-life job. This chapter describes attacking and defending a buggy application, and illustrates both what's right and wrong with this book. The information he gains as an attacker from innocuous-looking bugs is a real eye-opener. But his remedies are nasty hacks and almost as scary as the bugs!
  9. Firewalls, Web Application Firewalls, Intrusion Detection systems. Barnett explains why firewalls and IDS offer little protection, and moves on to Web Application Firewalls, including mod_security hands-on.
  10. Open proxy honeypot. Barnett describes deploying a web honeypot, to gather real-time information on the threats he's dealing with. This presents a very practical approach to knowing your enemy, and being in a position to react promptly when a threat arises.
  11. Putting it all together. Takes a scenario from his regular job, and applies techniques from the book "for real". Then moves on to miscellaneous/unrelated topics.

Ivan Ristic: Apache Security

Ristic's principal claim to fame in the area is mod_security, the market-leader in web application firewalls, and the only open-source product in its class. In September 2006, Ristic's company Thinking Stone was acquired by Breach Security, Inc, with whom Ristic took up a senior position.

Ristic writes very well, though I find his style dryer and less engaging than Barnett's. As a manual, Ristic is the more thorough of the two by a clear margin, both in range of core server administration topics and depth of technical detail. Topics Ristic covers on which Barnett says little or nothing include:

Ristic, like Barnett, puts security ahead of performance. He does discuss performance issues, but it is not his strongest point. My main reservation there is in his coverage of mod_security. Using mod_security to scan and processes HTTP headers and log suspect events is cheap. But scanning incoming or outgoing bodies with it gets very, very expensive as the size grows. Neither author is clear on this important distinction.

Chapters

  1. A brief look at the principles of security: what needs to be accomplished. The remainder of the book describes how to accomplish it.
  2. Installation and configuration.
  3. Setting up PHP for security.
  4. Cryptography, starting with an exposition of the theory, and moving on to applying it in Apache.
  5. Denial of Service attacks, and how to mitigate them.
  6. Configuring a server for multiple users, as in a hosting company.
  7. Apache's access control mechanisms. This chapter is now in part outdated, so it will have to be taken in conjunction with Apache's own manual.
  8. Logging, starting with details of Apache's standard logging, then moves on to techniques for logging more information to detect threats, and managing large volumes of data. In a rather serious error, he advocates contravening the HTTP standard in the interests of logging.
  9. Infrastructure - describes hardening the platform and environment, continuing from Chapter 2.
  10. Web application security. It presents the range of threats, with suggestions for dealing with them.
  11. Web security assessment.
  12. Web intrusion detection, including an extended manual for mod_security.

Ristic also has one appendix, in which he briefly introduces a number of tools that may be of interest. Nicely written, with just enough description of each tool to motivate you to try it!

Articles