It is assumed that Apache is a more secure web server than its Microsoft counterpart, Internet Information Services (IIS) (read more about IIS security here). Whether this statement is true or not depends on who’s facts you believe, however for the web administrator who is under the impression that Apache on its own is completely secure is in for an unfortunate shock.
Apache, like any software, is susceptible to vulnerabilities. Having the largest share of the web server market makes Apache, and those who use it to power their web sites, vulnerable to the different threats that exist. As cyber criminals have shifted the focus of their attacks from defacement and delinquency to the actual theft of dollars and data, web administrators have to be more vigilant that ever when it comes to securing their web applications, regardless of what server software they are running.
Despite the belief that Apache is more secure than its competitors, the latest version of the software, Apache 2.2, has had 30 known vulnerabilities patched since May of 2002. These vulnerabilities range from giving attackers the ability to coordinate Denial of Service attacks against the server to bring down a web site to opening the door to Cross-Site Scripting (XSS) attacks.
Like any web server, if Apache is not configured properly there is a good chance that it will be open to attackers who use exploits like SQL Injections and PHP File Includes. Since Microsoft’s IIS was marketed to be easier to install, configure, and manage Apache’s developers have made great strides in making their web server a more user friendly product to those who may have shied away from the GNU/Linux shell in the past. However, as the default installation has become easier, it has also become less secure due to unnecessary services being installed. The more services that are running equates to a higher risk of a vulnerability being exploited. If the administrator is unaware of a specific service, then they may not know what to watch for in order to prevent an attack.
Even a web server that is updated with all the latest patches, monitored closely, and configured properly can be compromised by a zero-day attack. When this happens, it can be days before a fix is found and the attacked site could suffer from any number of issues during that time. Unless the web administrator knows what patterns to look for in illicit web traffic and does nothing else but watch this traffic, he or she will not be able to spot this type of attack before it is too late.
While efforts to secure Apache may be high on a web administrator’s priority list, if the applications installed on the server are not treated with the same consideration the site is vulnerable to a number of threats. Some of the more common methods of attack against the most popular web applications are:
Like any server, certain steps need to be taken to harden the operating system against attacks. While malware prevention, Intrusion Detection/Prevention Systems, network firewalls, and all of the other tools and techniques help prevent some attacks, they don’t adequately prevent attacks launched against any third-party applications that have been installed on the server.
Apache’s developers realize the need to protect their product with a web application firewall. In response to security threats that exist users can install a module called mod_security. mod_security is a plug-in that installs a web application firewall on Apache to help protect against certain threats. While in the hands of a security expert mod_security can be a useful tool in the fight to protect a web server, it does require the user to understand how to write complex rules, accept the basic supplied rule set, or purchase rules for a small fee.
dotDefender's unique security approach eliminates the need to learn the specific threats that exist on each web application. The software that runs dotDefender focuses on analyzing the request and the impact it has on the application. Effective web application security is based on three powerful web application security engines: Pattern Recognition, Session Protection and Signature Knowledgebase.
The Pattern Recognition web application security engine employed by dotDefender effectively protects against malicious behavior such as the attacks mentioned above, and many others. The patterns are regular expression-based and designed to efficiently and accurately identify a wide array of application-level attack methods. As a result, dotDefender is characterized by an extremely low false positive rate.
What sets dotDefender apart is that it offers comprehensive protection against threats to web applications while being one of the easiest solutions to use.
In just 10 clicks, a web administrator with no security training can have dotDefender up and running. Its predefined rule set offers out-of-the box protection that can be easily managed through a browser-based interface with virtually no impact on your server or web site’s performance.
Unlike mod_security, dotDefender runs as a Security-as-a-Service solution and is able to provide protection to web servers directly out of the box- whether the admin has an extensive background in security or just a minimal amount of knowledge on the subject.
With the dotDefender web application firewall you can avoid many different threats to web applications because it performs a deep inspection of your HTTP traffic and checks their packets against rules such as to allow or deny protocols, ports, or IP addresses to stop web applications from being exploited. This deep level packet inspection helps to prevent against zero-day attacks as traffic that appears to be illicit can be stopped using the pattern recognition features.
Architected as plug & play software, dotDefender provides optimal out-of-the-box protection against DoS threats, Cross-Site Scripting, SQL Injection attacks, path traversal and many other web attack techniques without the need to perform expert level configurations.
The reasons dotDefender offers such a comprehensive solution to your web application security needs are: