Requirements for web applications firewalls

Authors

  • Artem Zhylin Institute of special communication and information protection of National technical university of Ukraine “Igor Sikorsky Kyiv polytechnic institute”, Kyiv,, Ukraine http://orcid.org/0000-0002-4959-612X
  • Dmytro Parfeniuk State centre of cyberdefence of State service of special communication and information protection of Ukraine, Kyiv,, Ukraine http://orcid.org/0000-0002-9255-9340
  • Sergii Mitin Institute of special communication and information protection of National technical university of Ukraine “Igor Sikorsky Kyiv polytechnic institute”, Kyiv,, Ukraine http://orcid.org/0000-0002-4936-2569

DOI:

https://doi.org/10.20535/2411-1031.2020.8.2.222603

Keywords:

web applications, firewall, requirement, comprehensive information security system, security suite, OWASP ModSecurity

Abstract

Domestic and foreign regulations related to the protection of web applications are analyzed. It is established that the requirements for its individual means of protection should be taken into account when developing a comprehensive information protection system. The most effective of the elements of the complex of means of protection for automated systems of class 2 and 3, on which web servers operate is the firewall of web applications, which is not required in open sources. Therefore, the development of such requirements is an urgent and urgent problem, the solution of which will simplify the development of a comprehensive information security system. Based on the relevance of the results of the work are the requirements for firewalls of web applications. One of the few open sources that allows you to implement such a component of a comprehensive information security system as the firewall of web applications is a list of rules from MITRE and the open project to ensure the security of web applications OWASP. However, these rules do not implement the developed requirements, so in addition, proposed and implemented rules for filtering the firewalls of web applications that meet them. The technique of their check on conformity to the established requirements is formed. Based on such utilities as Metasploit FW, nikto, dirb, wafninja, a software application has been developed that implements this technique. It has a direct link to the CVE database, which allows you to detect and check for current vulnerabilities. OWASP ModSecurity is used as a security component, the source code of which is located on official repositories and operates on the basis of the nginx web server. The capabilities of ModSecurity are enhanced by a developed dynamic connector that allows you to use the firewall of web applications as a separate means of protecting information. Certain filtering rules are implemented in the developed protection tool. This satisfies the requirements for a set of security features in a comprehensive information security system such as continuous protection of computer systems and a modular structure.

Author Biographies

Artem Zhylin, Institute of special communication and information protection of National technical university of Ukraine “Igor Sikorsky Kyiv polytechnic institute”, Kyiv,

candidate of technical sciences,
associate professor at the cybersecurity
and application of information systems
and technologies academic department

Dmytro Parfeniuk, State centre of cyberdefence of State service of special communication and information protection of Ukraine, Kyiv,

engineer

Sergii Mitin, Institute of special communication and information protection of National technical university of Ukraine “Igor Sikorsky Kyiv polytechnic institute”, Kyiv,

senior lecturer at the cybersecurity
and application of information
systems and technologies academic
department

References

K. Demertzis, and L. Iliadis, “Cognitive Web Application Firewall to Critical Infrastructures Protection from Phishing Attacks”, Journal of Computations & Modelling, vol. 9, no. 2, рp. 1-26, 2019.

D. Appelt, A. Panichella, and L. Briand, “Automatically Repairing Web Application Firewalls Based on Successful SQL Injection Attacks”, in Proc. IEEE 28th International Symposium on Software Reliability Engineering (ISSRE), Toulouse, pp. 339-350, 2017, doi: https://doi.org/10.1109/ISSRE.2017.28.

A. M. Hasan, D. T. Meva, A. K. Roy, and J. Doshi, “Perusal of web application security approach”, in Proc. International conference on intelligent communication and computational techniques (ICCT), pp. 90-95, 2017, doi: https://doi.org/10.1109/INTELCCT.2017.8324026.

International Organization for Standardization. (2018, Febr. 07). ISO/IEC 27000, Information technology. Security techniques. Information security management systems. Overview and vocabulary. Requirements. [Online]. Available: https://www.iso.org/ru/standard/73906.html. Accessed on: Sept. 10, 2020.

International Organization for Standardization. (2013, Okt. 1). ISO/IEC 27001, Information technology. Information security management systems. Requirements. [Online]. Available: https://www.iso.org/standard/54534.html. Accessed on: Sept. 10, 2020.

International Organization for Standardization. (2013, Sept. 25). ISO/IEC 27002, Information technology. Security techniques. Code of practice for information security controls. Technical Corrigendum 2. [Online]. Available: https://www.iso.org/ru/standard/69379.html. Accessed on: Sept. 10, 2020.

International Organization for Standardization. (2012, Jul. 16). ISO/IEC 27032, Information technology. Security techniques. Guidelines for cybersecurity. [Online]. Available: https://www.iso.org/ru/standard/44375.html. Accessed on: Sept. 10, 2020.

International Organization for Standardization. (2015, Okt. 10). ISO/IEC 27033-1, Information technology. Security techniques. Network security. [Online]. Available: https://www.iso.org/ru/standard/63461.html. Accessed on: Sept. 10, 2020.

International Organization for Standardization. (2016, Okt. 28). ISO/IEC 27035-1, Information technology. Security techniques. Information security incident management. [Online]. Available: https://www.iso.org/ru/standard/60803.html. Accessed on: Sept. 10, 2020.

International Organization for Standardization. (2009, Dec. 09). ISO/IEC 15408, Information technology. Security techniques. Evaluation criteria for IT security. [Online]. Available: https://www.iso.org/ru/standard/50341.html. Accessed on: Sept. 10, 2020.

DSTSIP SS of Ukraine. (1999, Apr. 28). ND TZIІ, 2.5-004-99 Criteria for assessing the security of information in computer systems from unauthorized access. [Online]. Available: https://tzi.ua. Accessed on: Sept. 25, 2020.

DSTSIP SS of Ukraine. (1999, Apr. 28). ND TZIІ 2.5-005-99, Classification of automated systems and standard functional profiles of protection of processed information from unauthorized access. [Online]. Available: https://tzi.ua. Accessed on: Sept. 25, 2020.

DSTSIP SS of Ukraine. (2003, Apr. 03). ND TZIІ 2.5-010-03, Requirements to protect the WEB-page from unauthorized access. [Online]. Available: https://tzi.com.ua. Accessed on: Sept. 25, 2020.

DSTSIP SS of Ukraine. (2005, Nov. 8). ND TZIІ 3.7-003, The procedure for creating a comprehensive information security system in the information and telecommunications system. [Online]. Available: http://www.dsszzi.gov.ua. Accessed on: Aug. 25, 2020.

National Institute of Standards and Technology. (2007, Aug. 7). NIST Special Publication 800-95, Guide to Secure Web Services. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-95.pdf. Accessed on: Sept. 10, 2020.

ICSAlabs (2018, Feb. 23) WAF Criteria V2.1 Document V2.4, 2016. [Online]: Available: https://www.ptsecurity.com/upload/corporate/ww-en/products/documents/af/PTSecurity-PTAF-WAF-Report-180223.pdf. Accessed on: Sept. 10, 2020.

BSI S 5.169 System architecture of a web application. [Online]: Available: https://enos.itcollege.ee/~valdo/bsieng/en/gstoolhtml/m/m05/m05169.html. Accessed on: Sept. 10, 2020.

F. Memon, O. Garrett and M. Pleshakov, Modsecurity 3.0 & NGINX: Quick Start Guide. NGINX, Inc 2018.

I. Ristic, Modsecurity handbook. Feisty Duck, 2010.

ModSecurity data formats. Component table [Online]. Available: https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats. Accessed on: Aug. 25,2020.

Published

2020-12-30

How to Cite

Zhylin, A., Parfeniuk, D., & Mitin, S. (2020). Requirements for web applications firewalls. Information Technology and Security, 8(2), 177–190. https://doi.org/10.20535/2411-1031.2020.8.2.222603

Issue

Section

NETWORK AND APPLICATION SECURITY