Concepts and Theory of Operations

mod_parmguard is an Apache Module that acts as a kind of Level-7 Firewall: it analyzes the Script Parameters and blocks Requests with unexpected contents.

Quoting Tony Mobily's book (to be published):

"Securing an Apache server that manages static pages and has no user input whatsoever is relatively simple: keeping it updated, configuring it well, and making sure that you have a good policy to manage log files will be enough most of the time.

Unfortunately, it is very rare to find such a server serving a web site of any significance [...]

Dynamic content of any kind often represents the Achilles' heel of a web server; frequently, the problem is the user input, which can be maliciously configured to crash your dynamic pages or to gain information about your system.

Also, people who write dynamic web pages are not software engineers (at least in most cases). If there is a way to write robust applications, they don't seem to be aware of it. [...]

For this reason, they are allocated very little development time (if any), and they don't get tested properly. The result is that many scripts (and therefore your Apache) are vulnerable.

Most of the problems with dynamic pages come when the user sends an unexpected parameter from a form.

Authors of dynamic pages should carefully check all the input, but unfortunately this very rarely happens. Mod_parmguard is a very intelligent, "global" solution to such a problem."

Tony Mobily


 The mod_parmguard package is made up of the following components (see the diagram below):

Component
    Description

XML Conf. File
    Describes the constraints that must apply to Script Parameters.
    Parameters can be checked against Predefined Types (integer, enum, string...), User-Defined Types (currency, price, date...) and their Values (min/max values, string length...).
    The Configuration File also contains global parameters that describe the module's default behaviour.

mod_parmguard.dtd
    The simple DTD that describes the XML Configuration File Syntax.

mod_parmguard
    Apache module (1.x and 2.x compatible) that intercepts GET and POST HTTP requests and checks that the Script Parameter Constraints described in the XML Conf. File are respected.
    Depending on the configuration, Requests can be rejected or accepted. Errors can be logged and/or Environment Variables can be set.

Parmguard Generator (made of two Perl scripts: htmlspider.pl and confmerger.pl)
    Automated tools that help the Administrator build the XML Conf. files.

mod_parmguard Architecture Overview
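
The checks described above (predefined types, user-defined types, value constraints, then accept or reject), sketched in Python as an added example. This is not mod_parmguard code and does not use its XML syntax; the policy layout, type names, script path and sample values are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Hypothetical user-defined types, each resolved to a predefined base type.
USER_TYPES = {
    "price": {"type": "decimal", "min": 0, "max": 10000},
    "date": {"type": "string", "maxlen": 10, "pattern": r"[0-9]{4}-[0-9]{2}-[0-9]{2}"},
}
# Hypothetical policy (constructed): script path -> parameter -> constraint.
POLICY = {
    "/shop/order.cgi": {
        "qty": {"type": "integer", "min": 1, "max": 99},
        "size": {"type": "enum", "values": ["S", "M", "L"]},
        "amount": {"type": "price"},
        "day": {"type": "date"},
    },
}

def check_value(value, rule):
    """Return None if value satisfies rule, otherwise the reason it fails."""
    rule = {**rule, **USER_TYPES.get(rule["type"], {})}  # expand user-defined type
    kind = rule["type"]
    if kind in ("integer", "decimal"):
        pattern = r"[+-]?[0-9]+" if kind == "integer" else r"[+-]?[0-9]+(\.[0-9]+)?"
        if not re.fullmatch(pattern, value):
            return f"not a valid {kind}"
        number = float(value)
        if number < rule.get("min", number) or number > rule.get("max", number):
            return "out of range"
    elif kind == "enum":
        if value not in rule["values"]:
            return "not an allowed value"
    elif kind == "string":
        if len(value) > rule.get("maxlen", len(value)):
            return "too long"
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            return "does not match pattern"
    else:
        return f"unknown type {kind}"
    return None

def check_request(path, query_string):
    """Return (accepted, errors) for the parameters of one request."""
    rules = POLICY.get(path)
    if rules is None:
        return True, []  # this sketch's choice: scripts without rules pass unchecked
    errors = []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        reason = check_value(value, rules[name]) if name in rules else "unexpected parameter"
        if reason:
            errors.append(f"{name}: {reason}")
    return not errors, errors
```

The error list is what a filter of this kind would log before rejecting the request; a parameter the policy does not name is treated as a failure rather than passed through.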


www.trickytools.com