<html> <head> <title>Documentation</title> <link rel="stylesheet" href="style5.css" type="text/css"> <meta http-equiv="Content-Type" content="text/html;"> </head> <body bgcolor="#ffffff"> <table border="0" cellpadding="0" cellspacing="0" width="700"> <!-- fwtable fwsrc="mod_benchmark-manual.png" fwbase="template1.gif" fwstyle="Dreamweaver" fwdocid = "742308039" fwnested="0" --> <tr> <td><img src="images/spacer.gif" width="44" height="1" border="0"></td> <td><img src="images/spacer.gif" width="527" height="1" border="0"></td> <td><img src="images/spacer.gif" width="122" height="1" border="0"></td> <td><img src="images/spacer.gif" width="5" height="1" border="0"></td> <td><img src="images/spacer.gif" width="2" height="1" border="0"></td> <td><img src="images/spacer.gif" width="1" height="1" border="0"></td> </tr> <tr> <td colspan="5"><img name="template1_r1_c1" src="images/template1_r1_c1.gif" width="700" height="21" border="0"></td> <td><img src="images/spacer.gif" width="1" height="21" border="0"></td> </tr> <tr> <td rowspan="4" colspan="2"><img name="template1_r2_c1" src="images/template1_r2_c1.gif" width="571" height="61" border="0"></td> <td><a href="http://www.trickytools.com"><img name="template1_r2_c3" src="images/template1_r2_c3.gif" width="122" height="22" border="0"></a></td> <td rowspan="4" colspan="2"><img name="template1_r2_c4" src="images/template1_r2_c4.gif" width="7" height="61" border="0"></td> <td><img src="images/spacer.gif" width="1" height="22" border="0"></td> </tr> <tr> <td><img name="template1_r3_c3" src="images/template1_r3_c3.gif" width="122" height="4" border="0"></td> <td><img src="images/spacer.gif" width="1" height="4" border="0"></td> </tr> <tr> <td><a href="mailto:contact@trickytools.com"><img name="template1_r4_c3" src="images/template1_r4_c3.gif" width="122" height="22" border="0"></a></td> <td><img src="images/spacer.gif" width="1" height="22" border="0"></td> </tr> <tr> <td><img name="template1_r5_c3" 
src="images/template1_r5_c3.gif" width="122" height="13" border="0"></td> <td><img src="images/spacer.gif" width="1" height="13" border="0"></td> </tr> <tr> <td background="images/template1_r6_c1.gif" width="44" height="418" border="0"></td> <td colspan="4" valign=top> <table width=100% border=0> <tr><td><h1>Concepts and Theory of Operations</h1></td><td valign=top><img src="images/puce1.gif"><a href="intro.html"> Top</a></td></tr> </table> <p class=texte2> <b>mod_parmguard</b> is an Apache Module that acts as a kind of <i>Level-7 Firewall</i>: it analyzes the Script Parameters and blocks Requests with unexpected contents. </p> <p class=texte2> <img src="images/puce1.gif"> Quoting Tony Mobily's book (to be published):<br> <br> "Securing an Apache server that manages static pages and has no user input whatsoever is relatively simple: keeping it updated, configuring it well, and making sure that you have a good policy to manage log files will be enough most of the time.<br> <br> Unfortunately, it is very rare to find such a server serving a web site of any significance [...]<br> <br> <b>Dynamic content of any kind often represents the Achilles' heel of a web server</b>; frequently, the problem is the user input, which can be maliciously configured to crash your dynamic pages or to gain information about your system.<br> <br> Also, <b>people who write dynamic web pages are not software engineers (at least in most cases)</b>. If there is a way to write robust applications, they don't seem to be aware of it. [...]<br> <br> For this reason, they are allocated very little development time (if any), and <b>they don't get tested properly</b>. The result is that many scripts (and therefore your Apache) are vulnerable.<br> <br> <b>Most of the problems with dynamic pages come when the user sends an unexpected parameter from a form.</b><br> <br> Authors of dynamic pages should carefully check all the input, but unfortunately this very rarely happens. 
<b>Mod_parmguard is a very intelligent, "global" solution to such a problem</b>".<br> <br> <i>Tony Mobily</i> </p> <br> <p class=texte2> <img src="images/puce1.gif"> The <b>mod_parmguard</b> package is made up of the following components (see the <a href="#diagram">diagram</a> below):<br> </p> <table cellpadding=3 border=0 width=100%> <tr><td colspan=2><img src="images/sepline.gif" height=1 width=640></td></tr> <tr><td class=texte3 align=center width=20%>Component</td><td class=texte3 align=center width=80%>Description</td></tr> <tr><td colspan=2><img src="images/sepline.gif" height=1 width=640></td></tr> <tr><td class=texte3 width=25% align=center valign=top><b>XML Conf.File</b></td> <td class=texte2 width=75%> Describes the constraints that must apply to Script Parameters.<br> Parameters can be checked against <i>Predefined Types</i> (integer, enum, string...), <i>User-Defined Types</i> (currency, price, date...) and their <i>Values</i> (min/max values, string length...).<br> The Configuration File also contains global parameters that describe the module's default behaviour. </td> <tr><td colspan=2><img src="images/sepline.gif" height=1 width=640></td></tr> <tr><td class=texte3 align=center valign=top><b>mod_parmguard<br>.dtd</b></td> <td class=texte2> The simple DTD that describes the XML Configuration File Syntax. </td> <tr><td colspan=2><img src="images/sepline.gif" height=1 width=640></td></tr> <tr><td class=texte3 align=center valign=top><b>mod_parmguard</b></td> <td class=texte2> Apache module (1.x and 2.x compatible) that intercepts GET and POST HTTP requests and checks that the Script Parameter Constraints described in the XML Conf. File are respected.<br> Depending on the configuration, Requests can be rejected or accepted. Errors can be logged and/or Environment Variables can be set... 
</td> <tr><td colspan=2><img src="images/sepline.gif" height=1 width=640></td></tr> <tr><td class=texte3 align=center valign=top><b>Parmguard Generator</b></td> <td class=texte2> (not released yet)<br> Automated tool that helps the Administrator build the XML Conf. files! </td> <tr><td colspan=2><img src="images/sepline.gif" height=1 width=640></td></tr> </table> <p align=center class=texte3>mod_parmguard Architecture Overview</p> <a name="diagram"> <img height=380 width=520 src="images/synoptique.gif"></a> </td> <td><img src="spacer.gif" width="1" height="418" border="0"></td> </tr> <tr> <td colspan="6" valign=top align=right class=texte1> <hr color="#FFBB00" width=640 size=1> <a href="http://www.trickytools.com">www.trickytools.com</a> </td> </tr> </table> </body> </html>
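The kind of check the component table describes (predefined types with min/max values, string length limits, and a global default for parameters that are not declared), sketched in Python as an added example. It is not mod_parmguard code and does not use its XML syntax; the constraint table, the parameter names and the REJECT_UNDECLARED default are assumptions made for illustration.

```python
from urllib.parse import parse_qsl

# Constructed constraint table for a hypothetical order form.
# A plain dict for illustration, NOT mod_parmguard's XML configuration syntax.
CONSTRAINTS = {
    "qty":     {"type": "integer", "min": 1, "max": 99},
    "size":    {"type": "enum", "values": {"S", "M", "L"}},
    "comment": {"type": "string", "maxlen": 40},
}
REJECT_UNDECLARED = True  # assumed global default: undeclared parameters fail


def check_value(rule, value):
    """Return None if value satisfies rule, otherwise a short reason."""
    if rule["type"] == "integer":
        # Strict digits-only parse: int() alone would accept " 7", "+7", "7_0".
        body = value[1:] if value.startswith("-") else value
        if not (body.isascii() and body.isdigit()):
            return "not an integer"
        if not rule["min"] <= int(value) <= rule["max"]:
            return "out of range"
    elif rule["type"] == "enum":
        if value not in rule["values"]:
            return "not an allowed value"
    elif rule["type"] == "string":
        if len(value) > rule["maxlen"]:
            return "too long"
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            return "control character"
    return None


def check_request(query_string):
    """Return (accepted, violations) for a raw query string or form body."""
    violations, seen = [], set()
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        rule = CONSTRAINTS.get(name)
        if rule is None:
            if REJECT_UNDECLARED:
                violations.append((name, "undeclared parameter"))
            continue
        if name in seen:  # repeated names can be read differently downstream
            violations.append((name, "duplicate parameter"))
        seen.add(name)
        reason = check_value(rule, value)
        if reason:
            violations.append((name, reason))
    return (not violations, violations)
```

The violations list is what a filter of this kind would log before rejecting the request; checking happens on the decoded value, so percent-encoded control characters are caught as well.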