NFR Wizards Archives

Active-content filtering (was RE: Buffer Overruns)


Subject: Active-content filtering (was RE: Buffer Overruns)
From: fernando_montenegro@hp.com
Date: Tue Dec 21 1999 - 04:56:22 CST


Hello!

One or two messages in this thread mentioned some firewalls' ability to filter
out Java[script]|ActiveX from the HTTP stream.

Considering the current scenario, where lots and lots of sites with valid,
business-need content, will use client-side scripting|code as fundamental for
functionality (news/stock tickers, client-side input validation, etc...), how
many people have actually used this feature of their firewalls in production
environments where serving Web content for an internal population is part of
the requirement? I would think the end user population would scream bloody
murder if this kind of functionality was blocked indiscriminately at the
firewall.

While a concept such as IE's "zones" looks interesting, relying on end users to
decide which sites can be in the "trusted sites" zone can be dangerous. Which
leads me to a few questions: Can anyone comment on how far one can go with MS
Proxy Server's "automatic browser configurations"? Does it just configure HTTP
routing or can I "centralize" the zone configurations somehow? Also, can anyone
recommend products that offer an easier "centralized" configuration for IE
zones, probably acting as proxy servers?

IMHO, we fall once again into the realm of multi-layered defenses, including:
- Adequate network-level compartmentalization, separating critical business
servers from "general population" (client machines)
- Adequate security policies, reserving Internet access for business needs,
etc..., backed up by usage reporting and such.
- Some form of host-level security mechanism deployed on internal desktops. A
properly configured NT Workstation (or Linux client, for those so inclined)
comes to mind, with adequate AV software, limited rights for the end user.

Overall, it seems that living with some degree of risk of an
active-content-based security incident is part of the cost of doing business
nowadays. As always, YMMV.

Ok, off the soapbox for now...

Cheers,
Fernando

--
Fernando da Silveira Montenegro     Hewlett-Packard Brasil
HP Consulting - IT Security         Al. Rio Negro, 750 - Alphaville
mailto:fernando_montenegro@hp.com  Barueri, SP - Brazil 06454-000
voice: +55-11-7297-4351             #include <disclaimer.h>

-----Original Message-----
From: Jeremy_Epstein@NAI.com [mailto:Jeremy_Epstein@NAI.com]
Sent: Monday, December 20, 1999 14:10
To: firewall-wizards@lists.nfr.net
Cc: Jeremy_Epstein@NAI.com
Subject: Re: Buffer Overruns

The answers to this question have been interesting, because those writing responses have interpreted the original question in two different ways. The first interpretation is "are vulnerabilities in hosts behind the firewall protected by the firewall itself". The second interpretation is "are firewalls *themselves* vulnerable to buffer overrun attacks".

The answer to the first question is "it depends", and the answer to the second question is "it depends".

Firewalls may protect against some attacks against the hosts behind them, not just for buffer overruns but for other attacks too. For example, a firewall might filter out DEBUG messages sent to sendmail, just in case anyone is still running a ten year old version of sendmail! Or a firewall could filter out URLs longer than the maximum allowed, to prevent a buffer overrun attack against web servers. I know that some firewalls protect against some of these attacks, but I wouldn't rely on a firewall to prevent all of these attacks. Joe Yao, Crispin Cowan, and Steve Bellovin explained the issues in this area nicely. In particular, Crispin's StackGuard would be a good solution to this problem.

With respect to the second question, firewalls may be as vulnerable as other hosts. As Marcus points out, "buffer overruns in proxy firewalls can be pretty lethal". We recently used software wrappers to constrain the behavior of application proxies on Gauntlet; the result was that buffer overrun attacks were more limited. (I won't say they were impossible; I know better than that :-) I have a paper in preparation on this topic...

So.... which question was being asked? The answer is still "it depends", but the factors are different :-)

--Jeremy Epstein, NAI Labs
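The two proxy-level checks Jeremy mentions (dropping over-long request lines aimed at a web server, and dropping the sendmail DEBUG command) as an added example that is not part of the original thread; the 1024-byte limit and the sample traffic are constructed assumptions, and this is filter logic only, not a working proxy.

```python
# Added illustration: application-layer sanity checks of the kind a proxy firewall
# can apply before forwarding. Constructed sample lines are embedded below.
from typing import List, Tuple

MAX_REQUEST_LINE = 1024          # assumed limit; set it from the real server's maximum
BLOCKED_SMTP_COMMANDS = {"DEBUG"}  # the sendmail DEBUG command named in the thread


def check_http_request_line(line: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason) for one raw HTTP request line."""
    if len(line) > MAX_REQUEST_LINE:
        return False, f"request line of {len(line)} bytes exceeds {MAX_REQUEST_LINE}"
    parts = line.rstrip(b"\r\n").split(b" ")
    # A request line is exactly METHOD SP TARGET SP VERSION; anything else is refused.
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return False, "malformed request line"
    return True, "ok"


def check_smtp_command(line: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason) for one SMTP command line from the client."""
    verb = line.strip().split(b" ", 1)[0].upper().decode("ascii", "replace")
    if verb in BLOCKED_SMTP_COMMANDS:
        return False, f"blocked SMTP command {verb}"
    return True, "ok"


def filter_traffic(http_lines: List[bytes], smtp_lines: List[bytes]) -> List[str]:
    """Run both checks over sample traffic and return the lines that would be dropped."""
    dropped = []
    for line in http_lines:
        ok, why = check_http_request_line(line)
        if not ok:
            dropped.append(f"HTTP: {why}")
    for line in smtp_lines:
        ok, why = check_smtp_command(line)
        if not ok:
            dropped.append(f"SMTP: {why}")
    return dropped


# Constructed sample traffic: one normal request, one oversized request line,
# one normal SMTP greeting and one DEBUG command.
SAMPLE_HTTP = [b"GET /index.html HTTP/1.0\r\n", b"GET /" + b"A" * 2000 + b" HTTP/1.0\r\n"]
SAMPLE_SMTP = [b"HELO client.example\r\n", b"debug\r\n"]

if __name__ == "__main__":
    for verdict in filter_traffic(SAMPLE_HTTP, SAMPLE_SMTP):
        print(verdict)
```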



This archive was generated by hypermail 2b27 : Tue Dec 21 1999 - 17:02:31 CST