Firewall Wizards mailing list archives
Active-content filtering (was RE: Buffer Overruns)
From: fernando_montenegro () hp com
Date: Tue, 21 Dec 1999 05:56:22 -0500
Hello!

One or two messages in this thread mentioned some firewalls' ability to filter out Java[script]|ActiveX from the HTTP stream. Considering the current scenario, where lots and lots of sites with valid, business-need content will use client-side scripting|code as fundamental for functionality (news/stock tickers, client-side input validation, etc...), how many people have actually used this feature of their firewalls in production environments where serving Web content for an internal population is part of the requirement? I would think the end user population would scream bloody murder if this kind of functionality was blocked indiscriminately at the firewall.

While a concept such as IE's "zones" looks interesting, relying on end users to decide which sites can be in the "trusted sites" zone can be dangerous. Which leads me to a few questions:

Can anyone comment on how far one can go with MS Proxy Server's "automatic browser configurations"? Does it just configure HTTP routing or can I "centralize" the zone configurations somehow?

Also, can anyone recommend products that offer an easier "centralized" configuration for IE zones, probably acting as proxy servers?

IMHO, we fall once again into the realm of multi-layered defenses, including:

- Adequate network-level compartmentalization, separating critical business servers from "general population" (client machines)
- Adequate security policies, reserving Internet access for business needs, etc..., backed up by usage reporting and such.
- Some form of host-level security mechanism deployed on internal desktops. A properly configured NT Workstation (or Linux client, for those so inclined) comes to mind, with adequate AV software, limited rights for the end user.

Overall, it seems that living with some degree of risk of an active-content-based security incident is part of the cost of doing business nowadays. As always, YMMV.

Ok, off the soapbox for now...

Cheers,
Fernando

--
Fernando da Silveira Montenegro
Hewlett-Packard Brasil
HP Consulting - IT Security
Al. Rio Negro, 750 - Alphaville
Barueri, SP - Brazil 06454-000
mailto:fernando_montenegro () hp com
voice: +55-11-7297-4351
#include <disclaimer.h>

-----Original Message-----
From: Jeremy_Epstein () NAI com [mailto:Jeremy_Epstein () NAI com]
Sent: Monday, 20 December 1999 14:10
To: firewall-wizards () lists nfr net
Cc: Jeremy_Epstein () NAI com
Subject: Re: Buffer Overruns

The answers to this question have been interesting, because those writing responses have interpreted the original question in two different ways. The first interpretation is "are vulnerabilities in hosts behind the firewall protected by the firewall itself". The second interpretation is "are firewalls *themselves* vulnerable to buffer overrun attacks". The answer to the first question is "it depends", and the answer to the second question is "it depends".

Firewalls may protect against some attacks against the hosts behind them, not just for buffer overruns but for other attacks too. For example, a firewall might filter out DEBUG messages sent to sendmail, just in case anyone is still running a ten year old version of sendmail! Or a firewall could filter out URLs longer than the maximum allowed, to prevent a buffer overrun attack against web servers. I know that some firewalls protect against some of these attacks, but I wouldn't rely on a firewall to prevent all of these attacks. Joe Yao, Crispin Cowan, and Steve Bellovin explained the issues in this area nicely. In particular, Crispin's StackGuard would be a good solution to this problem.

With respect to the second question, firewalls may be as vulnerable as other hosts. As Marcus points out, "buffer overruns in proxy firewalls can be pretty lethal". We recently used software wrappers to constrain the behavior of application proxies on Gauntlet; the result was that buffer overrun attacks were more limited. (I won't say they were impossible; I know better than that :-) I have a paper in preparation on this topic...

So.... which question was being asked? The answer is still "it depends", but the factors are different :-)

--Jeremy Epstein, NAI Labs
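An added sketch (editor's example, not code from the thread or from any product mentioned in it) of the two proxy-side policies the message discusses: a central "trusted sites" list deciding where active content is stripped, and an overlong-URL check of the kind Jeremy describes. The host list and the URL limit are constructed values.

```python
"""Proxy-side active-content and URL-length policy (added illustration)."""
import re
from typing import Tuple
from urllib.parse import urlsplit

# Constructed policy values: a centrally managed stand-in for the IE
# "trusted sites" zone, and a request-URL limit a proxy enforces so that
# overlong URLs never reach the origin web server.
TRUSTED_HOSTS = {"intranet.example.com", "quotes.example.net"}
MAX_URL_LEN = 2048

# Elements carrying script, ActiveX, plug-in or Java applet content.
_ACTIVE_TAGS = re.compile(
    r"<\s*(script|object|embed|applet)\b.*?<\s*/\s*\1\s*>"   # paired element
    r"|<\s*(script|object|embed|applet)\b[^>]*/?>",           # lone/unclosed tag
    re.IGNORECASE | re.DOTALL,
)


def check_request_line(line: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a proxy-style request line such as
    'GET http://host/path HTTP/1.0'."""
    parts = line.split()
    if len(parts) != 3:
        return False, "malformed request line"
    _method, url, _version = parts
    if len(url) > MAX_URL_LEN:
        return False, "URL length %d exceeds %d" % (len(url), MAX_URL_LEN)
    return True, "ok"


def is_trusted(url: str) -> bool:
    """True when the URL's host is in the centrally managed trusted zone."""
    return (urlsplit(url).hostname or "").lower() in TRUSTED_HOSTS


def filter_response(url: str, html: str) -> str:
    """Pass responses from trusted hosts through untouched; strip active
    content from everything else, so business sites keep their tickers and
    client-side validation while unknown sites do not run code."""
    if is_trusted(url):
        return html
    return _ACTIVE_TAGS.sub("", html)
```

The trade-off Fernando raises shows up directly: every host left off TRUSTED_HOSTS loses its scripting, so the list has to be maintained centrally rather than by each end user.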
Current thread:
- Active-content filtering (was RE: Buffer Overruns) fernando_montenegro (Dec 21)
- Re: Active-content filtering (was RE: Buffer Overruns) Crispin Cowan (Dec 22)
- Re: Active-content filtering (was RE: Buffer Overruns) David Lang (Dec 23)
- Re: Active-content filtering (was RE: Buffer Overruns) Hazel A. Borg (Dec 24)
- Re: Active-content filtering (was RE: Buffer Overruns) Crispin Cowan (Dec 26)
- Re: Active-content filtering (was RE: Buffer Overruns) Joseph S D Yao (Dec 28)
- Re: Active-content filtering (was RE: Buffer Overruns) Neil Ratzlaff (Dec 22)
- <Possible follow-ups>
- RE: Active-content filtering (was RE: Buffer Overruns) fernando_montenegro (Dec 26)
- Re: Active-content filtering (was RE: Buffer Overruns) Crispin Cowan (Dec 26)
- Re: Active-content filtering (was RE: Buffer Overruns) Jody C. Patilla (Dec 28)
- Re: Active-content filtering (was RE: Buffer Overruns) Dorian Moore (Dec 30)
- Re: Active-content filtering (was RE: Buffer Overruns) Crispin Cowan (Dec 26)
- Re: Active-content filtering (was RE: Buffer Overruns) Crispin Cowan (Dec 22)