Firewall Wizards mailing list archives
RE: IIS buffer overflows and firewalls
From: "Michael D. Nickle" <nickle10 () home com>
Date: Thu, 24 May 2001 12:15:19 -0600
-----BEGIN PGP SIGNED MESSAGE----- This really goes back to something that my dad used to say to me all time, "Measure twice and cut once". Except that in our case it should be bound and context check twice, apply one. Getting back to your question though Rick, I'm not so sure that the firewall is the proper place to make these checks. There is a multitude of different web server and web application server products out there. If we looked at all of the various combinations we'd see that one app combos buffer overflow is anothers acceptable URL. We'd also find quite a few sites that have various brands o' web server behind the same firewall which further complicates the rule base. This is where an application input validator like the Sanctum or pelican would be very helpful. They can also protect from PUT and POST method based attacks. Of course some filtering at the firewall layer might not be a bad idea. How many sites have actually implemented the CONNECT method? TRACE? - -----Original Message----- From: firewall-wizards-admin () nfr com [mailto:firewall-wizards-admin () nfr com]On Behalf Of Rick Smith at Secure Computing Sent: Friday, May 04, 2001 1:54 PM To: firewall-wizards () nfr net Subject: [fw-wiz] IIS buffer overflows and firewalls Here at SCC there's been talk about the MS bulletin 01-023 that describes the buffer overflow in IIS on Win2K platforms. Here's the MSoft URL: http://www.microsoft.com/technet/security/bulletin/MS01-023.asp Given that you can configure web proxies on Sidewinder, and presumably on other full-function firewalls, to enforce a length limit on URLs passed through HTTP, one should be able to block this particular attack at the firewall. On the other hand, this implements a somewhat arbitrary restriction on the size of URLs which, if the MS software is ever fixed to handle longer ones, might interfere with future web applications. Since the restriction is implemented in the firewall, it will be difficult (impossible?) for developers to discover that the site has implemented a restriction on URL size. They probably wouldn't find out until they try running applications from behind the firewall. Is there a consensus view on the impact of this type of firewall filtering with respect to the site's Internet applications? While it clearly can serve a "security" purpose, it's different from the more conventional rules that developers encounter -- restrictions on ports, mostly. How would developers discover that such restrictions exist, or must they wait till they run live tests through the firewall? Any thoughts? Rick. smith () securecomputing com _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com> iQCVAwUBOw1Pt1BcQyanG24lAQGyNQP/auMRWRIOepgT7m/HHgazVXGH3XyDuQf2 bYCA2peaNrdb+jLYVuYNz3qIvGZI5+Zz4FKtYKjS7LbpOjK0k6fkrf/vdDm7ztpX eqeQ7B0AHCxPj9rQWrIILdB7VM+CozZA6+cYSNZ0hgjVervYrOPzudUZSVtjE5tM ho3+2cEgQj8= =z8Fw -----END PGP SIGNATURE----- _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- IIS buffer overflows and firewalls Joseph Steinberg (May 11)
- <Possible follow-ups>
- RE: IIS buffer overflows and firewalls Michael D. Nickle (May 25)