Firewall Wizards mailing list archives
Re: Protecting publicly reachable servers (e.g. HTTP)?
From: "Steven M. Bellovin" <smb () research att com>
Date: Mon, 26 Nov 2001 02:08:47 -0500
In message <5.1.0.14.2.20011125224934.009f56d0@localhost>, "Marcus J. Ranum" writes:

> ark () eltex ru wrote:
>> I am still trying to figure out how to prevent data-driven attacks on proxy level.
>
> I don't think it can be done. The only chance is to be super restrictive in what you accept - to the point of accepting nothing. If you do that, you generally defeat your objectives if you're trying to actually exchange information with someone. :(
More precisely, you can filter out known bad things, and try to figure out what the right set of good things is that you want to allow in. But that latter is very hard -- you don't know all the squirrelly parts of the spec that are legal but will break your applications, you don't know the nominally-illegal things that are accepted -- and used -- anyway, you don't know what will break in the next release of the application when the vendor releases a wonderful new bug^H^H^Hfeature, and -- most important -- you have no assurance that you're going to do a better job parsing arbitrarily strange input than the real applications do. After all, no one sets out to write a bad parser. The only thing you have going for you is that you *know* there are security dangers out there. That's a non-trivial piece of knowledge, but the task ahead of you is still extremely hard, and bordering on the impossible.

--Steve Bellovin, http://www.research.att.com/~smb
Full text of "Firewalls" book now at http://www.wilyhacker.com
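The two approaches Bellovin contrasts (filtering out known-bad input versus admitting only a known-good set) can be shown side by side on HTTP request lines at a proxy. The following is an added illustration, not code from the thread or from any of its participants; the sample request lines, the deny patterns and the allow-list grammar are all constructed for this example and are deliberately simple. It shows the deny list missing an encoded variant of a pattern it catches in plain form, and the strict allow list rejecting a request-line form that is legal per the HTTP/1.1 spec (absolute URI in the request line) and one that is nominally illegal but commonly tolerated by real servers (lowercase method), which is exactly the breakage the message warns about.

```python
import re

# Constructed sample request lines (not taken from the thread).
SAMPLES = {
    "plain":     b"GET /index.html HTTP/1.1",
    "traversal": b"GET /../etc/passwd HTTP/1.1",
    "encoded":   b"GET /%2e%2e/etc/passwd HTTP/1.1",      # same thing, percent-encoded
    "absolute":  b"GET http://www.example.com/ HTTP/1.1",  # legal absolute-URI form
    "lowercase": b"get /index.html HTTP/1.1",              # illegal, often accepted anyway
}

# Deny list: a handful of "known bad" byte patterns (constructed, not exhaustive).
DENY_PATTERNS = [rb"\.\./", rb"<script", rb"\x00"]

def deny_list_check(line: bytes) -> bool:
    """Known-bad filter. Returns True ('allow') when no pattern matches."""
    return not any(re.search(p, line) for p in DENY_PATTERNS)

# Allow list: a narrow grammar for the request line. The path character set
# excludes '%', so there is no decoding step in which a check could be bypassed;
# the price is that anything outside this grammar, legal or not, is refused.
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (/[A-Za-z0-9._~/-]*) HTTP/1\.[01]$")

def allow_list_check(line: bytes) -> bool:
    """Known-good filter. Returns True only for request lines in the grammar."""
    m = REQUEST_LINE.match(line)
    if not m:
        return False
    method, path = m.groups()
    if method not in ALLOWED_METHODS:
        return False
    # Reject any '..' path segment outright rather than trying to resolve it.
    if b".." in path.split(b"/"):
        return False
    return True

def classify(line: bytes) -> dict:
    """Run both filters on one request line and report each verdict."""
    return {"deny_list": deny_list_check(line), "allow_list": allow_list_check(line)}

def run_samples() -> dict:
    """Verdicts for every constructed sample, keyed by sample name."""
    return {name: classify(line) for name, line in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:10s} deny_list={verdict['deny_list']!s:5s} allow_list={verdict['allow_list']}")
```

Reading the output: the deny list passes the percent-encoded traversal because its pattern only knows the literal form, while the allow list refuses it simply because `%` is not in its grammar. The same strictness makes the allow list refuse the absolute-URI request line and the lowercase method, both of which ordinary servers handle, so a proxy built this way must be tuned against the real traffic it is meant to carry, and that tuning is the hard part the message describes.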