Tuesday, August 28, 2007

firewall-wizards Digest, Vol 16, Issue 18

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: IPv6 support in firewalls (ArkanoiD)
2. Re: IPS Content filtering techniques (Skough Axel U/IT-S)


----------------------------------------------------------------------

Message: 1
Date: Tue, 28 Aug 2007 02:21:27 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20070827222127.GA10416@eltex.net>
Content-Type: text/plain; charset=us-ascii

Well, i do see quite often. The rules are simple:
1) use windows update
2) don't run attachments (well, windows users habit of running
attachments is just ridiculous - WHY they do?)
3) don't watch pr0n (even if you do 1 and 2 you still can get 0wned via
0-day exploit - but very unlikely if you do not watch pr0n ;-)

On Mon, Aug 27, 2007 at 04:50:37PM -0400, Paul D. Robertson wrote:
>
> Yes, and *anyone* who's done any sampling of home PCs recently will
> understand that. I can't remember the last time I saw a clean MS-based
> home system.
>

------------------------------

Message: 2
Date: Tue, 28 Aug 2007 08:15:30 +0200
From: "Skough Axel U/IT-S" <axel.skough@scb.se>
Subject: Re: [fw-wiz] IPS Content filtering techniques
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>, "Firewall Wizards Security
Mailing List" <firewall-wizards@listserv.cybertrust.com>
Cc: Panahi Behzad U/IT-S <behzad.panahi@scb.se>
Message-ID: <7D5607434F895540B2A717820399633D5B4DD2@exs13.scb.intra>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

It is because some systems send informative responses indicating redirects (permanent or temporarily), HTTP code 301 or 302.

The ways these redirects are created vary strongly, sometimes a data buffer is given, but not always. The rediection directive is present in a HTTP header statement indicating alternate location.

Some implementations omits declaring the data buffer content as none is present, thus the content is left unknown. A content-filtering firewall therefore doesn't allow a HTTP packet with unknown data to pass - this is correct - BUT should be able to allow HTT packets with no data, i e, Content-Length: 0. In this situation the Content-Type argument can be properly excluded as stated in the RFC 2616 and we cannot therefore encourage the opinion that there should be some error in such a packet from its vendor!

Best regards,

Axel

________________________________

From: firewall-wizards-bounces@listserv.icsalabs.com on behalf of ArkanoiD
Sent: Thu 2007-08-23 00:47
To: Firewall Wizards Security Mailing List
Cc: Panahi Behzad U/IT-S
Subject: Re: [fw-wiz] IPS Content filtering techniques

Well, what's the purpose of getting those null data through?
Why do you need it?

On Wed, Aug 15, 2007 at 03:35:24PM +0200, Skough Axel U/IT-S wrote:
>
> Does really nobody know anything about a Web proxy product filtering on MIME Content-Type setting and capable to omit this check when the MIME Content-Length setting in force appears to be zero? The RFC 2616 states that the Content-Type header statement can be omitted in this situation and, indeed, it has no meaning as the data section is declared to be of length zero.
>
> Otherwise the data section should of course be in general be assumed to be of type "application/octet-stream" but when no data section is present it is obviously no problem in bypassing the Content-Type check! Thus, there are no data to prevent entering for in this situation, but the packet in force may have othre meanings such as redirect etc.
>
> I would appreciate any comments in this matter!

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 16, Issue 18
************************************************

No comments:

Post a Comment