Wednesday, August 29, 2007

firewall-wizards Digest, Vol 16, Issue 19

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: IPS Content filtering techniques (ArkanoiD)
2. Re: IPv6 support in firewalls (Darren.Reed@Sun.COM)
3. Re: IPv6 support in firewalls (Jim Seymour)


----------------------------------------------------------------------

Message: 1
Date: Wed, 29 Aug 2007 01:39:27 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] IPS Content filtering techniques
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Cc: Panahi Behzad U/IT-S <behzad.panahi@scb.se>
Message-ID: <20070828213927.GA27791@eltex.net>
Content-Type: text/plain; charset=us-ascii

But why does the redirect have some content-type
other than text/html?

Well, I can fix my code by simply making the content-type check conditional
on the existence of the response body. Is it ok for you?

On Tue, Aug 28, 2007 at 08:15:30AM +0200, Skough Axel U/IT-S wrote:
>
> It is because some systems send informative responses indicating redirects (permanent or temporary), HTTP code 301 or 302.
>
> The ways these redirects are created vary strongly; sometimes a data buffer is given, but not always. The redirection directive is present in an HTTP header statement indicating an alternate location.
>
> Some implementations omit declaring the data buffer content as none is present, thus the content is left unknown. A content-filtering firewall therefore doesn't allow an HTTP packet with unknown data to pass - this is correct - BUT should be able to allow HTTP packets with no data, i.e., Content-Length: 0. In this situation the Content-Type argument can be properly excluded as stated in RFC 2616 and we cannot therefore encourage the opinion that there should be some error in such a packet from its vendor!
>
> Best regards,
>
> Axel
>
> ________________________________
>
> From: firewall-wizards-bounces@listserv.icsalabs.com on behalf of ArkanoiD
> Sent: Thu 2007-08-23 00:47
> To: Firewall Wizards Security Mailing List
> Cc: Panahi Behzad U/IT-S
> Subject: Re: [fw-wiz] IPS Content filtering techniques
>
>
>
> Well, what's the purpose of getting those null data through?
> Why do you need it?
>
> On Wed, Aug 15, 2007 at 03:35:24PM +0200, Skough Axel U/IT-S wrote:
> >
> > Does really nobody know anything about a Web proxy product filtering on the MIME Content-Type setting and capable of omitting this check when the MIME Content-Length setting in force appears to be zero? RFC 2616 states that the Content-Type header statement can be omitted in this situation and, indeed, it has no meaning as the data section is declared to be of length zero.
> >
> > Otherwise the data section should of course in general be assumed to be of type "application/octet-stream", but when no data section is present there is obviously no problem in bypassing the Content-Type check! Thus, there are no data to prevent from entering in this situation, but the packet in force may have other meanings such as redirect etc.
> >
> > I would appreciate any comments in this matter!
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
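The fix ArkanoiD describes, written out as an added example (not code from the thread or from any product): a proxy-side decision that applies the Content-Type allowlist only when the response declares a body, so a Content-Length: 0 redirect with no Content-Type passes, while a body with no declared type falls back to application/octet-stream and is judged by the allowlist. The allowlist and the sample response heads are assumptions constructed for illustration.

```python
# Content-Type gate for a filtering proxy: check only when a body exists.
# Constructed example for this thread, not any product's or poster's code;
# the allowlist and sample responses are assumptions made up for illustration.
from typing import Dict, Tuple

ALLOWED_TYPES = {"text/html", "text/plain", "image/png", "image/jpeg"}  # assumed policy
BODYLESS_STATUS = {204, 304}  # never carry a body, whatever the headers say

# Constructed sample response heads (headers only; no body bytes follow).
REDIRECT_NO_BODY = (b"HTTP/1.1 302 Found\r\nLocation: http://example.invalid/\r\n"
                    b"Content-Length: 0\r\n\r\n")
REDIRECT_UNTYPED_BODY = (b"HTTP/1.1 301 Moved Permanently\r\nLocation: http://example.invalid/\r\n"
                         b"Content-Length: 12\r\n\r\n")
HTML_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
             b"Content-Length: 5\r\n\r\n")

def parse_response_head(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status code, lower-cased header map) from an HTTP/1.x head."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers

def has_body(status: int, headers: Dict[str, str]) -> bool:
    """True unless the response provably carries no data."""
    if status in BODYLESS_STATUS or 100 <= status < 200:
        return False
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return True
    length = headers.get("content-length")
    if length is None or not length.isdigit():
        return True  # unknown or malformed length: assume data may follow
    return int(length) > 0

def should_forward(raw_head: bytes) -> Tuple[bool, str]:
    """Pass bodiless responses unchecked; otherwise enforce the type allowlist."""
    status, headers = parse_response_head(raw_head)
    if not has_body(status, headers):
        # A Content-Length: 0 redirect may legitimately omit Content-Type.
        return True, "no body; Content-Type check skipped"
    # A body with no declared type is treated as application/octet-stream.
    ctype = headers.get("content-type", "application/octet-stream")
    media = ctype.split(";", 1)[0].strip().lower()
    if media in ALLOWED_TYPES:
        return True, "allowed type " + media
    return False, "blocked type " + media
```

Note that a missing Content-Length is deliberately treated as "body may follow" (delimited by connection close), so only an explicit zero length or a bodiless status code skips the check.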

------------------------------

Message: 2
Date: Tue, 28 Aug 2007 13:16:20 -0700
From: Darren.Reed@Sun.COM
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: ark@eltex.net
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <46D48294.9020205@Sun.COM>
Content-Type: text/plain; format=flowed; charset=us-ascii

ArkanoiD wrote:

>Well, I do see quite often. The rules are simple:
>1) use Windows Update
>2) don't run attachments (well, Windows users' habit of running
>attachments is just ridiculous - WHY do they?)
>3) don't watch pr0n (even if you do 1 and 2 you still can get 0wned via
>0-day exploit - but very unlikely if you do not watch pr0n ;-)
>
>

Disabling Java, ActiveX and JavaScript goes a long way to defeating
most things that attack Windows boxen.

Downside is you might as well be using lynx to browse the web!

>On Mon, Aug 27, 2007 at 04:50:37PM -0400, Paul D. Robertson wrote:
>
>
>>Yes, and *anyone* who's done any sampling of home PCs recently will
>>understand that. I can't remember the last time I saw a clean MS-based
>>home system.

------------------------------

Message: 3
Date: Wed, 29 Aug 2007 08:44:57 -0400 (EDT)
From: jseymour@linxnet.com (Jim Seymour)
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <20070829124457.0B2F6E158@jimsun.linxnet.com>


Darren.Reed@Sun.COM wrote:
>
[snip]
>
> Disabling Java, ActiveX and JavaScript goes a long way to defeating
> most things that attack Windows boxen.

And not running MSIE.

>
> downside is you might as well be using lynx to browse the web!

Of the three: The only one of those the lack of which would *generally*
be fairly crippling is JavaScript, IME. We have a few
business-partner/commercial sites that use Java. We have a total of
two (I think) sites that require ActiveX. (Interestingly: These two,
in particular, are financially-oriented sites, operated by major
financial institutions, and *require* that one basically defeat what
few protections there are, configuration-wise, in MSIE. There is no
wonder in my mind how and why businesses are routinely 0wn3d.)

We block ActiveX via HTTP at the web proxies. The two sites we must
use that require it are HTTPS URLs.

To this day, it boggles my mind that businesses routinely/regularly
allow ActiveTrojan through their firewalls. Almost might as well not
*have* a firewall, if you're going to allow that kind of thing, IMO.

Paul mentioned not having seen a single residential MS-Win box that
wasn't compromised. I can show you one, Paul. And it's only SP1, to
boot. Thing is: On arrival, the first thing to go was MSOE (replaced
by Pegasus, at the time). MSIE was immediately defanged (for as much
good as that does--just because you tell MSIE "don't do this," doesn't
mean it won't, turns out), and installed Mozilla. PeeCee is behind a
packet-filtering NAT'd router, w/both ingress and egress rules. Wife
was instructed on safe computing. I trust that 'doze box *almost* as
much as I do my Solaris box ;).

Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/contact/scform.php>.


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 16, Issue 19
************************************************
