Firewall Wizards mailing list archives

Re: HTTP in practice


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Mon, 22 Sep 1997 21:53:48 +0000

A) In the "real" world, how often am I likely to encounter
firewalls/proxies doing 1), 2), or 3)?

Fairly often but it'll be unpredictable. My guess is that
companies with networks large enough that they have
dedicated security staff will also have a higher likelihood
of blockage. Companies with small networks and no
full-time admins generally aren't as careful.

B) Based on the sketchy information, could I be missing other possible
sources of blockage?

You *might* have a proxy that mangles your data even
if it lets it through. Some proxies look for "bad URLs" and
possible attack signatures -- and might choose to "fix"
things, thereby making your life miserable.

C) What sort of configurable options are likely to be selected in A) or B)
that might allow more specificity to prevent impact?  (e.g., Traffic from
specific servers, etc.)

I dunno. :( You could do something like encode your data
in a "harmless" encoding that the firewall won't look into.
The preceding was a joke. <-------------
Seriously, though, active content is *coming* and the
firewall model isn't going to survive it unless firewall
builders can come up with a better answer than "you
can't do that!"

D) On a survivability in hell scale, where 1 represents a snowball, and 10
represents Satan himself, where do things likely stand when it comes to
getting configuration changed? (Where, understandably, I am loath to
change the settings on my firewall, to be sure.)

I'd guess it's about 50/50 -- depends how COOL your
application is!! I noticed a lot of folks "fixed" their
firewalls for real audio pretty quick. It seems to me that
these decisions become market-driven, not security-
driven. Which says something unclear but important
about the state of security and the likelihood of a
rosy future.

E) Expecting a decent portion of firewall administrators to be like those I
mentioned above, how restrictive are most commercial firewall products
out-of-the-box?  (i.e., Is my feeling that 3) should be blocked by default
the reality?)

I'd guess that most commercial firewalls, out of the box,
won't block Java/ActiveX unless you tell them to. That may
be a wrong guess, though.

F) Am I safe in assuming that proxies are the most likely candidate for
problems?  (Over, say, Firewall-1 and its ilk?)

Safe bet.

The reason is not really anything to do with the design
and implementation difference between proxy firewalls
and traffic inspection firewalls -- it's more to do with the
mindsets of the people who build the different types, and
the people who buy the different types.

mjr.
-----
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
Personal: http://www.clark.net/pub/mjr
Work: http://www.nfr.net
New Book!!: http://www.clark.net/pub/mjr/websec


