Firewall Wizards mailing list archives
Re: HTTP in practice
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Mon, 22 Sep 1997 21:53:48 +0000
A) In the "real" world, how often am I likely to encounter firewalls/proxies doing 1), 2), or 3)?
Fairly often but it'll be unpredictable. My guess is that companies with networks large enough that they have dedicated security staff will also have a higher likelihood of blockage. Companies with small networks and no full-time admins generally aren't as careful.
B) Based on the sketchy information, could I be missing other possible sources of blockage?
You *might* have a proxy that mangles your data even if it lets it through. Some proxies look for "bad URLs" and possible attack signatures -- and might choose to "fix" things, thereby making your life miserable.
C) What sort of configurable options are likely to be selected in A) or B) that might allow more specificity to prevent impact? (e.g., Traffic from specific servers, etc.)
I dunno. :( You could do something like encode your data in a "harmless" encoding that the firewall won't look into. The preceding was a joke. <------------- Seriously, though, active content is *coming* and the firewall model isn't going to survive it unless firewall builders can come up with a better answer than "you can't do that!"
D) On a survivability in hell scale, where 1 represents a snowball, and 10 represents Satan himself, where do things likely stand when it comes to getting configuration changed? (Where, understandably, I am loath to change the settings on my firewall, to be sure.)
I'd guess it's about 50/50 -- depends how COOL your application is!! I noticed a lot of folks "fixed" their firewalls for real audio pretty quick. It seems to me that these decisions become market-driven, not security driven. Which says something unclear but important about the state of security and the likelihood of a rosy future.
E) Expecting a decent portion of firewall administrators to be like those I mentioned above, how restrictive are most commercial firewall products out-of-the-box? (i.e., Is my feeling that 3) should be blocked by default the reality?)
I'd guess that most commercial firewalls, out of the box, won't block Java/ActiveX unless you tell them to. That may be a wrong guess, though.
F) Am I safe in assuming that proxies are the most likely candidate for problems? (Over, say, Firewall-1 and its ilk?)
Safe bet. The reason is not really anything to do with the design and implementation difference between proxy firewalls and traffic inspection firewalls -- it's more to do with the mindsets of the people who build the different types, and the people who buy the different types.

mjr.
-----
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
Personal: http://www.clark.net/pub/mjr
Work: http://www.nfr.net
New Book!!: http://www.clark.net/pub/mjr/websec