Firewall Wizards mailing list archives

Active-content filtering (was RE: Buffer Overruns)


From: fernando_montenegro () hp com
Date: Tue, 21 Dec 1999 05:56:22 -0500

Hello!

One or two messages in this thread mentioned some firewalls' ability to filter 
out Java[script]|ActiveX from the HTTP stream. 

Considering the current scenario, where lots and lots of sites with valid, 
business-need content, will use client-side scripting|code as fundamental for 
functionality (news/stock tickers, client-side input validation, etc...), how 
many people have actually used this feature of their firewalls in production 
environments where serving Web content for an internal population is part of 
the requirement? I would think the end user population would scream bloody 
murder if this kind of functionality was blocked indiscriminately at the 
firewall.

While a concept such as IE's "zones" looks interesting, relying on end users to 
decide which sites can be in the "trusted sites" zone can be dangerous. Which 
leads me to a few questions: Can anyone comment on how far one can go with MS 
Proxy Server's "automatic browser configurations"? Does it just configure HTTP 
routing or can I "centralize" the zone configurations somehow? Also, can anyone 
recommend products that offer an easier "centralized" configuration for IE 
zones, probably acting as proxy servers?

IMHO, we fall once again into the realm of multi-layered defenses, including:
- Adequate network-level compartmentalization, separating critical business 
servers from "general population" (client machines)
- Adequate security policies, reserving Internet access for business needs, 
etc..., backed up by usage reporting and such.
- Some form of host-level security mechanism deployed on internal desktops. A 
properly configured NT Workstation (or Linux client, for those so inclined) 
comes to mind, with adequate AV software, limited rights for the end user.

Overall, it seems that living with some degree of risk of an 
active-content-based security incident is part of the cost of doing business 
nowadays. As always, YMMV.

Ok, off the soapbox for now...

Cheers,
Fernando
--
Fernando da Silveira Montenegro     Hewlett-Packard Brasil
HP Consulting - IT Security         Al. Rio Negro, 750 - Alphaville
mailto:fernando_montenegro () hp com   Barueri, SP - Brazil 06454-000
voice: +55-11-7297-4351             #include <disclaimer.h>


-----Original Message-----
From: Jeremy_Epstein () NAI com [mailto:Jeremy_Epstein () NAI com]
Sent: Monday, 20 December 1999 14:10
To: firewall-wizards () lists nfr net
Cc: Jeremy_Epstein () NAI com
Subject: Re: Buffer Overruns


The answers to this question have been interesting, because those writing
responses have interpreted the original question in two different ways.  The
first interpretation is "are vulnerabilities in hosts behind the firewall
protected by the firewall itself".  The second interpretation is "are
firewalls *themselves* vulnerable to buffer overrun attacks".

The answer to the first question is "it depends", and the answer to the
second question is "it depends".

Firewalls may protect against some attacks against the hosts behind them,
not just for buffer overruns but for other attacks too.  For example, a
firewall might filter out DEBUG messages sent to sendmail, just in case
anyone is still running a ten year old version of sendmail!  Or a firewall
could filter out URLs longer than the maximum allowed, to prevent a buffer
overrun attack against web servers.  I know that some firewalls protect
against some of these attacks, but I wouldn't rely on a firewall to prevent
all of these attacks.  Joe Yao, Crispin Cowan, and Steve Bellovin explained
the issues in this area nicely.  In particular, Crispin's StackGuard would
be a good solution to this problem.

With respect to the second question, firewalls may be as vulnerable as other
hosts.  As Marcus points out, "buffer overruns in proxy firewalls can be
pretty lethal".  We recently used software wrappers to constrain the
behavior of application proxies on Gauntlet; the result was that buffer
overrun attacks were more limited.  (I won't say they were impossible; I
know better than that :-)  I have a paper in preparation on this topic...

So.... which question was being asked?  The answer is still "it depends",
but the factors are different :-)

--Jeremy Epstein, NAI Labs
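As an added illustration (not code from either poster), the two HTTP-stream checks discussed in this thread, a request-URI length cap and a tag-level strip of script/applet/object/embed elements, in Python; MAX_URL_LEN and the sample requests are constructed here. The stripping is a heuristic on tag names and removes legitimate client-side code along with the rest, which is the usability cost the first message describes.

```python
import re

# Constructed cap for illustration; in practice set it to what the
# protected web server actually accepts.
MAX_URL_LEN = 1024

# Elements that carry client-side code: script, applet (Java),
# object/embed (ActiveX and plug-ins). Paired form first, then bare/self-closing.
ACTIVE_TAG_RE = re.compile(
    r"<(script|applet|object|embed)\b[^>]*>.*?</\1\s*>",
    re.IGNORECASE | re.DOTALL,
)
BARE_ACTIVE_TAG_RE = re.compile(
    r"<(?:script|applet|object|embed)\b[^>]*/?>", re.IGNORECASE
)


def check_request_line(line: str, max_url_len: int = MAX_URL_LEN) -> tuple:
    """Return (allowed, reason) for one HTTP request line.

    Rejects malformed request lines and request-URIs longer than
    max_url_len, i.e. the "URL longer than the maximum allowed" filter.
    """
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return False, "malformed request line"
    _method, url, _version = parts
    if len(url) > max_url_len:
        return False, "URL length %d exceeds %d" % (len(url), max_url_len)
    return True, "ok"


def strip_active_content(html: str) -> str:
    """Remove script/applet/object/embed elements from an HTML body.

    Tag-based only: it does not understand encodings, comments or
    malformed markup, so it is a coarse filter, not a parser.
    """
    html = ACTIVE_TAG_RE.sub("", html)
    return BARE_ACTIVE_TAG_RE.sub("", html)


if __name__ == "__main__":
    # Constructed samples: a normal request and an over-long URI.
    for req in ("GET /index.html HTTP/1.0", "GET /" + "A" * 2000 + " HTTP/1.0"):
        print(check_request_line(req))
    page = '<p>Ticker</p><script>run()</script><embed src="x.ocx">'
    print(strip_active_content(page))
```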
