Firewall Wizards mailing list archives

Re: Protecting publicly reachable servers (e.g. HTTP)?


From: ark () eltex ru
Date: Sat, 24 Nov 2001 15:00:10 +0300 (MSK)

nuqneH,

I am still trying to figure out how to prevent data-driven attacks
on proxy level.

I have a quite good set of application proxies that do stop protocol-driven
attacks like lpd or pop3 exploits so it adds some extra protection to
those servers but that does not work for http, where all attacks (or nearly so)
do fit the protocol. Some extra heuristics are required - do you people have
any ideas and suggestions?

YOU (Patrick M. Hausen) WROTE:
 
 Dear fellow wizards,
 
 Yesterday we got into a small internal arguement about
 wether protecting publicly reachable servers with
 currently available firewall products makes any sense
 or not.
 
 A large corporation asked for an offer for "housing" of
 a web and database server including hardware and software
 for the server itself and "firewall protection".
 The server is supposed to offer content to the public via
 HTTP.
 
 My reasoning has always been that - given the state of
 firewall products today - a static packet filter that
 blocks all but port 80 would be the most appropriate
 solution to offer some sort of protection to the server
 machine.
 
 Since all products I know of - even our beloved Gauntlet
 application level proxy - don't filter HTTP requests
 wrt extremely long URLs or other "malformed" stuff, that
 intends to cause a buffer overflow in the web application,
 I don't see any improvement by using a "firewall product"
 in place of the packet filter. Well, DoS attacks targeting the
 IP stack may be guarded against, but then one would try to
 DoS the firewall with the same result - application out
 of service.
 
 I hope most of you tend to agree with the above ;-)
 
 Anyway, all competitors offered the customer elaborate and
 expensive setups consisting of at least two redundant firewall
 boxes, two switches, and those nice looking drawings with
 a lot of crossing lines that give managers the warm fuzzy
 impression of "redundancy" and "fail safety".
 Probably most of them are offering Nokia or PIX, but we weren't
 given that much detail. ;-)
 
 
 So basically, I have two questions to you all:
 
 1. Do you agree with me wrt the firewall vs. packet filter topic?
    What's the intention of all these companies offering more complicated
    setups? Besides making money at the job, of course. I don't imply
    they are consciously trying to sell a big unnecessary something.
    They rather do think they sell something "good", IMHO.
    So, what's the point?
 
 2. In the last couple of years a new type of device coined "layer 4 switch"
    appeared and these things seem to have reached a certain level of
    maturity and market penetration. I'm talking about load balancing
    devices like e.g. Big IP.
 
    Since these things actually look inside the HTTP requests to provide
    (at least they claim to provide) session and cookie persistence and
    similar stuff when distributing the requests to a farm of servers
    - what do you think these boxes add to the security of the web
    servers they "load balance"? Some claim to protect against certain
    types of DoS attacks, too.
 
 
 Thanks for your comments,
 
 Patrick M. Hausen
 Technical Director
 -- 
 punkt.de GmbH         Internet - Dienstleistungen - Beratung
 Scheffelstr. 17 a     Tel. 0721 9109 -0 Fax: -100
 76135 Karlsruhe       http://punkt.de
 _______________________________________________
 firewall-wizards mailing list
 firewall-wizards () nfr com
 http://list.nfr.com/mailman/listinfo/firewall-wizards
 


-- 
                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
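As an added illustration of the kind of proxy-level heuristics the reply above asks for, here is a request-sanity check of the sort an HTTP application proxy could run before forwarding a request to the web server. This is example code written for this archive, not code from either poster, from Gauntlet or from any load balancer; the numeric limits, the method allow-list and the sample requests are all assumptions constructed for the example. It does not try to recognise specific exploits; it rejects what a public site never legitimately sends (multi-kilobyte URLs, non-printable bytes in the request line, malformed percent-escapes, oversized or malformed headers), which is where most overflow probes against HTTP servers of the period lived.

```python
"""Request-sanity heuristics an HTTP application proxy could apply.

Added example, not code from the mailing-list posters. The limits and the
method allow-list below are illustrative assumptions; tune them to what the
protected server actually needs.
"""
import re

MAX_REQUEST_LINE = 4096   # assumption: generous for real URLs, short for overflow probes
MAX_URI = 2048            # assumption
MAX_HEADER_LINE = 1024    # assumption
MAX_HEADERS = 64          # assumption
ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # assumption: what a public content site needs

# Printable ASCII only in the URI; percent-escapes must be two hex digits.
_URI_OK = re.compile(rb"^[\x21-\x7e]+$")
_BAD_ESCAPE = re.compile(rb"%(?![0-9A-Fa-f]{2})")
# RFC 2616 token characters for header field names.
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def check_request(raw: bytes):
    """Return (True, 'ok') if the request head fits the profile, else (False, reason)."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "no end of headers"
    lines = head.split(b"\r\n")
    request_line = lines[0]
    if len(request_line) > MAX_REQUEST_LINE:
        return False, "request line too long"
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return False, "malformed request line"
    method, uri, version = parts
    if method.decode("ascii", "replace") not in ALLOWED_METHODS:
        return False, "method not allowed"
    if version not in (b"HTTP/1.0", b"HTTP/1.1"):
        return False, "unsupported version"
    if len(uri) > MAX_URI:
        return False, "URI too long"
    if not _URI_OK.match(uri):
        return False, "non-printable or non-ASCII byte in URI"
    if _BAD_ESCAPE.search(uri):
        return False, "malformed percent-escape in URI"
    if not (uri.startswith(b"/") or uri.startswith(b"http://")):
        return False, "URI must be an absolute path or absolute URL"
    headers = lines[1:]
    if len(headers) > MAX_HEADERS:
        return False, "too many headers"
    seen_host = False
    for h in headers:
        if len(h) > MAX_HEADER_LINE:
            return False, "header line too long"
        name, colon, value = h.partition(b":")
        # Obsolete line folding (a leading space) is rejected here on purpose.
        if not colon or not _TOKEN.match(name):
            return False, "malformed header"
        if any(c < 0x20 and c != 0x09 for c in value) or 0x7F in value:
            return False, "control byte in header value"
        if name.lower() == b"host":
            seen_host = True
    if version == b"HTTP/1.1" and not seen_host:
        return False, "missing Host header"
    return True, "ok"


# Constructed sample requests (not captured traffic).
GOOD = (b"GET /index.html?id=42 HTTP/1.1\r\n"
        b"Host: www.example.com\r\nUser-Agent: test\r\n\r\n")
OVERLONG_URI = b"GET /" + b"A" * 3000 + b" HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
BINARY_URI = b"GET /cgi-bin/x?\x90\x90\xeb\x1f HTTP/1.0\r\nHost: h\r\n\r\n"
BAD_ESCAPE = b"GET /a%zz HTTP/1.0\r\nHost: h\r\n\r\n"
FAT_HEADER = b"GET / HTTP/1.1\r\nHost: h\r\nReferer: " + b"B" * 2000 + b"\r\n\r\n"
NO_HOST = b"GET / HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("good", GOOD), ("overlong", OVERLONG_URI), ("binary", BINARY_URI),
                       ("escape", BAD_ESCAPE), ("fat header", FAT_HEADER), ("no host", NO_HOST)]:
        print(label, check_request(req))
```

The check is deliberately strict: bare-LF line endings, folded headers and methods outside the allow-list are refused rather than normalised, because a proxy that forwards whatever it cannot parse gives the server behind it nothing the packet filter did not already give it. Whether that strictness is acceptable depends on the clients the site must serve, which is exactly the trade-off the thread is about.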

