Firewall Wizards mailing list archives
Re: Protecting publicly reacheable servers (e.g. HTTP)?
From: ark () eltex ru
Date: Mon, 26 Nov 2001 15:10:39 +0300
nuqneH,

So the answer is "it is almost impossible, though some commercial applications claim to do that". I intentionally left signature-based known-attack prevention aside because it is not the proper way and it seems to be easy to bypass in most cases.

I've found no details on how Sanctum's proxy works, and rWeb configuration seems to be pretty complicated - there is no whitepaper describing the general design philosophy, but if I get things correctly it allows "manual" configuration, where you describe what is allowed and what is not, and "automatic", where you parse the HTTP server log file and create some heuristics-based rules.

So how should the reverse proxy work?

1) "Standardize" the request. Bring it to some certain form - convert all quoting/encoding types to one (or one of a few), drop unknown headers, check that known ones have correct syntax.

2) Analyze the request. What can we do here dealing with unknown attacks? Directory traversal - how do we distinguish pretty legal directory traversal (../../picture.jpg) from a malicious one? Limit depth or something? That's not enough, I think; we need a different approach. Application-specific bugs like those IIS bugs - most are prevented at step 1, but what about those that are not? Generic CGI, PHP etc. bugs, SQL insertion, etc. etc. - can we categorize them to develop some heuristics that will fit future ones? Does the log analysis approach like rWeb implements (?) provide good results? Can we sort out that "our server provides static content from directories x, y, z and has scripts a and b that take argument c (numeric) and d (string no longer than n and containing no non-alphanumeric characters)" and enforce that on the proxy?

Will all of the above work together well enough to prevent, say, 70..85% of future yet-unknown attacks? That's quite a reasonable rate for a tool to exist -- the proper way for preventing known attacks is to fix the application software ;)

CU in Hell
/Arkan#iD

Do I believe in the Bible? Hell, man, I've seen one!
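The two-step proxy the post sketches (one decoding pass with double-encoded and overlong input rejected, the path resolved and then checked against known roots instead of a traversal depth limit, unknown headers dropped, and scripts accepted only with their declared, typed arguments), as an added worked example that is not from the post or from any product it names. The site layout, script names, parameter types, allowed methods and the KNOWN_HEADERS set are assumptions chosen for illustration, and the sample requests are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical site policy, the kind the post proposes deriving from the
# server's own layout: static roots, and scripts with typed parameters.
STATIC_ROOTS = ("/images/", "/css/", "/docs/")
STATIC_EXT = {".jpg", ".png", ".gif", ".css", ".html", ".txt"}
SCRIPTS = {
    "/cgi-bin/show.cgi": {"id": re.compile(r"[0-9]{1,10}")},        # argument c: numeric
    "/cgi-bin/search.cgi": {"q": re.compile(r"[A-Za-z0-9]{1,32}")},  # argument d: alnum, len <= n
}
ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
KNOWN_HEADERS = {"host", "user-agent", "accept", "accept-encoding",
                 "accept-language", "connection", "referer", "if-modified-since"}
PRINTABLE = re.compile(r"[\x20-\x7e]*")


class Reject(Exception):
    """Raised with the reason a request fails the positive model."""


def decode_once(s):
    """Step 1: exactly one percent-decoding pass, no guessing about the rest.

    A '%' left after decoding means double encoding; a non-ASCII character after
    decoding came from a multibyte or overlong sequence (bytes are decoded as
    UTF-8 with invalid sequences replaced); both are rejected outright.
    """
    dec = unquote(s, errors="replace")
    if "%" in dec:
        raise Reject("double-encoded input")
    if not dec.isascii() or "\x00" in dec:
        raise Reject("non-ASCII or NUL after decoding")
    return dec


def canonical_path(raw_path):
    """Resolve '.' and '..' against '/' first; the *result* is judged later.

    No depth limit: '/images/a/../b.jpg' resolves inside an allowed root and
    passes, '/images/../../etc/passwd' resolves to '/etc/passwd' and fails.
    """
    path = decode_once(raw_path)
    if "\\" in path or not path.startswith("/"):
        raise Reject("path must be absolute and use '/' separators")
    path = re.sub(r"/+", "/", path)
    return posixpath.normpath(path)  # '..' cannot climb above '/'


def check_static(path):
    """Static content: resolved path must sit under a known root with a known extension."""
    root_ok = any(path.startswith(root) for root in STATIC_ROOTS)
    ext_ok = posixpath.splitext(path)[1].lower() in STATIC_EXT
    if not (root_ok and ext_ok):
        raise Reject("static path outside allowed roots or extension")


def check_params(script, query):
    """Scripts: every parameter must be declared and match its type; nothing else passes."""
    spec = SCRIPTS[script]
    seen = {}
    for pair in (query.split("&") if query else []):
        key, _, val = pair.partition("=")
        key, val = decode_once(key), decode_once(val)
        if key not in spec or key in seen:
            raise Reject(f"unexpected or repeated parameter {key!r}")
        if not spec[key].fullmatch(val):
            raise Reject(f"parameter {key!r} fails its type check")
        seen[key] = val
    missing = set(spec) - set(seen)
    if missing:
        raise Reject(f"missing parameter(s) {sorted(missing)}")
    return seen


def check_headers(lines):
    """Keep known headers whose values are printable ASCII; silently drop unknown ones."""
    kept = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise Reject("malformed header line")
        name, value = name.strip().lower(), value.strip()
        if name not in KNOWN_HEADERS:
            continue
        if not PRINTABLE.fullmatch(value):
            raise Reject(f"bad characters in header {name!r}")
        kept[name] = value
    if "host" not in kept:
        raise Reject("Host header required")
    return kept


def filter_request(raw):
    """Return the normalized request the proxy would forward, or the rejection reason."""
    try:
        head, *header_lines = raw.split("\r\n")
        parts = head.split(" ")
        if len(parts) != 3:
            raise Reject("malformed request line")
        method, target, version = parts
        if method not in ALLOWED_METHODS or version not in ALLOWED_VERSIONS:
            raise Reject("method or version not allowed")
        raw_path, _, query = target.partition("?")
        path = canonical_path(raw_path)
        if path in SCRIPTS:
            params = check_params(path, query)
        else:
            if query:
                raise Reject("query string on a static resource")
            check_static(path)
            params = {}
        headers = check_headers([h for h in header_lines if h])
        return {"ok": True, "method": method, "path": path,
                "params": params, "headers": headers}
    except Reject as exc:
        return {"ok": False, "reason": str(exc)}
```

The point of the design is that nothing is matched against an attack pattern: a request is either an instance of something the site is known to serve, with arguments of the declared shape, or it is dropped. That is also its cost, since every new script or parameter has to be added to SCRIPTS before the proxy will let it through, which is the same trade-off the "manual" versus "automatic" (log-derived) configuration in the post is about.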
Current thread:
- Re: Protecting publicly reacheable servers (e.g. HTTP)?, (continued)
- Re: Protecting publicly reacheable servers (e.g. HTTP)? Emmanuel Adeline (Nov 25)
- Re: Protecting publicly reacheable servers (e.g. HTTP)? Marcus J. Ranum (Nov 25)
- Re: Protecting publicly reacheable servers (e.g. HTTP)? Adam Shostack (Nov 26)
- Re: Protecting publicly reacheable servers (e.g. HTTP)? Stephen P. Berry (Nov 27)
- Re: Protecting publicly reacheable servers (e.g. HTTP)? Predrag Zivic (Nov 25)
- Re: Protecting publicly reacheable servers (e.g. HTTP)? Frederick M Avolio (Nov 25)
- RE: Protecting publicly reacheable servers (e.g. HTTP)? Jason Lewis (Nov 27)
- Re: Protecting publicly reacheable servers (e.g. HTTP)? Steven M. Bellovin (Nov 25)
- Re: Protecting publicly reacheable servers (e.g. HTTP)? Yehavi Bourvine +972-2-6585684 (Nov 25)
- Re: Protecting publicly reacheable servers (e.g. HTTP)? Stephane Nasdrovisky (Nov 25)
- Re: Protecting publicly reacheable servers (e.g. HTTP)? ark (Nov 26)
- Re: Protecting publicly reacheable servers (e.g. HTTP)? TDyson (Nov 26)
- Re: Protecting publicly reacheable servers (e.g. HTTP)? Steven M. Bellovin (Nov 26)