Firewall Wizards mailing list archives

Re: Protecting publicly reachable servers (e.g. HTTP)?


From: ark () eltex ru
Date: Mon, 26 Nov 2001 15:10:39 +0300

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

So the answer is "it is almost impossible, though some commercial applications
claim to do that".

I intentionally left signature-based known attack prevention aside because it
is not the proper way and it seems to be easy to bypass in most cases.

I've found no details on how Sanctum's proxy works, and rWeb configuration
seems to be pretty complicated - there is no whitepaper describing the general
design philosophy, but if I get things correctly it allows "manual" configuration,
where you describe what is allowed and what is not, and "automatic", where you
parse the HTTP server log file and create some heuristics-based rules.

So how should the reverse proxy work:

1) "standardize" the request: bring it to a certain form - convert all
quoting/encoding types to one (or one of a few), drop unknown headers, check if
known ones have correct syntax.

2) analyze request. 
What can we do here dealing with unknown attacks?

Directory traversal - how do we distinguish perfectly legal directory traversal
(../../picture.jpg) from a malicious one? Limit depth or something?
That's not enough, I think; we need a different approach.

Application-specific like those IIS bugs - most are prevented on step 1,
but what about those that are not? 
 
Generic CGI, PHP etc. bugs, SQL insertion, etc. etc. - can we categorize them to
develop some heuristics that will fit future ones?

Does the log analysis approach that rWeb implements (?) provide good results?
Can we work out that "our server provides static content from directories
x, y, z and has scripts a and b that take argument c (numeric) and d (string
no longer than n and containing no non-alphanumeric characters)" and
enforce that on the proxy?

Will all of the above work together well enough to prevent, say, 70..85% of
future, yet unknown attacks? That's quite a reasonable rate for a tool to exist
- the proper way of preventing known attacks is to fix the application software
;)

                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQCVAwUBPAIxPqH/mIJW9LeBAQGTpgQAqPRw37rWV0u/hfwUQMOcEm2xxLb5/Nbu
WXNnvPxXZLEpS3lqXYp08sK9tIzA0+Y9R1vIa0Qd0JAVPG7h5kz2T/KS4WQ8Hl8P
EKOI7rkRbLG/FcC+C/oSOrmqmIyUrpZ+vHFFU3rDlNV8Kdvpav5GTQ4I9ZI/B5Dl
UPyj92yrnEU=
=tIvo
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
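As an added illustration of steps 1 and 2 in the message above and of the "our server provides static content from directories x, y, z and has scripts a and b that take argument c (numeric) and d (alphanumeric string no longer than n)" policy, here is a small positive-model request filter in Python. It is example code written for this archive page, not part of the original message and not a description of how Sanctum's proxy or rWeb work. Everything in the policy is made up for the demonstration: the directories /x/, /y/, /z/, the scripts /cgi-bin/a and /cgi-bin/b, the parameter names c and d, the 16-character limit, and the list of known headers. The traversal question is answered by resolving rather than limiting: ../ segments are collapsed and only the resulting path is compared against the policy, so /x/../y/picture.jpg is fine while anything that climbs above the document root is rejected. Double percent-encoding (%252e) is handled by decoding until the value stops changing.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote

# Constructed policy for a hypothetical site, shaped like the one in the post:
# static content under x, y, z; scripts a and b with typed arguments.
STATIC_DIRS = ("/x/", "/y/", "/z/")
STATIC_EXT = {".html", ".css", ".jpg", ".png", ".gif"}
SCRIPTS = {  # parameter -> (type, max length or None)
    "/cgi-bin/a": {"c": ("int", None), "d": ("alnum", 16)},
    "/cgi-bin/b": {"c": ("int", None)},
}
KNOWN_HEADERS = {  # known headers and the syntax each must have (assumed list)
    "host": re.compile(r"[A-Za-z0-9.-]{1,253}(:\d{1,5})?"),
    "content-length": re.compile(r"\d{1,9}"),
    "user-agent": re.compile(r"[\x20-\x7e]{1,256}"),
    "accept": re.compile(r"[\x20-\x7e]{1,256}"),
}
MAX_DECODE_ROUNDS = 3


def canonical_path(raw_path):
    """Step 1 for the path: decode until stable (defeats %252e double
    encoding), reject control bytes, resolve ./ and ../; None if unsafe."""
    path = raw_path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None  # still changing after N rounds: nothing legitimate nests that deep
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in path):
        return None  # NUL and other control bytes never belong in a path
    path = path.replace("\\", "/")  # IIS-style backslash separators
    if not path.startswith("/"):
        return None
    stack = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                return None  # climbs above the document root
            stack.pop()
        else:
            stack.append(seg)
    return "/" + "/".join(stack)


def normalize_headers(headers):
    """Step 1 for headers: keep known headers that parse, drop unknown ones,
    reject the request when a known header is malformed or Host is missing."""
    kept = {}
    for name, value in headers.items():
        key, value = name.strip().lower(), value.strip()
        pattern = KNOWN_HEADERS.get(key)
        if pattern is None:
            continue  # unknown header: silently not forwarded
        if not pattern.fullmatch(value):
            return None
        kept[key] = value
    return kept if "host" in kept else None


def check_params(spec, query):
    """Step 2 for scripts: each parameter must be declared, appear once and
    match its type and length (parameters are optional in this policy)."""
    seen = set()
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in spec or name in seen:
            return False
        seen.add(name)
        kind, maxlen = spec[name]
        if kind == "int" and not re.fullmatch(r"\d{1,10}", value):
            return False
        if kind == "alnum" and not (value.isascii() and value.isalnum()
                                    and (maxlen is None or len(value) <= maxlen)):
            return False
    return True


def inspect_request(method, target, headers):
    """Return (allowed, reason); anything the policy does not describe is denied."""
    if method not in ("GET", "HEAD"):
        return False, "method not in policy"
    if normalize_headers(headers) is None:
        return False, "missing or malformed header"
    # Split on the first '?' by hand so //host/x is not parsed as a scheme-relative URL.
    raw_path, _, query = target.partition("?")
    path = canonical_path(raw_path)
    if path is None:
        return False, "path cannot be canonicalized or escapes the root"
    if path in SCRIPTS:
        ok = check_params(SCRIPTS[path], query)
        return ok, "script ok" if ok else "parameter violates policy"
    if any(path.startswith(d) for d in STATIC_DIRS):
        if query == "" and posixpath.splitext(path)[1] in STATIC_EXT:
            return True, "static ok"
        return False, "static path with disallowed extension or query"
    return False, "path not in policy"


if __name__ == "__main__":
    hdrs = {"Host": "www.example.com", "X-Custom": "dropped"}  # constructed
    for t in ("/x/../y/picture.jpg", "/x/%252e%252e/%252e%252e/etc/passwd",
              "/cgi-bin/a?c=42&d=hello", "/cgi-bin/a?c=42&d=%27%20OR%201%3D1--"):
        print(t, "->", inspect_request("GET", t, hdrs))
```

The filter is deny-by-default: a path that is neither a declared script nor a file with an allowed extension under a declared static directory is rejected, which is what makes it useful against bugs that have not been discovered yet. The cost is the one the message hints at: the policy has to be kept in sync with the application, whether written by hand or derived from logs.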

