Firewall Wizards mailing list archives

Re: Protecting publicly reachable servers (e.g. HTTP)?


From: "Steven M. Bellovin" <smb () research att com>
Date: Mon, 26 Nov 2001 02:08:47 -0500

In message <5.1.0.14.2.20011125224934.009f56d0@localhost>, "Marcus J. Ranum" writes:
> ark () eltex ru wrote:
> > I am still trying to figure out how to prevent data-driven attacks
> > on proxy level.
>
> I don't think it can be done. The only chance is to be super
> restrictive in what you accept - to the point of accepting
> nothing. If you do that, you generally defeat your objectives
> if you're trying to actually exchange information with
> someone. :(


More precisely, you can filter out known bad things, and try to figure 
out what the right set of good things is that you want to allow in.  
But that latter is very hard -- you don't know all the squirrelly parts 
of the spec that are legal but will break your applications, you don't 
know the nominally-illegal things that are accepted -- and used -- 
anyway, you don't know what will break in the next release of the 
application when the vendor releases a wonderful new bug^H^H^Hfeature,
and -- most important -- you have no assurance that you're going to do 
a better job parsing arbitrarily strange input than the real 
applications do.  After all, no one sets out to write a bad parser.  
The only thing you have going for you is that you *know* there are 
security dangers out there.  That's a non-trivial piece of knowledge, 
but the task ahead of you is still extremely hard, and bordering on the 
impossible.

                --Steve Bellovin, http://www.research.att.com/~smb
                Full text of "Firewalls" book now at http://www.wilyhacker.com
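An added illustration of the two approaches Bellovin contrasts above (this is example code written for this archive page, not code from the thread's authors). It models a proxy-level request filter in both styles: a deny-list that matches known-bad strings against the request target exactly as received, and an allow-list that accepts only a deliberately narrow HTTP/1.x grammar. The sample requests, the deny-list signatures and the set of permitted headers are all constructed for the demonstration. Run as a script it shows the deny-list passing a percent-encoded target that the origin server decodes into something the same list would have blocked (the proxy's parser and the application's parser disagree), and the allow-list refusing a request that uses obsolete header line folding, which is legal HTTP/1.1 and which a real server would accept: exactly the "legal but will break your applications" problem the message describes.

```python
import re
from urllib.parse import unquote

# ---- Deny-list: block what you already know is bad ----------------------------
# Hypothetical signatures, constructed for this example.
BAD_PATTERNS = [re.compile(p, re.IGNORECASE)
                for p in (r"\.\./", r"<script", r"/etc/passwd")]


def deny_list_allows(request_target: str) -> bool:
    """True if no known-bad pattern appears in the target as the proxy saw it."""
    return not any(p.search(request_target) for p in BAD_PATTERNS)


def backend_decodes(request_target: str) -> str:
    """Model of what an origin server does with the target before routing it."""
    return unquote(request_target)


# ---- Allow-list: accept only a narrow grammar ---------------------------------
_REQUEST_LINE = re.compile(
    r"^(GET|HEAD) (/[A-Za-z0-9._~/-]*)(\?[A-Za-z0-9._~=&-]*)? HTTP/1\.[01]$")
_HEADER_LINE = re.compile(r"^([A-Za-z0-9-]+): ([\x20-\x7e]*)$")
_ALLOWED_HEADERS = {"host", "user-agent", "accept", "connection"}  # constructed set


def allow_list_verdict(raw: bytes) -> tuple[bool, str]:
    """Accept a request only if every line matches the grammar above.

    Returns (allowed, reason).  Anything the grammar does not describe is
    refused, including constructs that are valid HTTP/1.1 but rare, such as
    obs-fold header continuations (RFC 7230 section 3.2.4).
    """
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII byte in request head"
    if not text.endswith("\r\n\r\n"):
        return False, "missing end of headers"
    lines = text[:-4].split("\r\n")
    if not _REQUEST_LINE.match(lines[0]):
        return False, f"request line rejected: {lines[0]!r}"
    seen_host = False
    for line in lines[1:]:
        m = _HEADER_LINE.match(line)
        if not m:  # a continuation line starting with SP/HTAB lands here
            return False, f"header rejected: {line!r}"
        name = m.group(1).lower()
        if name not in _ALLOWED_HEADERS:
            return False, f"header not on allow-list: {name}"
        seen_host = seen_host or name == "host"
    if not seen_host:
        return False, "Host header required"
    return True, "ok"


# ---- Constructed sample input (not taken from the thread) ---------------------
ENCODED_TARGET = "/static/%2e%2e/%2e%2e/etc/%70asswd"
ENCODED_REQUEST = (b"GET /static/%2e%2e/%2e%2e/etc/%70asswd HTTP/1.1\r\n"
                   b"Host: www.example.com\r\n\r\n")
PLAIN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
FOLDED_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                  b"Host: www.example.com\r\n"
                  b"Accept: text/html,\r\n"
                  b" application/xhtml+xml\r\n"   # obs-fold: legal, deprecated
                  b"\r\n")


def compare_policies() -> dict:
    """Summarise how each policy treats the constructed requests."""
    return {
        "deny_list_passes_encoded": deny_list_allows(ENCODED_TARGET),
        "deny_list_passes_decoded": deny_list_allows(backend_decodes(ENCODED_TARGET)),
        "allow_list_plain": allow_list_verdict(PLAIN_REQUEST),
        "allow_list_encoded": allow_list_verdict(ENCODED_REQUEST),
        "allow_list_folded": allow_list_verdict(FOLDED_REQUEST),
    }


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(f"{name}: {result}")
```

The deny-list half shows the parser-mismatch risk Bellovin points at: the filter and the application must interpret bytes identically, or the filter is reasoning about a different request than the one the server executes (canonicalising before matching narrows but does not close that gap). The allow-list half shows the cost of the safe direction: every grammar you do not spell out is refused, and some of what you refuse will be traffic your users needed.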


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

