Firewall Wizards mailing list archives

Re: File type filtering (Was: Firewall Solution - 50 Users on SDSL Connection)


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Sun, 05 Oct 2003 16:55:15 +0200


Paul Robertson wrote:

[file extension filtering...]
> Best done at the application layer- the mail server, and a Web proxy if
> that's appropriate (MIME type filtering is probably the more current
> capability.)  I'd probably hack up Apache's mod_proxy or the fwtk's
> http-gw to get it to do it.

*meep* everything microsoft ignores mime type. It looks at the
extension first, and *then* at the mime type.

To make matters even worse, it also looks at magic bytes INSIDE
files if it doesn't recognize the file extension (and mime type?
I'm unsure here..).  Try it yourself: save a Word document, close
Word, rename the file extension from ".doc" to ".foobar". Double
click the file.

Hence, if you have microsoft boxen in your network, the only reliable
solution is whitelisting; deny everything, then allow the cross 
section of allowed mime types AND file extensions.  By cross section 
I mean that the mime type has to be good AS WELL AS the extension. 
Yes, this sucks immensely when you want to receive files without 
extension, which often happens under *nix.

Actually, the situation improves somewhat if you stay away from
IE and Outlook.  Netscape/mozilla and various other apps obey the 
mime type before the extension, which is a Good Thing.  But you
shouldn't be using IE/Outlook to begin with if you want any level
of security ... right?


-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
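
The cross-section whitelist described in the message above, as an added example that is not part of the original post: a file passes only when its extension is allowed AND the declared MIME type is one permitted for that extension. The policy table, the function name and the sample inputs are assumptions made up for illustration.

```python
import posixpath

# Constructed sample policy (an assumption, not from the post): each allowed
# extension maps to the MIME types it may be paired with. Anything absent,
# including "no extension at all", is denied by default.
ALLOWED = {
    ".txt": {"text/plain"},
    ".pdf": {"application/pdf"},
    ".png": {"image/png"},
    ".jpg": {"image/jpeg"},
    ".jpeg": {"image/jpeg"},
}


def check_attachment(filename, content_type):
    """Return (allowed, reason); allow only if extension AND MIME type match."""
    # Drop any path component the sender may have put in the name.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Trailing dots or spaces make the effective extension ambiguous: deny.
    if not name or name != name.rstrip(". "):
        return False, "ambiguous or empty filename"
    # Only the last extension counts, so "report.pdf.exe" is judged as ".exe".
    _, ext = posixpath.splitext(name.lower())
    if ext not in ALLOWED:
        return False, "extension not allowed: %r" % ext
    # Strip parameters such as "; charset=utf-8" and normalise case.
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime not in ALLOWED[ext]:
        return False, "MIME type %r not allowed for %s" % (mime, ext)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        ("report.pdf", "application/pdf"),
        ("report.pdf", "application/octet-stream"),
        ("notes.foobar", "text/plain"),
        ("README", "text/plain"),
    ]
    for fname, ctype in samples:
        print(fname, ctype, check_attachment(fname, ctype))
```

As the message notes, files without an extension are rejected under this policy even when their MIME type is on the list.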