Re: File type filtering (Was: Firewall Solution - 50 Users on SDSL Connection)

[Paul Robertson <proberts () patriot net>]

On Sun, 5 Oct 2003, Mikael Olsson wrote:

> *meep* everything microsoft ignores mime type. It looks at the
> extension first, and *then* at the mine type.

Filtering products shouldn't.  In case it wasn't clear, I was suggesting 
gateway filtering at the application layer.

> Hence, if you have microsoft boxen in your network, the only reliable
> solution is whitelisting; deny everything, then allow the cross 
> section of allowed mime types AND file extensions.  By cross section 
> I mean that the mime type has to be good AS WELL AS the extension. 

If you're going that far, you'll want to nuke the mismatched MIME stuff 
too.

> Actually, the situation improves somewhat if you stay away from
> IE and Outlook.  Netscape/mozilla and various other apps obey the 
> mime type before the extension, which is a Good Thing.  But you
> shouldn't be using IE/Outlook to begin with if you want any level
> of security ... right?

Right.

http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0310&L=ntbugtraq&F=P&S=&P=4202

Says it about as well as it's been said.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards