Firewall Wizards mailing list archives

RE: Re: Air Gaps vs. Firewalls


From: Rick Smith <rick_smith () securecomputing com>
Date: Tue, 03 Oct 2000 15:50:58 -0500

At 02:57 PM 10/1/00, rreiner () fscinternet com wrote:

Yep.  You can configure an eGap to limit the length, or the contents
(via full regex matching) of an URL, any query-string data (e.g. from
HTTP GET), and any field in an HTTP POST body (i.e. the user-supplied
data filled into an HTML form).  You can't do that with other, simpler,
HTTP proxies.  And the eGap box makes it pretty easy.  Certainly much
easier than hand-crafting validation logic in ASP/PHP/Perl/whatever.

In other words you're trying to restrict the URLs *at the firewall* to match the anticipated properties of the web applications being restricted on one side or the other. This sounds very similar to strategies we tried with DBMS proxies a few years back.

The strategy yields a tricky engineering problem -- you have to keep the proxy rules perfectly synchronized with the application software. If you tighten the proxy rules too much, they get brittle and 'break' the application. If you don't tighten them enough, they let attacks through. In practice it's almost impossible to hit the 'sweet spot.'

You can't expect sysadmins to do this and I'm not sure the application developers could do it, either.

Since the typical ASP-coder errors are things like improper validation
of forms data, with consequences such as allowing user-crafted SQL
queries to execute, an eGap admin can work from the same spec as the
developers and provide independent validation of user-entered data, and
thereby enforce a nicely localized set of controls wrapped around the
application code.

This is a surprise to me. Do web site developers really work with specs that would clearly define the possible values flowing through a URL? Is this common anywhere except perhaps the most sophisticated sites? Even if one has such specs, wouldn't it make more sense to use those specs to automatically generate range and type checking code at the server end?

If the developers make some effort to validate properly too, that's all
the better... but you no longer have to rely on their code (all too
often written under time pressure and not properly reviewed) as your
sole layer of defence.

Another approach that addresses these problems but has not prospered in the marketplace is to run the web server on a host with some sort of mandatory access control. We offered such a thing on Sidewinder for a while, and HP offers something similar as "Virtual Vault." It's a lot easier to detect an intrusion by monitoring the behavior of the process being penetrated. We used to run the classic bug-filled version of sendmail and could demonstrate how it blocked penetrations through sendmail's holes.

Rick.
smith () securecomputing com
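Rick's suggestion of generating range and type checks from a spec, and the per-field proxy rules (length and regex on the URL, query string and POST body) described in the quoted text, as one added example that is not from this thread or from the eGap product: a constructed per-path field spec enforced over a request. SPEC, check_field and validate_request are hypothetical names, and the too-tight length limit shows the brittleness Rick describes.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed spec: path -> field -> rule. A rule is ("str", regex, max_len)
# or ("int", lo, hi). Proxy admin and developer both validate from it.
SPEC = {
    "/search":  {"q":  ("str", r"[A-Za-z0-9 ]+", 40)},
    "/account": {"id": ("int", 1, 999999)},
}

def check_field(name, values, rule):
    """Return None if the field value satisfies its rule, else a reason."""
    if len(values) != 1:
        return f"{name}: expected exactly one value"
    v = values[0]
    if rule[0] == "str":
        _, pattern, max_len = rule
        if len(v) > max_len:
            return f"{name}: longer than {max_len}"
        if not re.fullmatch(pattern, v):
            return f"{name}: does not match /{pattern}/"
    else:  # "int": must be a whole number inside the allowed range
        _, lo, hi = rule
        if not re.fullmatch(r"-?[0-9]+", v) or not lo <= int(v) <= hi:
            return f"{name}: not an integer in [{lo}, {hi}]"
    return None

def validate_request(method, url, body=""):
    """Return (accepted, reason) for one request, as a proxy rule would."""
    parts = urlsplit(url)
    rules = SPEC.get(parts.path)
    if rules is None:
        return False, f"path {parts.path!r} not in spec"
    # Query-string fields and form-encoded POST fields share one namespace.
    fields = parse_qs(parts.query, keep_blank_values=True)
    if method == "POST":
        fields.update(parse_qs(body, keep_blank_values=True))
    unknown = set(fields) - set(rules)
    if unknown:  # anything the spec does not name is refused outright
        return False, f"unexpected field(s): {sorted(unknown)}"
    for name, rule in rules.items():
        if name not in fields:
            return False, f"{name}: missing"
        reason = check_field(name, fields[name], rule)
        if reason:
            return False, reason
    return True, "ok"
```

A legitimate 46-character search phrase is refused by the 40-character rule just as a crafted one is, which is the synchronisation problem between rule set and application.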


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
