Firewall Wizards mailing list archives
RE: Am I dreaming or is there a way to enforce different security Zones at an application layer?
From: "Robert Collins" <robert.collins () itdomain com au>
Date: Thu, 4 Jan 2001 13:57:08 +1100
ICAP is heading in the direction of being able to 'plug in' systems like this to standard proxies - for instance Network Appliance have an iCAP enabled proxy. So implementing your filter as an iCAP server might be fairly easy, and then tie it into your firewall. CVP is a similar protocol to iCAP, but AFAIK it is not heading through a standards process.

The reason I mention iCAP is because it is a generic solution to the problem (while it is closely tied to HTTP, it is not limited to HTTP). It specifies a method of getting the data stream to your modification routines and back again.

From a coding point of view you really have two challenges:
* Traffic & data interception
* Data modification (while keeping protocol level checksums/headers etc. valid)

You could for instance code your data modification rules into a library, and then use that from your modified proxy(ies). For example in squid there is a patch available to strip animated gifs back to 1 frame. Using the same data access method in the source you could call your library routines.

As far as protocols go, the visibility of your changes will depend on how you implement them - you will need a device acting as a proxy or as an intercepting proxy for each protocol (you mention FTP/HTTP/Notes/CIFS (MS networking)). I'll assume that you have a router/firewall that can intercept the traffic between the secret storage location and the user retrieving them. (If you are on a LAN, then a bridge style firewall would be needed.)

So for each protocol you will intercept the traffic, divert it to the proxy, which performs a MITM attack and sends the altered stream on (note this will need to occur in both directions). For HTTP this is easy to do (web accelerators and intercepting proxies already do most of the work). For HTTPS you may be able to patch squid to act as an SSL MITM attacker. (Some work to allow SSL acceleration for web servers is underway and could provide a basis.)

For FTP, again it's well understood and the protocol doesn't offer signing or encryption so it's easy. For Notes I don't know the protocol - sorry. For CIFS, if data signing is being performed, you will be ok as long as the data requester is not in the same DOMAIN as the server - you will be able to perform a MITM attack. However you will need to build that capability. Perhaps SAMBA would make a good basis?

The reason you need to perform MITM attacks on these protocols is that you want to be invisible to the user - so the user must think you ARE the server. Protocols that have signed/encrypted data streams are difficult to modify without detection once a session is established - that's why starting at the beginning of the communication is important. Once you are in the middle, the first challenge is solved - you have access to the data and are trusted by the client to be the server - so you can generate your own checksums etc. Note that if the secret data, or the web pages/etc. have their own internal data verification methods, you may still be detected.

Just my 0.02c

Rob
-----Original Message-----
From: David Mackie [mailto:DMackie () ces com au]
Sent: Thursday, 4 January 2001 12:21 PM
To: 'firewall-wizards () nfr com'
Subject: [fw-wiz] Am I dreaming or is there a way to enforce different security Zones at an application layer?

I suspect that this would be VERY hard. I have been asked to find a way to do the following...

Intercept an FTP, HTTP stream, file copy or even Notes Database replication, do some fancy rules based scanning and send on the traffic.

I have thought about using CVP on FW-1 and a modified virus definition file to strip out the unwanted content. This would not help with copying files to a UNC share and would possibly have problems with Notes databases.

The other problem that we would have is some destinations could be allowed to get things that are Secret but not REALLY Secret. Worse, we will share most of our secrets but not ones which are secrets of just me and my mate. I would want to log everything, not just attempts to send to invalid destinations.

Would I do this by having a custom proxy grab the files, put them in a gateway directory where we run our tests and then move it to a Mail Slot for delivery if clean/valid? Can you trick HTTP/FTP to respond normally so that the user does not know it is really store and forward?

Is this a dream or can someone code this?

Regards
David
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
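The "data modification" half of what Rob describes, as an added example that is not code from either post: an intercepted HTTP response is parsed, checked against a per-destination-zone clearance (David's "Secret but not REALLY Secret" problem), rewritten, and re-emitted with its protocol-level headers still valid, i.e. chunked encoding removed and Content-Length recomputed so the client sees a normal reply. Every decision, pass or redact, is recorded, as David asked. The zone map, the "LEVEL:" line-marking convention and the sample response are all constructed for this example.

```python
"""Zone-aware HTTP response filter (constructed example, not from the thread)."""
import ipaddress
import re

LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOPSECRET": 2}

# Hypothetical zone map: most specific network first, catch-all last.
ZONE_CLEARANCE = [
    (ipaddress.ip_network("10.10.0.0/16"), "TOPSECRET"),   # "me and my mate"
    (ipaddress.ip_network("10.20.0.0/16"), "SECRET"),      # partners cleared for Secret
    (ipaddress.ip_network("0.0.0.0/0"), "UNCLASSIFIED"),   # everyone else
]

# Assumed marking convention for this example: a body line may start with "<LEVEL>:".
MARK = re.compile(rb"(UNCLASSIFIED|SECRET|TOPSECRET):")


def clearance_for(dst_ip):
    """Map the requesting host to the highest level its zone may receive."""
    ip = ipaddress.ip_address(dst_ip)
    for net, level in ZONE_CLEARANCE:
        if ip in net:
            return level
    return "UNCLASSIFIED"


def parse_response(raw):
    """Split a raw HTTP/1.x response into status line, header list and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def dechunk(body):
    """Decode a Transfer-Encoding: chunked body (trailers are ignored)."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)   # drop any chunk extension
        if size == 0:
            return bytes(out)
        out += body[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2                       # skip the data and its CRLF


def redact(body, clearance, audit, dst_ip):
    """Replace every line marked above the zone's clearance; record each decision."""
    allowed = LEVELS[clearance]
    kept = []
    for line in body.split(b"\n"):
        m = MARK.match(line)
        level = m.group(1).decode() if m else "UNCLASSIFIED"
        action = "redact" if LEVELS[level] > allowed else "pass"
        audit.append((dst_ip, clearance, level, action))   # log everything, not only denials
        kept.append(b"[REDACTED]" if action == "redact" else line)
    return b"\n".join(kept)


def rebuild(status, headers, body):
    """Re-emit the response so the framing headers match the modified body."""
    drop = (b"content-length", b"transfer-encoding")
    hdrs = [(n, v) for n, v in headers if n.lower() not in drop]
    hdrs.append((b"Content-Length", str(len(body)).encode()))
    head = b"\r\n".join([status] + [n + b": " + v for n, v in hdrs])
    return head + b"\r\n\r\n" + body


def filter_response(raw, dst_ip):
    """Full pipeline: parse, dechunk if needed, redact per zone, rebuild."""
    status, headers, body = parse_response(raw)
    te = dict((n.lower(), v) for n, v in headers).get(b"transfer-encoding", b"")
    if b"chunked" in te.lower():
        body = dechunk(body)
    audit = []
    body = redact(body, clearance_for(dst_ip), audit, dst_ip)
    return rebuild(status, headers, body), audit


def chunked(*pieces):
    """Encode pieces as a chunked body; used only to build the sample input."""
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in pieces) + b"0\r\n\r\n"


# Constructed sample: three differently marked lines, split across chunk
# boundaries that deliberately do not line up with the line breaks.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nTransfer-Encoding: chunked\r\n\r\n"
    + chunked(b"Weather: fine\nSECRET: the combi",
              b"nation is 42\nTOPSECRET: only me and my mate\n")
)

if __name__ == "__main__":
    for client in ("10.10.0.7", "10.20.1.5", "192.0.2.9"):
        out, audit = filter_response(SAMPLE, client)
        print(client, clearance_for(client), out.split(b"\r\n\r\n", 1)[1], audit)
```

The filter only works because the proxy sits in the middle before the session starts, as Rob notes: it owns the server side of the client's connection, so replacing Content-Length (or, for a signed protocol, regenerating the signature) is legitimate from the client's point of view. Anything the document verifies internally (an embedded hash, a signed attachment) would still expose the change.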