Firewall Wizards mailing list archives

RE: Am I dreaming or is there a way to enforce different security Zones at an application layer?


From: "Robert Collins" <robert.collins () itdomain com au>
Date: Thu, 4 Jan 2001 13:57:08 +1100

ICAP is heading in the direction of being able to 'plug in' systems like
this to standard proxies - for instance Network Appliance have an
ICAP-enabled proxy. So implementing your filter as an ICAP server might
be fairly easy, and then tie it into your firewall. CVP is a similar
protocol to ICAP, but AFAIK it is not heading through a standards
process.

The reason I mention ICAP is because it is a generic solution to the
problem (while it is closely tied to HTTP, it is not limited to HTTP).
It specifies a method of getting the data stream to your modification
routines and back again.

From a coding point of view you really have two challenges:

* Traffic & data interception
* Data modification (while keeping protocol-level checksums/headers etc.
valid)

You could for instance code your data modification rules into a library,
and then use that from your modified proxy(ies). For example in squid
there is a patch available to strip animated GIFs back to 1 frame. Using
the same data access method in the source you could call your library
routines.

As far as protocols go, the visibility of your changes will depend on
how you implement them - you will need a device acting as a proxy or as
an intercepting proxy for each protocol (you mention FTP/HTTP/Notes/CIFS
(MS networking)).

I'll assume that you have a router/firewall that can intercept the
traffic between the secret storage location and the user retrieving
them. (If you are on a LAN, then a bridge style firewall would be
needed).

So for each protocol you will intercept the traffic; divert it to the
proxy, which performs a MITM attack and sends the altered stream on
(note this will need to occur in both directions).

For HTTP this is easy to do (web accelerators and intercepting proxies
already do most of the work). For HTTPS you may be able to patch squid
to act as an SSL MITM attacker. (Some work to allow SSL acceleration for
web servers is underway and could provide a basis.) For FTP, again it's
well understood and the protocol doesn't offer signing or encryption, so
it's easy. For Notes I don't know the protocol - sorry. For CIFS, if
data signing is being performed, you will be OK as long as the data
requester is not in the same DOMAIN as the server - you will be able to
perform a MITM attack. However you will need to build that capability.
Perhaps SAMBA would make a good basis?

The reason you need to perform MITM attacks on these protocols is that
you want to be invisible to the user - so the user must think you ARE
the server. Protocols that have signed/encrypted data streams are
difficult to modify without detection once a session is established -
that's why starting at the beginning of the communication is important.

Once you are in the middle, the first challenge is solved - you have
access to the data and are trusted by the client to be the server - so
you can generate your own checksums etc.

Note that if the secret data, or the web pages/etc have their own
internal data verification methods you may still be detected.

Just my 0.02c
Rob

-----Original Message-----
From: David Mackie [mailto:DMackie () ces com au]
Sent: Thursday, 4 January 2001 12:21 PM
To: 'firewall-wizards () nfr com'
Subject: [fw-wiz] Am I dreaming or is there a way to enforce different
security Zones at an application layer?


I suspect that this would be VERY Hard.

I have been asked to find a way to do the following...

Intercept an FTP, HTTP stream, file copy or even Notes Database
replication, do some fancy rules based scanning and send on the traffic.

I have thought about using CVP on FW-1 and a modified virus definition
file to strip out the unwanted content. This would not help with copying
files to a UNC Share and would possibly have problems with Notes
databases.

The other problem that we would have is some destinations could be
allowed to get things that are Secret but not REALLY Secret. Worse, we
will share most of our secrets but not ones which are secrets of just me
and my mate.

I would want to log everything not just attempts to send to invalid
destinations.

Would I do this by having a Custom Proxy grab the files, put them in a
gateway directory where we run our tests and then move it to a Mail Slot
for delivery if clean/valid?

Can you trick HTTP/FTP to respond normally so that the user does not
know it is really store and forward?

Is this a dream or can someone code this?

Regards
David

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards


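The "data modification" half of Rob's reply (strip content by rule, keep the protocol headers valid, log every transfer as David asks) as an added illustration for HTTP; this is example code, not from the thread, squid or any ICAP server, and the zone names and the [SECRET]/[PRIVATE] line markers are assumptions chosen for the example.

```python
"""Zone-aware content filter for the body-rewriting step of an
intercepting HTTP proxy.  Added example; the zones and the
[SECRET]/[PRIVATE] markers are assumptions, not a real product's format."""
import re

# Which classification markers each destination zone is cleared to receive.
# "secret" may see SECRET lines but never PRIVATE ones ("just me and my mate");
# "internal" only sees unmarked lines.
ZONE_ALLOWED = {
    "secret": {b"[SECRET]"},
    "internal": set(),
}
MARKER = re.compile(rb"^\[(SECRET|PRIVATE)\]")


def filter_body(body: bytes, dest_zone: str):
    """Drop every line whose marker the zone is not cleared for.
    Returns (new_body, number_of_dropped_lines)."""
    allowed = ZONE_ALLOWED.get(dest_zone, set())   # unknown zone: strictest
    kept, dropped = [], 0
    for line in body.split(b"\n"):
        m = MARKER.match(line)
        if m and m.group(0) not in allowed:
            dropped += 1
            continue
        kept.append(line)
    return b"\n".join(kept), dropped


def filter_http_response(raw: bytes, dest_zone: str, log: list) -> bytes:
    """Rewrite the body of an HTTP response and recompute Content-Length so
    the client still receives a well-formed reply.  Every transfer is logged,
    not only the ones where something was removed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    new_body, dropped = filter_body(body, dest_zone)
    # Keep all headers except the now-stale Content-Length, then append ours.
    headers = [h for h in lines[1:]
               if not h.lower().startswith(b"content-length:")]
    headers.append(b"Content-Length: %d" % len(new_body))
    log.append({"zone": dest_zone, "dropped": dropped,
                "in_bytes": len(body), "out_bytes": len(new_body)})
    return b"\r\n".join([lines[0]] + headers) + b"\r\n\r\n" + new_body


# Constructed sample response (not captured from any real system).
SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
          b"Content-Length: 65\r\n\r\n"
          b"public note\n[SECRET] shared secret\n[PRIVATE] just me and my mate\n")
```

A transfer-encoded or compressed body would have to be decoded before this step and re-encoded afterwards, which is exactly the "keep headers valid" burden Rob describes.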

