Firewall Wizards mailing list archives
RE: SSL
From: "Paul D. Robertson" <proberts () patriot net>
Date: Thu, 18 Oct 2001 23:37:12 -0400 (EDT)
On Thu, 18 Oct 2001, R. DuFresne wrote:
This was enlightening, more so then what I'd read and seen privious to going over this, thanks. Reading through the document, it seems perhaps one can block the infection of nimda by not letting tftp traffic through?! Would others agree this would be a way to block infections under the SSL schema Gary outlined?
The HTTP/HTTPS vector is sort of self-contained for the wormy part and for the virus part. At the point you go from worm to virus (server to client) the client machine is infected rather aggressively (ok- *very* aggressively.) Unless I missed some special pre-condition in Gary's explaination, blocking tftp doesn't help one bit for server->client infection (only server->server.) The non-worm viral vector happily infects shares, documents, tries to mail itself with OE, etc. Fortunately the first version didn't seem to cross vectors except at the .eml/.nws infection of Web pages. If you're worrying about the class of problem, it's a lot more serious that it *could* cross vectors trivially using either http/https, share hunting, mass mailing, or viral spreading. If all the infected clients had crossed back to the worm vector via HTTP/S to uninfected servers things would have been significantly worse.
Two further tags one might well key on would be the Admin.dll and README.EML files this worm tries to pushout. This is all assuming of course that the attack vector does not traverse the SSL path to the infected server, which I did not see anything to indicate such in the pdf document.
It infects files that would go via SSL (server to client, not the other way unless you're pushing content to the server via https.) The good news for the specific nimda problem is that you get the URL via the CONNECT method, so you can URL filter on *.eml (and *.nws) if your proxy allows that. Unfortunately, you've only stopped .eml/.nws-using worms, and there are a few more auto-executable content types in the Microsoft world. What you really need is to block everything but htm/html/asp (assuming there's not an .eml rendering trick that you can do in-frame.) I'm still not 100% sure that you couldn't get the EML/NWS through via something else like the class-id thing though. (I'm not sure it ever used .nws for server<->client infection, but it did for client infection, so I'd cover that base anyway.) You don't even get the chance to catch the MIME mismatch via SSL. Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts () patriot net which may have no basis whatsoever in fact." _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: SSL, (continued)
- Re: SSL R. DuFresne (Oct 18)
- Re: SSL teo (Oct 18)
- Re: SSL Patrick M. Hausen (Oct 18)
- RE: SSL Stefan Norberg (Oct 18)
- RE: SSL Bruce Platt (Oct 18)
- RE: SSL R. DuFresne (Oct 18)
- RE: SSL Paul D. Robertson (Oct 20)
- RE: SSL R. DuFresne (Oct 18)
- RE: SSL Scott, Richard (Oct 18)
- RE: SSL Illes Marci (Oct 20)
- RE: SSL Ames, Neil (Oct 18)
- RE: SSL Paul D. Robertson (Oct 20)
- RE: SSL Chad Schieken (Oct 20)
- RE: SSL Dawes, Rogan (ZA - Johannesburg) (Oct 20)
- RE: SSL Bruce Platt (Oct 20)
- RE: SSL Paul D. Robertson (Oct 20)
- RE: SSL Bruce Platt (Oct 20)
- RE: SSL Paul D. Robertson (Oct 20)