Firewall Wizards mailing list archives

Re: File type filtering (Was: Firewall Solution - 50 Users on SDSL Connection)


From: ark () eltex net
Date: Mon, 6 Oct 2003 18:33:27 +0400

We (Advascan.com) run a filter that checks that the actual content and the MIME type match.

Hell, what weird stuff software developers put in MIME headers!
Even hardcoded typos
(some software keeps sending content type x-mxexcel (sic!) and almost no
one cares that vendor-specific content should go as vnd*).

We don't give up this type of content filtering, though, because it
seems to be highly effective at catching unknown worms and trojans.

The proper way is to "fix" MIME headers to make them match the content
and then apply the filtering policy.

On Sun, Oct 05, 2003 at 11:30:29AM -0400, Paul Robertson wrote:
> On Sun, 5 Oct 2003, Mikael Olsson wrote:
>
> > *meep* everything microsoft ignores mime type. It looks at the
> > extension first, and *then* at the mime type.
>
> Filtering products shouldn't.  In case it wasn't clear, I was suggesting
> gateway filtering at the application layer.
>
> > Hence, if you have microsoft boxen in your network, the only reliable
> > solution is whitelisting; deny everything, then allow the cross
> > section of allowed mime types AND file extensions.  By cross section
> > I mean that the mime type has to be good AS WELL AS the extension.
>
> If you're going that far, you'll want to nuke the mismatched MIME stuff
> too.

                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
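
The policy discussed in this thread (deny by default, allow only the cross section of MIME type and file extension, and drop anything whose declared type does not match the actual content), sketched as an added example that is not code from any poster or from Advascan. The whitelist entries, function names and sample inputs are constructed for illustration.

```python
import os

# Constructed whitelist: extension -> (MIME types accepted for it, required leading bytes).
WHITELIST = {
    ".pdf": ({"application/pdf"}, b"%PDF-"),
    ".png": ({"image/png"}, b"\x89PNG\r\n\x1a\n"),
    ".gif": ({"image/gif"}, b"GIF8"),
    ".zip": ({"application/zip"}, b"PK\x03\x04"),
}

# Leading bytes of content that must never pass under a whitelisted name.
EXECUTABLE_MAGIC = {b"MZ": "PE/DOS executable", b"\x7fELF": "ELF executable"}


def sniff(payload: bytes) -> str:
    """Name the content by its leading bytes, independent of any header."""
    for magic, name in EXECUTABLE_MAGIC.items():
        if payload.startswith(magic):
            return name
    for ext, (_, magic) in WHITELIST.items():
        if payload.startswith(magic):
            return ext
    return "unknown"


def check_attachment(filename: str, declared_mime: str, payload: bytes):
    """Default deny; allow only when extension, MIME type and content agree."""
    # Judge by the final extension, the part an extension-first client acts on.
    ext = os.path.splitext(filename.strip().lower())[1]
    mime = declared_mime.split(";")[0].strip().lower()
    if ext not in WHITELIST:
        return ("deny", f"extension {ext or '(none)'} not whitelisted")
    allowed_mimes, magic = WHITELIST[ext]
    if mime not in allowed_mimes:
        return ("deny", f"MIME type {mime} not allowed for {ext}")
    if not payload.startswith(magic):
        return ("deny", f"content is {sniff(payload)}, not {ext}")
    return ("allow", "extension, MIME type and content agree")
```

The third check is the "nuke the mismatched MIME stuff" step: a file named and labelled as a PDF is still dropped when its first bytes say otherwise.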

