Firewall Wizards mailing list archives
Re: on-the-fly-analysis vs. proxy rewrites
From: Dave Piscitello <dave () corecom com>
Date: Thu, 09 Feb 2006 11:50:14 -0500
Hawkins, Michael wrote:
> What about trying to deal with http which has almost no bounds? There are too many possible uri's. All of the proxies I've looked at (and that's not many) do very little in the way of breaking down the uri and handling those various subcomponents (such as java script, activex, dll's even). It's usually block all java script (useless) or let it all through (worse than useless).

Some proxies permit whitelisting of java scripts.

> And what do you do when there are hundreds of nasty DLL's in paths and hundreds of good ones. I mean, where do you start?

Not trying to be funny, but what DLLs do you permit inbound to any desktop in your organization, and why?

I'm quite successful blocking all dll, vbs, exe, ... and I have convinced a number of clients to do the same. If I/we must, I/we whitelist by type and origin. Do I/we piss people off? Of course. Does such a Draconian measure hamper productivity? Not often.

> And with all the other demands placed upon my valuable time and resource, how on earth could someone possibly be expected to parse and control every nuance within the realm of http? What about parsing the query? What's safe? What's not?

No admin, staffer or *SO should be expected to do this. There is a growing market for http proxies that can do this. Most of the proxies I know can only partially address the problem, which is what you might expect when attempting to solve an unbounded problem.

> I feel that the horse has already bolted on that one.

The fact that
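The default-deny download policy Dave describes (block dll, vbs, exe by type, then whitelist specific types from specific origins), written out as an added example that is not code from the thread or from any proxy product; the host names, the blocked-extension list and the allowlist entries are constructed assumptions, and the query and Content-Disposition checks answer Michael's "what about parsing the query?" point by looking at every place a filename can hide.

```python
# Added example, not from the thread: a default-deny policy for executable
# downloads at an HTTP proxy. Block by file type everywhere, then allow only
# specific (type, origin) pairs. All names below are constructed placeholders.
from urllib.parse import urlsplit, unquote, parse_qs
import posixpath

# Types blocked by default (constructed list based on "dll, vbs, exe, ...").
BLOCKED_EXTENSIONS = {"dll", "exe", "vbs", "scr", "bat", "cmd"}

# Whitelist by type and origin: the only way a blocked type gets through.
ALLOWED_BY_ORIGIN = {
    ("exe", "updates.example-vendor.test"),
    ("dll", "updates.example-vendor.test"),
}


def extension_candidates(url: str, content_disposition: str = "") -> set[str]:
    """Every extension a response could plausibly carry: the last path
    segment, any query value that looks like a filename, and the
    Content-Disposition filename. Percent-decoding happens first so that
    'evil%2Eexe' is seen as 'evil.exe'."""
    parts = urlsplit(url)
    names = [unquote(posixpath.basename(parts.path))]
    for values in parse_qs(parts.query).values():
        names.extend(unquote(v) for v in values)
    if "filename=" in content_disposition:
        names.append(content_disposition.split("filename=", 1)[1].strip('" '))
    exts = set()
    for name in names:
        if "." in name:
            exts.add(name.rsplit(".", 1)[1].lower())
    return exts


def decide(url: str, content_disposition: str = "") -> str:
    """Return 'block' or 'allow' for one response, per the policy above."""
    origin = urlsplit(url).hostname or ""
    for ext in extension_candidates(url, content_disposition):
        if ext in BLOCKED_EXTENSIONS and (ext, origin) not in ALLOWED_BY_ORIGIN:
            return "block"
    return "allow"
```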