Firewall Wizards mailing list archives

RE: IIS buffer overflows and firewalls
From: "Michael D. Nickle" <nickle10 () home com>
Date: Thu, 24 May 2001 12:15:19 -0600

This really goes back to something that my dad used to say to me all
the time, "Measure twice and cut once".  Except that in our case it
should be bound and context check twice, apply once.  Getting back to
your question though Rick, I'm not so sure that the firewall is the
proper place to make these checks.

There is a multitude of different web server and web application
server products out there.  If we looked at all of the various
combinations we'd see that one app combo's buffer overflow is another's
acceptable URL.  We'd also find quite a few sites that have various
brands o' web server behind the same firewall which further
complicates the rule base.  This is where an application input
validator like the Sanctum or pelican would be very helpful.  They
can also protect from PUT and POST method based attacks.  Of course
some filtering at the firewall layer might not be a bad idea.  How
many sites have actually implemented the CONNECT method?  TRACE?



-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com] On Behalf Of Rick Smith at
Secure Computing
Sent: Friday, May 04, 2001 1:54 PM
To: firewall-wizards () nfr net
Subject: [fw-wiz] IIS buffer overflows and firewalls


Here at SCC there's been talk about the MS bulletin 01-023 that
describes the buffer overflow in IIS on Win2K platforms. Here's the
MSoft URL:

   http://www.microsoft.com/technet/security/bulletin/MS01-023.asp

Given that you can configure web proxies on Sidewinder, and
presumably on other full-function firewalls, to enforce a length
limit on URLs passed through HTTP, one should be able to block this
particular attack at the firewall.

On the other hand, this implements a somewhat arbitrary restriction
on the size of URLs which, if the MS software is ever fixed to handle
longer ones, might interfere with future web applications. Since the
restriction is implemented in the firewall, it will be difficult
(impossible?) for developers to discover that the site has
implemented a restriction on URL size. They probably wouldn't find
out until they try running applications from behind the firewall.

Is there a consensus view on the impact of this type of firewall
filtering with respect to the site's Internet applications? While it
clearly can serve a "security" purpose, it's different from the more
conventional rules that developers encounter -- restrictions on
ports, mostly.

How would developers discover that such restrictions exist, or must
they wait till they run live tests through the firewall? Any
thoughts?

Rick.
smith () securecomputing com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

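The trade-off discussed in this thread (a URL length limit at the proxy, different servers behind one firewall, and unused methods such as CONNECT and TRACE), as an added example that is not part of the original messages: a per-backend request-line check that answers with an explicit HTTP status, so a developer testing through the proxy can see which limit refused the request. The backend names, the limits and `check_request_line` are hypothetical.

```python
"""Per-backend HTTP request-line policy (added illustration; names and limits are assumptions)."""
from typing import NamedTuple

class Policy(NamedTuple):
    max_target_len: int   # longest request target this backend should receive
    methods: frozenset    # methods the site has actually implemented

# Constructed sample policies: two different servers behind the same proxy.
POLICIES = {
    "legacy-iis": Policy(256, frozenset({"GET", "HEAD", "POST"})),
    "app-server": Policy(4096, frozenset({"GET", "HEAD", "POST", "PUT"})),
}

class Verdict(NamedTuple):
    status: int   # 200 = forward, otherwise the status returned to the client
    reason: str   # sent back in the response so the restriction is discoverable

def check_request_line(backend: str, line: str) -> Verdict:
    """Decide whether one request line may be forwarded to `backend`."""
    policy = POLICIES.get(backend)
    if policy is None:
        return Verdict(502, f"no policy for backend {backend!r}")  # fail closed
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return Verdict(400, "malformed request line")
    method, target, _version = parts
    if method not in policy.methods:
        return Verdict(405, f"method {method} not enabled for {backend}")
    if len(target) > policy.max_target_len:
        return Verdict(414, f"request target is {len(target)} characters; "
                            f"{backend} limit is {policy.max_target_len}")
    return Verdict(200, "forward")

if __name__ == "__main__":
    long_target = "/report?q=" + "A" * 500   # constructed: acceptable to one backend only
    for backend in POLICIES:
        for line in (f"GET {long_target} HTTP/1.0", "TRACE / HTTP/1.0"):
            print(backend, check_request_line(backend, line))
```

The same 510-character target is forwarded to one backend and refused with 414 for the other, which is the "one combo's overflow is another's acceptable URL" situation expressed as policy data rather than a single firewall-wide limit.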
