Firewall Wizards
mailing list archives
RE: IIS buffer overflows and firewalls
From: "Michael D. Nickle" <nickle10 () home com>
Date: Thu, 24 May 2001 12:15:19 -0600
This really goes back to something that my dad used to say to me all
the time, "Measure twice and cut once". Except that in our case it
should be bound and context check twice, apply once. Getting back to
your question though Rick, I'm not so sure that the firewall is the
proper place to make these checks.

There is a multitude of different web server and web application
server products out there. If we looked at all of the various
combinations we'd see that one app combo's buffer overflow is another's
acceptable URL. We'd also find quite a few sites that have various
brands o' web server behind the same firewall which further
complicates the rule base. This is where an application input
validator like the Sanctum or pelican would be very helpful. They
can also protect from PUT and POST method based attacks. Of course
some filtering at the firewall layer might not be a bad idea. How
many sites have actually implemented the CONNECT method? TRACE?

-----Original Message-----
From: firewall-wizards-admin () nfr com [mailto:firewall-wizards-admin () nfr com] On Behalf Of Rick Smith at Secure Computing
Sent: Friday, May 04, 2001 1:54 PM
To: firewall-wizards () nfr net
Subject: [fw-wiz] IIS buffer overflows and firewalls

Here at SCC there's been talk about the MS bulletin 01-023 that describes
the buffer overflow in IIS on Win2K platforms. Here's the MSoft URL:
http://www.microsoft.com/technet/security/bulletin/MS01-023.asp

Given that you can configure web proxies on Sidewinder, and presumably on
other full-function firewalls, to enforce a length limit on URLs passed
through HTTP, one should be able to block this particular attack at the
firewall.

On the other hand, this implements a somewhat arbitrary restriction on the
size of URLs which, if the MS software is ever fixed to handle longer ones,
might interfere with future web applications. Since the restriction is
implemented in the firewall, it will be difficult (impossible?) for
developers to discover that the site has implemented a restriction on URL
size. They probably wouldn't find out until they try running applications
from behind the firewall.

Is there a consensus view on the impact of this type of firewall filtering
with respect to the site's Internet applications? While it clearly can
serve a "security" purpose, it's different from the more conventional rules
that developers encounter -- restrictions on ports, mostly.

How would developers discover that such restrictions exist, or must they
wait till they run live tests through the firewall? Any thoughts?

Rick.
smith () securecomputing com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
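
An added illustration of the two checks discussed in this thread (not code from either poster or from any firewall product): a per-backend URL length limit and method allowlist applied to the raw request line, answering with an explicit 414 or 405 so a developer testing through the proxy can see which restriction was hit. The host names, limits, status choices and function names are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    max_url_len: int      # bytes allowed in the request target
    methods: frozenset    # HTTP methods forwarded to this backend

# Constructed policy: hosts and limits are illustrative, one profile per backend
PROFILES = {
    "iis.example.test": Profile(256, frozenset({"GET", "HEAD", "POST"})),
    "apps.example.test": Profile(2048, frozenset({"GET", "HEAD", "POST", "PUT"})),
}
DEFAULT = Profile(1024, frozenset({"GET", "HEAD"}))

def check_request(head: bytes):
    """Return (status, reason) for a raw request head; 200 means forward."""
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return 400, "malformed request line"
    method = parts[0].decode("ascii", "replace")
    target = parts[1]  # measured as raw bytes, before any URL decoding
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower().split(":")[0]
            break
    profile = PROFILES.get(host, DEFAULT)
    if method not in profile.methods:
        return 405, f"method {method} not forwarded to {host or 'default'}"
    if len(target) > profile.max_url_len:
        return 414, f"URL longer than {profile.max_url_len} bytes (proxy limit)"
    return 200, "forward"

def make(method, path, host):
    """Build a constructed sample request head."""
    return f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()

if __name__ == "__main__":
    long_path = "/" + "A" * 300
    for m, p, h in [("GET", "/index.html", "iis.example.test"),
                    ("GET", long_path, "iis.example.test"),
                    ("GET", long_path, "apps.example.test"),
                    ("TRACE", "/", "apps.example.test")]:
        print(m, h, len(p), check_request(make(m, p, h)))
```

The same 301-byte URL is refused for one backend and forwarded to the other, which is the "one combo's overflow is another's acceptable URL" situation expressed as policy.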