Firewall Wizards: Re: on-the-fly-analysis vs. proxy rewrites

Re: on-the-fly-analysis vs. proxy rewrites

From: Dave Piscitello <dave_at_corecom.com>
Date: Thu, 09 Feb 2006 11:50:14 -0500

Hawkins, Michael wrote:
> What about trying to deal with http which has almost no bounds? There
> are too many possible URIs. All of the proxies I've looked at (and that's
> not many) do very little in the way of breaking down the URI and
> handling those various subcomponents (such as JavaScript, ActiveX,
> DLLs even). It's usually block all JavaScript (useless) or let it all
> through (worse than useless).

Some proxies permit whitelisting of JavaScript.

> And what do you do when there are hundreds of nasty DLLs in paths and
> hundreds of good ones. I mean, where do you start?

Not trying to be funny, but what DLLs do you permit inbound to any
desktop in your organization, and why?

I'm quite successful at blocking all DLL, VBS, EXE, ... and I have
convinced a number of clients to do the same. If I/we must, I/we
whitelist by type and origin. Do I/we piss people off? Of course. Does
such a draconian measure hamper productivity? Not often.

> And with all the other demands placed upon my valuable time and
> resource, how on earth could someone possibly be expected to parse and
> control every nuance within the realm of http? What about parsing the
> query? What's safe? What's not?

No admin, staffer or *SO should be expected to do this. There is a
growing market for HTTP proxies that can do this. Most of the proxies I
know can only partially address the problem, which is what you might
expect when attempting to solve an unbounded problem.

> I feel that the horse has already bolted on that one.

The fact that

_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Received on Feb 09 2006
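The "block all DLL/VBS/EXE, whitelist by type and origin" policy discussed above, as an added example that is not code from the thread or from any proxy product. The hostnames, the MIME-type mapping and the sample responses are constructed; the PE `MZ` magic is real and lets the check catch an executable served under a harmless name, which is the on-the-fly analysis the subject line refers to.

```python
"""Proxy download policy: block executable content by type unless the
(origin, type) pair is explicitly whitelisted. Added example; the
whitelist entries and sample responses below are constructed."""
from urllib.parse import urlsplit

BLOCKED_EXTS = {"dll", "exe", "vbs"}          # types blocked by default
MIME_TO_KIND = {                               # definitive MIME types only
    "application/x-msdownload": "exe",
    "text/vbscript": "vbs",
    "application/x-vbs": "vbs",
}
PE_MAGIC = b"MZ"                               # every Windows EXE/DLL starts with this

# Whitelist by type AND origin (constructed hostname).
WHITELIST = {
    ("updates.example.internal", "exe"),
    ("updates.example.internal", "dll"),
}


def classify(url, content_type, body_prefix):
    """Return the executable kind ('exe', 'dll', 'vbs') or None.
    Checks path extension, declared Content-Type and leading bytes, so a
    renamed PE image is still recognised as executable content."""
    path = urlsplit(url).path.lower()
    ext = path.rsplit(".", 1)[-1] if "." in path else ""
    if ext in BLOCKED_EXTS:
        return ext
    if body_prefix.startswith(PE_MAGIC):
        return "exe"                           # PE regardless of name/type
    ctype = (content_type or "").split(";")[0].strip().lower()
    return MIME_TO_KIND.get(ctype)


def decide(url, content_type, body_prefix):
    """Return ('allow' | 'block', reason) for one proxied response."""
    kind = classify(url, content_type, body_prefix)
    if kind is None:
        return ("allow", "not executable content")
    host = urlsplit(url).hostname or ""
    if (host, kind) in WHITELIST:
        return ("allow", f"{kind} whitelisted for origin {host}")
    return ("block", f"{kind} not permitted from {host}")


if __name__ == "__main__":
    # Constructed responses: (url, Content-Type, first bytes of body)
    samples = [
        ("http://updates.example.internal/agent.exe", "application/x-msdownload", b"MZ\x90\x00"),
        ("http://cdn.example.net/setup.exe", "application/x-msdownload", b"MZ\x90\x00"),
        ("http://cdn.example.net/photo.jpg", "image/jpeg", b"MZ\x90\x00"),  # renamed PE
        ("http://cdn.example.net/index.html", "text/html", b"<html>"),
    ]
    for url, ctype, body in samples:
        print(url, "->", decide(url, ctype, body))
```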