Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: on-the-fly-analysis vs. proxy rewrites
From: Dave Piscitello <dave () corecom com>
Date: Thu, 09 Feb 2006 11:50:14 -0500

Hawkins, Michael wrote:
What about trying to deal with http which has almost no bounds? There
are two many possible uri's. All of the proxies I've looked (and that's
not many) do very little in the way of breaking down the uri and
handling those various subcomponents (such as java script, activex,
dll's even). It's usually block all java script (useless) or let it all
through (worse than useless).

Some proxies permit whitelisting of java scripts.

And what do you do when there are hundreds of nasty DLL's in paths and
hundreds of good ones. I mean, where do you start?

Not trying to be funny, but what DLLs do you permit inbound to any desktop in your organization, and why?

I'm quite successful blocking all dll, vbs, exe, ... and I have convinced a number of clients to do the same. If I/we must, I/we whitelist by type and origin. Do I/we piss people off? Of course. Does such a Draconian measure hamper productivity? Not often.

And with all the other demands placed upon my valuable time and
resource, how on earth could someone possibly be expected to parse and
control every nuance within the realm of http? What about parsing the
query? What's safe? What's not?

No admin, staffer or *SO should be expected to do this. There is a growing market for http proxies that can do this. Most of the proxies I know can only partially address the problem, which is what you might expect when attempting to solve an unbounded problem.

I feel that the horse has already bolted on that one.

The fact that

Attachment: dave.vcf

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]