
List:       sidewinder
Subject:    Re: [Sidewinder] Protocol violations
From:       Sidewinder moderated discussion list <sidewinder () adeptech ! com>
Date:       2009-11-04 19:49:27
Message-ID: 9cf1ed360911041149j616e1706s50d0418420721b6 () mail ! gmail ! com

In looking at the documentation (page 295 of the 7.0.1.02 admin guide) it
looks like bumping the inspection slider down to "Partial" disables virus
scanning which is not desirable for us (unless we use a destination group
which brings us back to where we are now).

Still, you do raise good points and I think I'll try replacing my packet
filter rule with a dialed-down http proxy rule and see if it still works.
Same level of manual effort as now to fix broken sites but like you point
out it will be more secure than the packet filter.

If only I could turn off certain protocol checks!

Jason
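The "multipart/mimetype has invalid separator string" violation quoted later in this thread is the HTTP proxy enforcing RFC 2046's rules for the multipart boundary. As an added example (not from the thread or from the Sidewinder product), here is a small Python checker that applies those same rules to a captured request so an administrator can confirm whether a rejected upload is actually malformed before deciding to relax enforcement; the sample Content-Type values and bodies are constructed.

```python
import re

# RFC 2046 section 5.1.1:
#   boundary      := 0*69<bchars> bcharsnospace        (1 to 70 characters)
#   bchars        := bcharsnospace / " "
#   bcharsnospace := DIGIT / ALPHA / "'" / "(" / ")" / "+" / "_" / "," / "-"
#                    / "." / "/" / ":" / "=" / "?"
BOUNDARY_RE = re.compile(r"^[A-Za-z0-9'()+_,\-./:=? ]{0,69}[A-Za-z0-9'()+_,\-./:=?]$")


def boundary_from_content_type(content_type):
    """Return the boundary parameter of a multipart Content-Type value, or None."""
    m = re.search(r';\s*boundary=("?)([^";]*)\1', content_type, re.IGNORECASE)
    return m.group(2) if m else None


def _is_delimiter_line(line, delim):
    # RFC 2046 permits "transport padding" (spaces/tabs) after the delimiter.
    return line.startswith(delim) and not line[len(delim):].strip(b" \t")


def check_multipart(content_type, body):
    """Return a list of protocol violations; an empty list means the body is well-formed."""
    problems = []
    boundary = boundary_from_content_type(content_type)
    if boundary is None:
        return ["no boundary parameter in Content-Type"]
    if not BOUNDARY_RE.match(boundary):
        problems.append("invalid separator string: %r" % boundary)
    delim = b"--" + boundary.encode("ascii", "replace")
    lines = body.split(b"\r\n")
    if not any(_is_delimiter_line(l, delim) for l in lines):
        problems.append("delimiter never appears in body")
    if not any(_is_delimiter_line(l, delim + b"--") for l in lines):
        problems.append("closing delimiter missing")
    return problems


# Constructed samples: a browser-style upload, and one whose boundary uses '{' '}'.
GOOD_CT = "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"
GOOD_BODY = (b"------WebKitFormBoundary7MA4YWxkTrZu0gW\r\n"
             b'Content-Disposition: form-data; name="file"; filename="notes.txt"\r\n'
             b"Content-Type: text/plain\r\n\r\nhello\r\n"
             b"------WebKitFormBoundary7MA4YWxkTrZu0gW--\r\n")
BAD_CT = 'multipart/form-data; boundary="upload{1}"'
BAD_BODY = b"--upload{1}\r\nContent-Type: text/plain\r\n\r\nhello\r\n--upload{1}--\r\n"

if __name__ == "__main__":
    print(check_multipart(GOOD_CT, GOOD_BODY))
    print(check_multipart(BAD_CT, BAD_BODY))
```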

On Wed, Nov 4, 2009 at 2:12 PM, Sidewinder moderated discussion list <
sidewinder@adeptech.com> wrote:

> There are several levels of reduced enforcement you can set.  I have
> several rules set up on my firewalls with a different source group for each
> one with different settings.  I should qualify my comments by noting that I
> only have version 7 firewalls now.  I started with Sidewinders when the G2
> (version 6.0) had just been released.
>
> The first level I try is using the "Relax protocol enforcements" check box
> in an HTTP App Defense.  That's my first try.  If that doesn't get it, I go
> the next step, which is to leave Relaxed enforcement on, and also move the
> Inspection "lever" from Full to the middle setting in the rule definition.
> According to the note for this setting, "The security-context 'filtering'
> aspects of the application defense are not enforced.  Application layer data
> is examined to the minimum degree necessary to perform 'proxy' activities as
> defined by said protocol."  My final proxy-based attempt to bypass broken
> sites is to use another rule to turn that lever all the way to None.  This
> setting states, "No settings in the application defense are enforced.
> Behaves like a transparent layer relay."  This still allows some improved
> security over a packet filter.  The final thing to do is what you were
> doing:  use a packet filter rule.
>
> This level of pickiness is more of a hassle, but to me it's worth it in
> using the best security possible to allow the trusted site to work.
>
>
> --------------------
> Matthew Harrell
> CSO
> Plex Systems
> mhar@plex.com
> ________________________________________
> From: sidewinder-bounces@adeptech.com [sidewinder-bounces@adeptech.com] On
> Behalf Of Sidewinder moderated discussion list [sidewinder@adeptech.com]
> Sent: Wednesday, November 04, 2009 1:01 PM
> To: sidewinder@adeptech.com
> Subject: Re: [Sidewinder] Protocol violations
>
> Well, the "Relax protocol enforcements" did help reduce a lot of the noise
> but it still doesn't allow some of the traffic we've had actual problems with
> (for example "multipart/mimetype has invalid separator string" violations
> actually prevent users from uploading content to necessary websites).  I
> guess I'll stick with the whitelist approach for now in the hopes that some
> type of finer-grained control will come in the future.
>
> Thanks again for the suggestion.
>
> Jason
>
> On Wed, Nov 4, 2009 at 11:01 AM, Jason Podhorez <jpodhorez@gmail.com>
> wrote:
>
> > Yes, I think that's exactly what I'm looking for (weird that support knew
> > exactly what I was talking about but didn't suggest this to fix it).  I'll
> > try it and see if it works.  Thanks!
> >
> >
> > On Wed, Nov 4, 2009 at 10:50 AM, Sidewinder moderated discussion list <
> > sidewinder@adeptech.com> wrote:
> >
> >> At least in V6, the only place is in the Application Defenses ("Web" by
> >> default) -- and all it allows is which side you relax enforcement for
> >> (Client or Server).
> >>
> >> (... and don't call me Shirley ...  ;^) )
> >>
> >> > After my initial post it also occurred to me that Microsoft ISA Server
> >> > (software firewall) as early as 2004 had the ability to specify which
> >> > parts of protocol RFCs to enforce/ignore.  Surely there must be a way to
> >> > dial it down if we don't have the need to enforce certain aspects.
> >> _______________________________________________
> >> Sidewinder mailing list
> >> Sidewinder@adeptech.com
> >> http://mail.adeptech.com/mailman/listinfo/sidewinder
> >>
> >
> >
>