RE: [Full-Disclosure] Sidewinder G2 Thanks and a question or two

["Mike Fratto" <mfratto@nwc.com>]

> >Basically, version 4.1 failed to do actually do HTTP syntax checking
> making
> >the HTTP proxy a generic proxy in function. So all the HTTP protocol 
> >violation style attacks weren't blocked at all. Proved it using tools
> off
> >packetstorm. Told SCC about it and proved it to them as 
> well. Then they 
> >verified the problem and issued a patch some months later.
> >
> 
> This was VERY disturbing. Kind of makes Secure's claim look 
> pretty stupid. Tried it on any other boxes? Apparetntly 
> secure computing expected the web proxy to be in full use. 
> Fortunately, we are a small enough operation to do exactly that. 

I have tested this on subsequent versions and the problem has not resurface.
It was a bug that was corrected. I have also tested the HTTP, FTP, SMTP,
DNS, SQL*Net proxies for protocol violations, overlly long headers
(configurable in the proxy settings to some extent), proprely handling
dynamic protocls like ftp and SQL*Net and everything worked as advertised.
There are, of course, limitations in the proxies and won't stop all attacks,
but I am pretty confident that it will block attacks passing through the
firewall that violate the protocol.

>They seem very confident about 
> the integrity of their jails and told me I had nothing to 
> worry about even if a hacker broke into a root shell in one 
> of them. I am not convinced that this would be, to quote the 
> late great Douglas Addams, "mostly harmless".

If you want to get a look at type-enforcement, grab a copy of SE linux
http://www.nsa.gov/selinux/. Secure computing secos is the foundation of it.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html