
[FW1] I'm being asked to make this change... Comments? (long)



We have users that access the NCCI website for information. Recently, that
access started failing. This is the response I got from the support staff at
NCCI, and I'm wondering if anyone else has encountered this before or has
any comments on the recommended solution. (Sorry this is so long.)

Thanks,

Geoff

--------------------------------------------------------------------------

NCCI implemented a new authentication product several weeks ago so that we
could better serve our customers.  This product runs on our internal
servers and results in additional cookies being transmitted back to any user
who logs into any of our products.  These cookies enable the services to be
personalized for that user and enable NCCI to set up new customer accounts
much more quickly.

The vast majority of our users have not reported any problems since these
changes; however, a small group of about 40 companies have not been able to
access these website products since this change.  The error they get is
either "Page Cannot be Displayed" in Internet Explorer or "Document
Contains no Data" error in Netscape.

After a lot of research we now believe we know what has caused this problem
and how to fix it.

All of the companies we have contacted so far use Checkpoint Firewall-1,
the most popular firewall product.  Checkpoint has an HTTP Security Server
which is activated whenever the firewall is configured so that users
authenticate to the firewall or whenever you run any Content Vector
Protocol (CVP) products.  CVP products include antivirus products and
products that control or monitor where users go on the Internet.  These
products activate the Checkpoint HTTP Security Server whether the firewall
administrator specifically activated it or not.

The Firewall-1 HTTP Security Server proxies the HTTP connection.  The
firewall accepts the browser connection and responds to the client.  The
firewall then opens a new set of connections of its own to the server.  In
making this new connection as proxy the firewall must handle the HTTP
headers.  This is done through buffering with a fixed length buffer.  The
default header length the firewall security server uses is 1024 bytes.  The
HTTP header size for the request to NCCI exceeds this maximum length.
Non-CheckPoint Firewalls and proxies might have the same limitation.  It is
not uncommon for header sizes to exceed 1024 bytes.  Most web servers
support header sizes up to a maximum header size of 4096 bytes.

We have found so far that the companies who experience problems accessing
our site are using a Checkpoint firewall, have an activated HTTP Security
Server and have not made changes to increase the size of this buffer space
from the default setting of 1024 bytes.

RFC2109, which details the "HTTP State Management Mechanism", states that
systems should provide support for cookies at least 4096 bytes in size.
Here is an excerpt from this document:


"...general-use user agents should provide each of the following minimum
capabilities individually, although not necessarily simultaneously:

      * at least 300 cookies
      * at least 4096 bytes per cookie (as measured by the size of the
characters that comprise the cookie non-terminal in the syntax description
of the Set-Cookie header)
      * at least 20 cookies per unique host or domain name

User agents created for specific purposes or for limited-capacity devices
should provide at least 20 cookies of 4096 bytes, to ensure that the user
can interact with a session-based origin server.

The information in a Set-Cookie response header must be retained in its
entirety.  If for some reason there is inadequate space to store the
cookie, it must be discarded, not truncated."


Following the aforementioned changes at NCCI a few weeks ago, NCCI now
sends cookies that are larger than 1024 bytes but are well within the
limits of the HTTP protocol standard.  The "Page Cannot be Displayed" error
in Internet Explorer and the "Document Contains no Data" error in Netscape
are caused when a cookie header greater than 1024 bytes is transmitted to
your site.  Your HTTP Security Server attempts to parse it for analysis but
it gets truncated due to the small default setting for the buffer.  It is
subsequently discarded.  The result is "Page Cannot be Displayed" or
"Document Contains no Data" and perhaps even an "Error 10053" error message
in Microsoft Proxy Server, a generic error message that indicates a Winsock
TCP/IP connection failure.

Checkpoint has told us that the default setting of 1024 bytes in their HTTP
Security Server has been a "known problem" for almost two years.  They
recommend increasing the size of this buffer by manually adding a couple of
lines in the objects.c file as follows:

1)   stop the firewall
2)   backup the existing objects.c file to objects.bak or something similar
3)   open objects.c with text editor and search for "http" to make sure the
lines to add in the next step do not already exist
4)   Go to the props section of the objects.C file. Create the following
two lines:
          :http_max_header_length (x)
          :http_max_url_length (x)
     Replace 'x' with the desired value (see next paragraph regarding the
suggested value for "x")
5)   save the file
6)   restart the firewall
7)   in the firewall management utility, reapply the firewall security
policy

We recommend that each customer should contact Checkpoint directly before
making any changes to their firewall. However, a setting of 4096 would be
the largest setting supported by most web servers and Checkpoint has told
us that adding these two lines to increase the buffer space will not affect
the security or performance of their firewall in any way.  An email from a
CheckPoint Support Engineer in the CheckPoint Support Center in Dallas
included the following:


"There are no security or performance implications to making this change
and I believe the minimum Firewall-1 version that will allow this
change would be 4.0 as that is the least build that we offer support for."


There is further documentation on this two year old "bug" at
http://www.phoneboy.com/fw1.  Search Phoneboy's Firewall-1 FAQ for "HTTP
Security Server and Long URLs".  This documentation, however, incorrectly
states that the default setting is 2048.  Netegrity, who sells and
supports Checkpoint Firewall-1, referred us to this link and confirmed with
Checkpoint that the default setting is in fact 1024 bytes.

Netegrity has reproduced our problem in their lab.  After applying the fix
above they were then able to access our site.  Several other companies have
also successfully applied this fix.

Please keep in mind that this fix will not just enable your company to
access NCCI services.  It will permit your users to successfully access any
other Internet website that generates any headers that exceed 1024 bytes in
length.  Netegrity has stated to us that it is not unusual these days
to encounter such sites.

It is with regret that NCCI asks you to make changes to your firewall.  We
would have preferred a solution on our end.  We feel however that you will
likely be interested in this fix since it deals with a "known problem"
which is not limited to NCCI's website.

We would appreciate feedback on how you feel about this fix and the results
if implemented.

Regards,

Alan Dougherty
NCCI eBusiness Office
Mail Stop BM 1-12
750 Park of Commerce Drive
Boca Raton, FL 33487-3696
FAX
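As an added illustration (not part of Geoff's post or of NCCI's message), the script below estimates whether the cookies a site sets would push a client's request headers past a proxy's fixed header buffer, which is the failure mode the message describes. The 1024-byte default and the 4096-byte RFC 2109 minimum are taken from the message; the function names, the sample Set-Cookie values and the sample request lines are constructed for the example. Because the message does not say whether the buffer limit applies to a single header line or to the whole header block, the check reports both figures and flags the request if either exceeds the limit.

```python
"""Added example: estimate whether a site's cookies push a client's request
headers past a proxy's fixed header buffer.  The 1024-byte default and the
4096-byte RFC 2109 minimum come from the message above; everything else here
(function names, sample cookies, sample request lines) is constructed."""
from typing import Dict, List, Tuple

RFC2109_MIN_COOKIE_BYTES = 4096    # minimum per-cookie size a user agent must support
FW1_DEFAULT_HEADER_BYTES = 1024    # default header buffer quoted in the message


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def build_cookie_header(set_cookie_values: List[str]) -> str:
    """Build the single Cookie request header a browser sends back."""
    pairs = [f"{name}={value}"
             for name, value, _ in map(parse_set_cookie, set_cookie_values)]
    return "Cookie: " + "; ".join(pairs)


def header_block_bytes(lines: List[str]) -> int:
    """Wire size of a header block: each line ends in CRLF, then a blank line."""
    return sum(len(line.encode()) + 2 for line in lines) + 2


def check_request(set_cookie_values: List[str], request_lines: List[str],
                  limit: int = FW1_DEFAULT_HEADER_BYTES) -> Dict[str, object]:
    """Report whether a request built from these cookies fits the proxy buffer.

    The message does not say whether the buffer applies per header line or to
    the whole block, so both figures are reported and either exceeding `limit`
    counts as a failure.  Cookies larger than the RFC 2109 minimum are listed
    separately, since those would break compliant user agents too.
    """
    cookie_header = build_cookie_header(set_cookie_values)
    lines = request_lines + [cookie_header]
    longest = max(len(line.encode()) for line in lines)
    block = header_block_bytes(lines)
    oversized = [parse_set_cookie(sc)[0] for sc in set_cookie_values
                 if len(sc.encode()) > RFC2109_MIN_COOKIE_BYTES]
    return {
        "cookie_header_bytes": len(cookie_header.encode()),
        "longest_header_bytes": longest,
        "header_block_bytes": block,
        "exceeds_proxy_limit": longest > limit or block > limit,
        "cookies_over_rfc_min": oversized,
    }


# Constructed sample: an authentication product that sets two large cookies.
SAMPLE_SET_COOKIES = [
    "sess=" + "a" * 600 + "; Path=/; Domain=.example.com",
    "auth=" + "b" * 500 + "; Path=/",
]
# Constructed sample request line and headers a browser might send.
SAMPLE_REQUEST_LINES = [
    "GET /products HTTP/1.0",
    "Host: www.example.com",
    "User-Agent: constructed-sample/1.0",
]

if __name__ == "__main__":
    # Compare the quoted 1024-byte default against the 4096-byte value the
    # message recommends asking Checkpoint about.
    for limit in (FW1_DEFAULT_HEADER_BYTES, RFC2109_MIN_COOKIE_BYTES):
        report = check_request(SAMPLE_SET_COOKIES, SAMPLE_REQUEST_LINES, limit)
        print(f"limit={limit}: {report}")
```

With the constructed cookies the Cookie header alone is 1120 bytes, so the request fails the 1024-byte limit and passes a 4096-byte one, which matches the message's diagnosis. To use the check against a real site, replace the sample Set-Cookie values with those captured from its responses and the request lines with what your browser actually sends; the script runs offline and makes no connections.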



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================



 
----------------------------------

ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT SITE MAP LEGAL
All contents © 2003 Network Presence, LLC. All rights reserved.