RE: [FW1] Code Red: What security specialist don't mention in warnings

I bet
that if you ever try this rule, you will also discover why it is not a good
idea. The HTTP security server does not work very well and when you put
that rule in, it will probably be fine for a good 30 seconds, and then your CPU
% will skyrocket to 100% and stay there. Analysis will reveal that the
in.ahttpd process is the culprit. You are correct in that this technique
is very effective at blocking that string. While I can't say for certain
that the firewall performance was impacted when I had the CPU at 100%, I would
rather not take the chance.
In my situation we had (Not LocalNets) -> DMZ web servers -> http_resource Drop.
The only time it would not peg was when we had only one webserver in the
destination. Two webservers or more would peg it.
Hi to all....

>>Patching IIS,
>>Dropping all outgoing packets from IIS Servers in the DMZ,
>>Using any alternative Web Server to IIS...

These are all good solutions.... But lem'me ask u sthg: Why don't u use CP FW's security server? (Checking with resource...)

For example, if Code Red is the case, Why don't u put a rule above all the http-related rules such as;

Source    Dest.    Service    Action

And the http->with resource service will be defined as a New Resource ---- URI;

URI:
Connection Methods: Transparent, Proxy (perhaps not so nec. but doesn't give any headache at least...)

Save everythg, and install....

It should be noted that since mostly *.ida is useless, this rule presumably shouldn't harm any Web-Server-based applications...
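
Added example, not part of the original thread and not Check Point's implementation: the matching logic that a `*.ida` URI drop rule implies, written in Python so it can be run over web server request lines to see which requests such a rule would catch. The function names, the decode-until-stable normalisation, the "malformed" result and the sample request lines are assumptions made for illustration.

```python
import fnmatch
from urllib.parse import unquote

# Assumption: the only blocked pattern is the "*.ida" mentioned in the thread.
BLOCKED_PATH_PATTERNS = ["*.ida"]


def normalized_path(request_line):
    """Return the decoded, lower-cased URI path of a request line, or None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    # Match on the path only; the query string is not part of the file name.
    path = parts[1].split("?", 1)[0]
    # Percent-decode until stable (bounded) so %2E and %252E both become ".".
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # IIS script mappings are case-insensitive, so compare in lower case.
    return path.lower()


def action_for(request_line):
    """Return 'drop', 'accept' or 'malformed' for one HTTP request line."""
    path = normalized_path(request_line)
    if path is None:
        return "malformed"
    for pattern in BLOCKED_PATH_PATTERNS:
        if fnmatch.fnmatchcase(path, pattern):
            return "drop"
    return "accept"


# Constructed sample request lines (not taken from any real log).
SAMPLE_REQUESTS = [
    "GET /default.ida?NNNNNNNN%u9090%u6858 HTTP/1.0",
    "GET /scripts/Report.IDA HTTP/1.0",
    "GET /default%2Eida?x=1 HTTP/1.0",
    "GET /index.html HTTP/1.0",
    "GET /search?file=notes.ida HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(action_for(line), line)
```
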