
RE: [FW1] Code Red: What security specialist don't mention in warnings



No sir, you're absolutely wrong or missing something.
 
I've been using that rule for about two weeks, and also similar rules (not only http, but also smtp-resource, etc.) for a long time. Alas! No CPU bottleneck or other performance problems, no pegging, etc. Oh, by the way, the FW module is on a Nokia IP650.
 
I always preach what I practice!
-----Original Message-----
From: Luke, Jason (ISS Southfield) [mailto:[email protected]]
Sent: Tuesday, August 07, 2001 5:25 PM
To: 'METE EMINAGAOGLU (IT)'; [email protected]
Subject: RE: [FW1] Code Red: What security specialist don't mention in warnings

I bet that if you ever try this rule, you will also discover why it is not a good idea.  The HTTP security server does not work very well and when you put that rule in, it will probably be fine for a good 30 seconds, and then your CPU % will skyrocket to 100% and stay there.  Analysis will reveal that the in.ahttpd process is the culprit.  You are correct in that this technique is very effective at blocking that string.  While I can't say for certain that the firewall performance was impacted when I had the CPU at 100%, I would rather not take the chance.
In my situation we had: (Not LocalNets) -> DMZ web servers -> http_resource -> Drop.
The only time it would not peg was when we had only one webserver in the destination.  Two webservers or more would peg it.
 
-----Original Message-----
From: METE EMINAGAOGLU (IT) [mailto:[email protected]]
Sent: Monday, August 06, 2001 9:22 AM
To: 'Carl E. Mankinen'; Wolfgang Kueter; [email protected]
Subject: RE: [FW1] Code Red: What security specialist don't mention in warnings

Hi to all....

>>Patching IIS,

>>Dropping all outgoing packets from IIS Servers in the DMZ,

>>Using any alternative Web Server to IIS...

These are all good solutions....


But let me ask you something:

Why don't you use CP FW's security server? (checking with a resource...)

For example, if Code Red is the case,

why don't you put a rule above all the http-related rules, such as:

Source      Dest.           Service                             Action
Any           Any             http->with resource           Drop

And the http->with resource service will be defined as a new Resource of type URI:

URI:

Connection Methods: Transparent, Proxy (perhaps not so necessary, but doesn't give any headache at least...)
Schemes: http (only this will be enough..)
Methods: all (so as to guarantee...)
Host:*
Path:{*/default.ida?*}
Query:*

Save everything, and install....

It should be noted that since mostly *.ida is useless, this rule presumably shouldn't harm any Web-Server-based applications...
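To see which requests the posted URI resource would actually drop, and to gauge hit volume from existing web server logs before adding a security-server rule to the firewall, here is an added example that is not from the list posting and not Check Point code. It applies the same wildcard from the resource's Path field, */default.ida?*, to constructed common-log-format lines. It assumes that '*' matches any run of characters and that every other character in the pattern, including the '?', is taken literally; the addresses, timestamps and query strings in the sample log are constructed placeholders.

```python
"""Offline check of a */default.ida?* style URI match against web server logs.

Added example for the FW-1 thread above, not code from the posting. The
wildcard semantics ('*' = any run of characters, everything else literal)
are an assumption about the resource's Path field, and the log lines are
constructed.
"""
import re

# Wildcard from the posted resource definition (Path field).
CODE_RED_PATH_PATTERN = "*/default.ida?*"

# Common log format: host ident user [time] "METHOD target HTTP/x.y" status size
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def wildcard_to_regex(pattern):
    """Translate a '*'-only wildcard into an anchored regex.

    Only '*' is a wildcard; '.', '?' and every other character are escaped so
    they match themselves, mirroring how the posted pattern is written.
    """
    pieces = [re.escape(piece) for piece in pattern.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$")


def target_matches(target, pattern=CODE_RED_PATH_PATTERN):
    """True if the request-target (path plus query) matches the wildcard."""
    return wildcard_to_regex(pattern).match(target) is not None


def parse_log_line(line):
    """Return the fields of one common-log-format line, or None if unparseable."""
    match = LOG_LINE.match(line)
    return match.groupdict() if match else None


def find_matching_requests(lines, pattern=CODE_RED_PATH_PATTERN):
    """Return (host, target) for every parseable line whose target matches."""
    hits = []
    for line in lines:
        record = parse_log_line(line)
        if record and target_matches(record["target"], pattern):
            hits.append((record["host"], record["target"]))
    return hits


# Constructed sample log: two ordinary requests, two .ida requests with a
# query string, and one .ida request without one (note it is NOT matched by
# the exact */default.ida?* pattern because the '?' is literal).
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Aug/2001:09:22:00 +0300] "GET /index.html HTTP/1.0" 200 1234',
    '10.0.0.9 - - [06/Aug/2001:09:22:01 +0300] "GET /default.ida?XXXX HTTP/1.0" 404 250',
    '10.0.0.12 - - [06/Aug/2001:09:22:02 +0300] "GET /scripts/default.ida?YYY HTTP/1.0" 200 0',
    '10.0.0.13 - - [06/Aug/2001:09:22:03 +0300] "GET /default.ida HTTP/1.0" 404 250',
    '10.0.0.14 - - [06/Aug/2001:09:22:04 +0300] "POST /cgi-bin/form.pl HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for host, target in find_matching_requests(SAMPLE_LOG):
        print(f"{host} would be dropped by the rule: {target}")
```

Running this on the sample log reports the two requests whose target contains "/default.ida?". The fourth line, a request for /default.ida with no query string, slips past the exact pattern from the posting; if you want those counted as well, pass the wider pattern "*/default.ida*" to find_matching_requests. Because the match runs over logs rather than live traffic, it costs the firewall nothing, which makes it a cheap way to estimate how many connections the security server would have to inspect before turning the rule on.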




 
----------------------------------

   All contents © 2004 Network Presence, LLC. All rights reserved.