On 9/21/05, A Rossi <[EMAIL PROTECTED]> wrote:
> I was thinking of payload inspection as a way to check to see if the payload
> contains requested data (like HTML, or mp3 or whatever the user is
> downloading) to make sure that it doesn't contain infected data (with a worm
> or such) that is piggybacking on legitimate data.
A couple of things. When malicious code attaches itself to other data, it's generally called a virus. When it transmits itself autonomously, it's called a worm.

Secondly, how in the world would you know if returned information is "what the user requested"? Seems like the user makes a query, and data comes back, and there's no other source of information on which you could make a determination. For example, I do an HTTP request like this:

    GET /cgi-bin/whatever.pl HTTP/1.0

And in return I get a 5k ASCII document of MIME type text/plain. Is that what I requested? Seems like you're getting into mind-reading and "do what I mean, not what I say" territory here. And that's just HTTP.

Packet-by-packet regex is a dumb idea, but I don't exactly see how it isn't "secure", apart from implementation errors (e.g. buffer overflow) and some DoS issues (both endemic to all network applications). It won't do what you want, but that's not really a security issue, as it's more of an expectation problem on the part of the people who request this.

Given how much data crosses a firewall, I think a short pattern like ".mp3" would match far too many innocuous connections. Certain network operations would just fail in some way, and you would end up with a user base that started to blame your firewall for everything.

If you want layer 7 inspection, and you want to do it right, don't use a layer 3 device, get an IDS/IPS. It's hard enough to do right at layer 7, and playing games at layer 3 will only give you a false sense of security.

-- 
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
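The reply above makes two points about running a short regex such as ".mp3" on individual packets in a layer 3 device: a per-packet match misses anything that straddles a segment boundary, and the pattern fires on innocuous traffic that merely mentions the string. The following is an added illustration, not code from the thread or from any of its participants: it builds two constructed HTTP response streams (an HTML page that links to an mp3, and an actual audio download fetched from a URL without ".mp3" in it), cuts one of them so the signature crosses a packet boundary, and compares what per-packet inspection reports against what a reassembling layer 7 inspector would see. The stream contents, the helper names and the split point are all assumptions chosen for the demonstration.

```python
import re

# Constructed sample streams (not captured traffic). Each is the server-to-client
# direction of an HTTP exchange, as a reassembling layer 7 device would see it.
HTML_PAGE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body><p>Listen to the episode: "
    b"<a href=\"/files/episode01.mp3\">here</a></p></body></html>"
)
MP3_BODY = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: audio/mpeg\r\n\r\n"
    b"ID3\x04\x00\x00\x00\x00\x00\x00"  # ID3v2 tag header, then MPEG frame bytes
    b"\xff\xfb\x90\x00" + b"\x00" * 32
)

# The kind of short signature the thread discusses.
PATTERN = re.compile(rb"\.mp3")


def split_across(data, needle):
    """Constructed worst case: cut the stream so `needle` straddles two packets.
    Streams that do not contain `needle` are returned as a single packet."""
    idx = data.find(needle)
    if idx < 0:
        return [data]
    cut = idx + len(needle) // 2
    return [data[:cut], data[cut:]]


def per_packet_matches(packets, pattern=PATTERN):
    """What a layer 3 filter sees: each segment inspected in isolation."""
    return [pattern.search(p) is not None for p in packets]


def reassembled_match(packets, pattern=PATTERN):
    """What a proxy or IDS sees: the byte stream after TCP reassembly."""
    return pattern.search(b"".join(packets)) is not None


def content_type(stream):
    """Minimal Content-Type header extraction for the constructed responses."""
    head, _, _ = stream.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            return value.strip().decode()
    return None


def evaluate(stream, pattern=PATTERN):
    """Compare per-packet and reassembled matching for one stream."""
    packets = split_across(stream, b".mp3")
    return {
        "content_type": content_type(stream),
        "per_packet": per_packet_matches(packets, pattern),
        "reassembled": reassembled_match(packets, pattern),
    }


if __name__ == "__main__":
    for name, stream in (("html page", HTML_PAGE), ("mp3 download", MP3_BODY)):
        print(name, evaluate(stream))
```

For the HTML page the per-packet result is no match on either segment while the reassembled stream matches, and the match that does occur is on a text/html document that carries no audio at all; for the audio download, which never contains the bytes ".mp3", neither method fires. That is the mismatch between what the pattern detects and what the requester actually wants a firewall to decide, independent of any implementation bug.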
