On Tue, 30 May 2000, Graham Wheeler wrote:

> > That was mostly a sideways reference to the periodic claims by fans
> > of "stateful packet filtering" that by writing enough of the IP and
> > application stack in their stateful rules they could do anything
> > that an application proxy does. I wasn't thinking about the
> > possibility that there might be other application proxies available
> > that strip active content.
> 
> Ah, but a stateful filter can also block content (not by removing it,
> but simply by renaming the tags in the packets, for example by changing
> the first character). It's harder to do, as the data stream isn't
> necessarily in-order, but it's been done.

It's _significantly_ harder to do if for instance the tag is embedded in a
commented out block.  Search and destroy on strings requires some
client-alike behaviour if it's to be effective, and packet filters really
aren't up to recreating the stack's behaviour followed by the client's
behaviour without a lot more work than would be prudent.

> It's actually a lot easier to `filter' active content by renaming than
> by actually removing it. I wrote the code in our application proxy that
> removes such content, and it was quite a challenge. I kicked myself
> afterwards when I realised I could have just used renaming.

If you'd have taken a look at the patches to the fwtk that were written at
Hitachi Data Systems years ago, you'd have seen that approach.  I'd argue
that it's critical in shops where people need to be able to examine the
raw HTML that the tags be neutralized rather than omitted.

Also, if you substitute your own tag, you have the option of building
clients which render things uniquely, and even changing the behaviour of
non-active tags for special purposes.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
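To make the two points above concrete (neutralizing a tag by changing the first character of its name so the raw HTML stays readable, and why a string search without client-alike parsing or stream reassembly falls short), here is an added Python example; it is not code from this thread, the fwtk or the Hitachi patches. The tag list, the "x" marker character, the two-packet split and the sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser
# Tags whose content a browser executes or hands to a plugin (assumed list).
ACTIVE_TAGS = {"applet", "embed", "object", "script"}

def rename(tag_text):
    # Neutralize by changing the first character of the tag name, as discussed
    # in the thread: "<script ...>" -> "<xcript ...>", "</script>" -> "</xcript>".
    return re.sub(r"^(</?)\w", r"\1x", tag_text)

# Hypothetical per-packet filter: a string search over each packet in
# isolation, with no stream reassembly and no parser state.
_TAG_RE = re.compile(r"<(/?)(?:%s)\b" % "|".join(sorted(ACTIVE_TAGS)), re.I)
def neutralize_per_packet(packets):
    return "".join(_TAG_RE.sub(lambda m: rename(m.group(0)), p) for p in packets)

class TagRenamer(HTMLParser):
    """Client-alike neutralizer: parses the reassembled stream as a browser does,
    so real comments stay untouched and '<!--' inside <script> is script data."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
    def handle_starttag(self, tag, attrs):
        raw = self.get_starttag_text()
        self.out.append(rename(raw) if tag in ACTIVE_TAGS else raw)
    handle_startendtag = handle_starttag  # "<embed .../>" is handled the same way
    def handle_endtag(self, tag):
        self.out.append(rename(f"</{tag}>") if tag in ACTIVE_TAGS else f"</{tag}>")
    def handle_data(self, data):
        self.out.append(data)
    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")  # the browser ignores it; leave it alone
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")
    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

def neutralize_reassembled(packets):
    parser = TagRenamer()
    parser.feed("".join(packets))
    parser.close()
    return "".join(parser.out)

# Constructed sample: one script inside a real HTML comment (inert) and one live
# script whose body uses the old "<!-- ... //-->" hiding idiom.
PAGE = ('<html><body>\n<!-- <script>old();</script> is commented out -->\n'
        '<p>Hello &amp; welcome</p>\n<script type="text/javascript">\n<!--\n'
        'alert(1);\n//-->\n</script>\n<object data="x.swf"></object>\n</body></html>\n')
_cut = PAGE.index('<script type') + 4  # packet boundary falls inside "<script"
PACKETS = [PAGE[:_cut], PAGE[_cut:]]
```

On this input the per-packet filter mangles the inert commented-out tag yet lets the live `<script ...>` opening tag through because it straddles the packet boundary, while the reassembling parser renames only the live tags.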

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]