On Tue, 24 Apr 2001, Carl E. Mankinen wrote:

> The reason to use this type of URL is to get around filters like WebSense or to
> make it harder for people to use tools like
> ARIN/WHOIS etc, to report abuse.

Neither of which is a security situation.  I'm quite aware of the reasons
for the use of a non-dotted quad decimal address in something like a URL;
I was questioning directly the supposition that there were "many" security
products with failure modes where it would lead to a security problem.

The statement I wanted clarification on was:

"This actually has a lot of relevance since dword conversion is a
convenient way to subvert many of our security systems."

> I am sure the LATEST version of WebSense blocks this, but when I did testing with
> versions prior to 4.3
> and several other filtering products, I found that the blocking did not always work:

URL filtering products didn't use to do UNICODE blocking either, which is
why I specifically singled them out thusly:

> > Can you quantify "many" for us, since outside of URL filters (which if
> > someone's calling them a security system, is specious at best) I can't
> > think of anything that cares what the address looks like at the command
> > line that would allow for "subversion" (I can imagine perhaps packet

Once again, I'd love to see evidence of an actual security product where
this creates a vulnerability.  That was (from my reading) the point that
was attempted to be made, and I'd just like to see some evidence of it in
the real world.  I've spent an incredible amount of time on failure modes
in systems, both security and non-security related, and I can't see a
security related failure mode where this results in anything other than a
self-DoS for reflexive packet filtering products in protocols that aren't
the best thing to pass through a firewall.  I don't generally look at
things like PPTP though, so if there's a failure mode in there from client
or server-generated addressing, I'm most certainly interested in what it
might be.  

Given the lack of good design we've seen in tunneling products
over the last few years, it's always possible that I've missed something
silly like another VPN product[0] taking the client's word for what
address it's coming from even if it says loopback, or a similar issue, so
I'm genuinely interested in if Mr. Renner has something substantial to say
on the issue, or if it's just "censorship == security" in Marysville.  The
reason it was a reply that copied the list is that if it was something
vuln-wise that was circulating, it's just possible that I might pick up more 
information from other sources.  

I imagine that when someone makes the statement "many security products"
in a context such as that, either there's a firewall issue, perhaps a Web
server vhost permission issue, or they're considering "Censorware"
products to be security systems.  If it's one of the former, then I'd like
to know what I've missed in my analyses of such products.  If it's the
latter, then I'd like to point out to them that the emperor is nekkid[1]. 

Paul
[0] Of course, I'm not at all convinced that VPNs should be allowed
to be sold as security products either.
[1] It's ok, he's a penguin.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
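The filter failure the thread describes is a string comparison that never sees the address in the form it resolves to. The following is an added example (not code from the list thread or from any product named in it): it normalises the alternate IPv4 spellings that inet_aton-style resolvers accept, going beyond the thread's dword decimal case to the octal, hex and short forms the same parser accepts, so a block-list lookup compares canonical addresses. The block list and sample hosts are constructed.

```python
import re

# One inet_aton component: hex (0x..), octal (leading 0), or decimal.
_PART = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")


def _parse_part(text: str) -> int:
    """Parse one component with inet_aton rules (int(x, 0) rejects '0250')."""
    if not _PART.fullmatch(text):
        raise ValueError(f"bad component: {text!r}")
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text, 10)


def canonical_ipv4(host: str):
    """Return the dotted-quad for any inet_aton-style host, else None.

    inet_aton allows 1 to 4 dot-separated components; the last one fills
    the remaining bytes: 'a' is 32 bits, 'a.b' is 8+24, 'a.b.c' is 8+8+16.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    *lead, last = values
    if any(v > 0xFF for v in lead):
        return None
    last_bits = 8 * (4 - len(lead))
    if last >= 1 << last_bits:
        return None
    addr = 0
    for v in lead:
        addr = (addr << 8) | v
    addr = (addr << last_bits) | last
    return ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))


BLOCKED = {"192.168.1.1", "10.0.0.5"}  # constructed sample block list


def naive_blocked(host: str) -> bool:
    """The failure mode: raw string compare, so '3232235777' slips past."""
    return host in BLOCKED


def is_blocked(host: str) -> bool:
    """Canonicalise first; hostnames that are not addresses compare as-is."""
    canon = canonical_ipv4(host)
    return (canon if canon is not None else host.lower()) in BLOCKED
```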

