Firewalls-Digest writes:
> 
> On Tue, 24 Apr 2001, Carl E. Mankinen wrote: 
> 
>> The reason to use this type of URL is to get around filters like WebSense
>> or to make it harder for people to use tools like ARIN/WHOIS etc, to
>> report abuse.
> 
> Neither of which is a security situation.  I'm quite aware of the reasons
> for the use of a non-dotted quad decimal address in something like a URL, 
> I was questioning directly the supposition that there were "many" security 
> products with failure modes where it would lead to a security problem. 
> 
> The statement I wanted clarification on was: 
> 
> "This actually has a lot of relevance since dword conversion is a
> convenient way to subvert many of our security systems." 
> 
>> I am sure the LATEST version of WebSense blocks this, but when I did
>> testing with versions prior to 4.3 and several other filtering products,
>> I found that the blocking did not always work:
> 
> URL filtering products didn't used to do UNICODE blocking either, which is
> why I specifically singled them out thusly: 
> 
>> > Can you quantify "many" for us, since outside of URL filters (which if
>> > someone's calling them a security system, is specious at best) I can't
>> > think of anything that cares what the address looks like at the command
>> > line that would allow for "subversion" (I can imagine perhaps packet
> 
> Once again, I'd love to see evidence of an actual security product where
> this creates a vulnerability.  That was (from my reading) the point that
> was attempted to be made, and I'd just like to see some evidence of it in
> the real world.  I've spent an incredible amount of time on failure modes
> in systems, both security and non-security related, and I can't see a
> security related failure mode where this results in anything other than a
> self-DoS for reflexive packet filtering products in protocols that aren't
> the best thing to pass through a firewall.  I don't generally look at
> things like PPTP though, so if there's a failure mode in there from client
> or server-generated addressing, I'm most certainly interested in what it
> might be.   
> 
One particularly well known internet browser incorrectly treated a DWORD 
address as an intranet address (since it didn't contain any '.' characters), 
and therefore used the least restrictive security settings, potentially 
allowing actions to be taken which the user would have assumed would have 
been blocked by the more restrictive security setting. 

It has been fixed in more recent versions - but nevertheless, it is a real 
security example. 
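The failure described in the last message above, as an added example that is not part of the original thread: a zone check that decides "intranet" from the absence of a '.' in the host, next to one that first canonicalises numeric hosts (dword, hex, octal, short dotted forms) and only then applies policy. All function names are hypothetical, the RFC 1918 ranges stand in for an assumed local intranet policy, and the sample host is a constructed value in the 192.0.2.0/24 documentation range.

```javascript
// Parse one inet_aton-style component: 0x hex, 0-prefixed octal, or decimal.
function parsePart(s) {
  if (/^0x[0-9a-f]+$/i.test(s)) return parseInt(s, 16);
  if (/^0[0-7]*$/.test(s)) return parseInt(s, 8);
  if (/^[1-9][0-9]*$/.test(s)) return parseInt(s, 10);
  return NaN;
}

// Return the 32-bit value of a numeric host, or null if the host is a name.
function numericHostToInt(host) {
  const parts = host.split('.');
  if (parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.some(Number.isNaN)) return null;
  // Leading parts are one byte each; the last part fills the remaining bytes.
  const last = nums.pop();
  const tail = 2 ** (8 * (4 - nums.length));
  if (nums.some(n => n > 255) || last >= tail) return null;
  return nums.reduce((acc, n) => acc * 256 + n, 0) * tail + last;
}

// Render a 32-bit value as a dotted quad for logging and policy lookups.
function toDottedQuad(n) {
  return [24, 16, 8, 0].map(s => Math.floor(n / 2 ** s) % 256).join('.');
}

// The flawed rule described in the post: no '.' in the host means intranet.
function naiveZone(host) {
  return host.includes('.') ? 'internet' : 'intranet';
}

// Assumed local policy: only these ranges count as intranet for IP literals.
const INTRANET_RANGES = [['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16]];

// Hardened rule: canonicalise first; the dotless rule applies to names only.
function zoneFor(host) {
  const n = numericHostToInt(host);
  if (n === null) return naiveZone(host);
  const inRange = INTRANET_RANGES.some(([base, len]) => {
    const unit = 2 ** (32 - len);
    return Math.floor(n / unit) === Math.floor(numericHostToInt(base) / unit);
  });
  return inRange ? 'intranet' : 'internet';
}

// Constructed sample: 3221226219 is the dword form of 192.0.2.235.
console.log(naiveZone('3221226219'), zoneFor('3221226219'));
```

The same canonical form should be what a URL filter or log pipeline matches against, so that every spelling of an address hits the same rule.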