> >Basically, version 4.1 failed to do actually do HTTP syntax checking > making > >the HTTP proxy a generic proxy in function. So all the HTTP protocol > >violation style attacks weren't blocked at all. Proved it using tools > off > >packetstorm. Told SCC about it and proved it to them as > well. Then they > >verified the problem and issued a patch some months later. > > > > This was VERY disturbing. Kind of makes Secure's claim look > pretty stupid. Tried it on any other boxes? Apparetntly > secure computing expected the web proxy to be in full use. > Fortunately, we are a small enough operation to do exactly that.
I have tested this on subsequent versions and the problem has not resurface. It was a bug that was corrected. I have also tested the HTTP, FTP, SMTP, DNS, SQL*Net proxies for protocol violations, overlly long headers (configurable in the proxy settings to some extent), proprely handling dynamic protocls like ftp and SQL*Net and everything worked as advertised. There are, of course, limitations in the proxies and won't stop all attacks, but I am pretty confident that it will block attacks passing through the firewall that violate the protocol. >They seem very confident about > the integrity of their jails and told me I had nothing to > worry about even if a hacker broke into a root shell in one > of them. I am not convinced that this would be, to quote the > late great Douglas Addams, "mostly harmless". If you want to get a look at type-enforcement, grab a copy of SE linux http://www.nsa.gov/selinux/. Secure computing secos is the foundation of it. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
