Sounds like a hairy situation. Glad you got out of it.

> This is to patch a known vulnerability in; surprise, surprise Internet
> Explorer :
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0247 (MSDN::
> http://www.microsoft.com/technet/security/Bulletin/MS10-002.mspx
> (21JAN2010));

I don't know if "patch" is how I'd describe what these UTM devices do. They frequently overreact + misreact. Same for those one-size-fits-all web IPS shims. They need to be very finely tweaked to fit real apps, and if they lack really granular controls, you have to neuter them completely. Automatic updates, as you've also found, compound the problem unless everyone is in on the schedule.

This issue [a] is a CVE candidate, so it should have been in an "optional" or "aggressive" ruleset (if the device has such settings); [b] only affects true IE 6- clients, who could be quite effectively filtered by User-Agent (again, if the device allowed such adjustments); and [c] should have been an egress rule, protecting the traffic source (see below).

> I suspect it's because of our firewall configuration where we
> actually have to go outside of the firewall to come back in again.

If you have a UTM/IPS device, you have to eat your own dog food to best simulate hits from the outside. It is a best practice to go through your UTM, and if you were literally going outside to come back in ingress, that would be perfect. But my question (or perhaps your description isn't totally clear) is why internal users sound like they were going through _egress_ filters instead of ingress filters. You should certainly be filtered, but you should access the site as if you were a public user; hence, both inside and outside users should have thought "the website is down." It should have been _less_ obvious where the problem lay!

Also, bear in mind that everything was not fine in prod depending on where you were coming from. It was fine if you weren't going through a SonicWall UTM with the latest untweaked ruleset; if your wife were behind the same kind of device, you would not have been so assured. Many people trust Sonic for egress filtering and are still affected unless they have made similar adjustments. But at least that's their fault. :)

-- Sandy

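The scoping Sandy describes for the MS10-002 signature (egress only, non-default ruleset tier, and only for true IE 6-or-older clients picked out by User-Agent) is easy to get wrong because the MSIE token alone is not a reliable version indicator. The following is an added illustration, not code from the thread or from any SonicWall product: it models a hypothetical IPS rule with those three constraints and applies it to a handful of constructed User-Agent strings. The rule name, tier names and the `Request` shape are assumptions for the example; the only facts it relies on are that IE 8 and later always send a `Trident/` engine token (and report a lower `MSIE` version in compatibility view), and that older Opera builds spoofed the `MSIE 6.0` token.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical rule definition for the example; tier and direction names are
# assumptions, not a real SonicWall setting.
RULE_NAME = "MS10-002 / CVE-2010-0247 (hypothetical IPS signature)"
RULE_DIRECTION = "egress"                 # protect the client, not the server
RULE_TIERS = {"optional", "aggressive"}   # never part of the default ruleset
IE_MAX_AFFECTED_MAJOR = 6

MSIE_RE = re.compile(r"\bMSIE (\d+)\.\d+")
TRIDENT_RE = re.compile(r"\bTrident/(\d+)\.\d+")


@dataclass
class Request:
    direction: str      # "ingress" (to our site) or "egress" (our users going out)
    user_agent: str


def ie_major_version(user_agent: str) -> Optional[int]:
    """Return the real Internet Explorer major version, or None if not IE.

    Opera spoofed the MSIE token, so an "Opera" product string wins.
    IE 8+ always sends Trident/N; in compatibility view the MSIE token lies,
    so the Trident token (N + 4 == IE major) is used when present.
    """
    if "Opera" in user_agent:
        return None
    trident = TRIDENT_RE.search(user_agent)
    if trident:
        return int(trident.group(1)) + 4
    msie = MSIE_RE.search(user_agent)
    if msie:
        return int(msie.group(1))
    return None


def is_vulnerable_client(user_agent: str) -> bool:
    """True only for a genuine IE 6 or older client."""
    ver = ie_major_version(user_agent)
    return ver is not None and ver <= IE_MAX_AFFECTED_MAJOR


def rule_applies(req: Request, ruleset_tier: str) -> bool:
    """Apply the signature only where all three scoping conditions hold."""
    return (
        ruleset_tier in RULE_TIERS
        and req.direction == RULE_DIRECTION
        and is_vulnerable_client(req.user_agent)
    )


# Constructed sample traffic (not captured data).
SAMPLE_REQUESTS = [
    Request("egress", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"),
    Request("egress", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"),
    Request("egress", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.51"),
    Request("egress", "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"),
    Request("ingress", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"),
]


def matched_requests(requests, ruleset_tier: str):
    """Return the indices of requests the rule would act on for a given tier."""
    return [i for i, r in enumerate(requests) if rule_applies(r, ruleset_tier)]


if __name__ == "__main__":
    for tier in ("default", "optional", "aggressive"):
        print(f"{RULE_NAME} in tier '{tier}': hits {matched_requests(SAMPLE_REQUESTS, tier)}")
```

With the default ruleset the rule never fires; in the optional or aggressive tier only the first request (a real IE 6 going out) is hit, while the compatibility-view IE 8, the Opera spoof, Firefox, and the inbound IE 6 request are all left alone.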