Re: RE: [fw-wiz] Layer 3-7 Firewall.

From: broyds@rogers.com
Date: 03/19/03

    From: <broyds@rogers.com>
    To: "Ben Nagy" <ben@iagu.net>, <Firewall-Wizards@Compucenter.org>, "'Firewall Wizards List'" <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 19 Mar 2003 12:36:09 -0500
    

    An example of a true L7 aware firewall is the Symantec Enterprise Firewall. I tested ours against usage of WebDAV extensions this morning and got this message (using Sam Spade):

    03/19/03 12:31:28 Browsing http://www.xxx.xxx.ca
    Fetching http://www.xxx.xxx.ca/ ...
    OPTIONS / HTTP/1.1

    Host: www.xxx.xxx.ca

    Connection: close

    User-Agent: Sam Spade 1.14

    HTTP/1.1 501 Not Implemented

    MIME-Version: 1.0

    Server: Simple, Secure Web Server 1.1

    Date: Wed, 19 Mar 2003 17:31:28 GMT

    Connection: close

    Content-Type: text/html

    <HTML>
    <HEAD><TITLE>Firewall Error: Not Implemented</TITLE></HEAD>
    <BODY>
    <H1>Not Implemented</H1>
    The method that your browser attempted to use is either not allowed by the
    firewall or unknown to the firewall.
    <br>
    One of the following may be the reason for this error:
    <UL>
    <LI>Your browser attempted to perform an illegal operation,</LI>
    <LI>The form on the web page that was just executed contains an illegal <i>
    action</i>, or</LI>
    <LI>The firewall does not yet support the features required by the requested
    URL.</LI>
    </UL>
    <BR>
    The request seen by the firewall was:
    <PRE>
            OPTIONS / HTTP/1.1

    Host: www.xxx.xxx.ca

    Connection: close

    User-Agent: Sam Spade 1.14

    </PRE>
    </body></HTML>

    It allows HTTP GET and POST without problem (but verifies that strings are in bounds etc.)

    Simple SPI only ensures that the traffic stream is valid TCP. Checkpoint has an extra module that validates HTTP to some extent, acting as a true application proxy, but many sites don't use it because it reduces speed.
      

    >
    > From: "Ben Nagy" <ben@iagu.net>
    > Date: 2003/03/19 Wed AM 10:12:56 EST
    > To: <Firewall-Wizards@Compucenter.org>,
    > "'Firewall Wizards List'" <firewall-wizards@honor.icsalabs.com>
    > Subject: RE: [fw-wiz] Layer 3-7 Firewall.
    >
    > > -----Original Message-----
    > > From: firewall-wizards-admin@honor.icsalabs.com
    > > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
    > > Of George J. Jahchan
    > [...]
    > > Is there a SPI firewall out there that is application-layer protocol
    > > aware?
    >
    > Is there one that isn't?
    >
    > (FTP can't work without layer 7 "awareness" for example)
    >
    > Also, SPI is a Checkpoint word, and it is certainly L7 "aware" (whether
    > it uses this awareness to measurably increase security is another
    > question....)
    >
    > Perhaps you could clarify exactly what you mean? I don't want to sound
    > glib, but the marketeers have made this kind of discussion treacherous
    > unless we all know that we're talking about exactly the same question.
    >
    > ben
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
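
The behaviour described in the message above (GET and POST forwarded after bounds checks, any other method answered by the firewall with 501) can be sketched as follows. This is an added example, not part of the original post and not Symantec's or Check Point's code; the function name, the size limits and the www.example.test host are assumptions made for illustration.

```python
# Added illustration of an HTTP application-proxy check; not vendor code.
ALLOWED_METHODS = {"GET", "POST"}   # the two methods the post reports as passed
MAX_REQUEST_LINE = 2048             # assumed bound; the post gives no figures
MAX_HEADER_LINE = 1024              # assumed bound
MAX_HEADERS = 64                    # assumed bound


def inspect_request(raw: bytes):
    """Return (status, reason) as an HTTP application proxy might decide.

    200 means "forward to the server"; anything else is answered by the proxy.
    A filter that only tracks TCP state would pass every sample below.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return 400, "incomplete header block"
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], lines[1:]

    if len(request_line) > MAX_REQUEST_LINE:
        return 414, "request line out of bounds"
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return 400, "malformed request line"
    method = parts[0].decode("ascii", "replace")
    if method not in ALLOWED_METHODS:
        return 501, f"method {method} not allowed"

    if len(headers) > MAX_HEADERS:
        return 431, "too many headers"
    for h in headers:
        if len(h) > MAX_HEADER_LINE:
            return 431, "header line out of bounds"
        name, colon, _value = h.partition(b":")
        if not colon or not name or name != name.strip():
            return 400, "malformed header"
    return 200, "forward"


# Constructed samples; the first mirrors the Sam Spade request in the post.
OPTIONS_REQ = (b"OPTIONS / HTTP/1.1\r\nHost: www.example.test\r\n"
               b"Connection: close\r\nUser-Agent: Sam Spade 1.14\r\n\r\n")
GET_REQ = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
LONG_REQ = b"GET /" + b"A" * 4000 + b" HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
PROPFIND_REQ = b"PROPFIND /docs HTTP/1.1\r\nHost: www.example.test\r\nDepth: 1\r\n\r\n"
```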

