Re: [fw-wiz] File type filtering (Was: Firewall Solution - 50 Users on SDSL Connection)

ark_at_eltex.net
Date: 10/06/03

    To: Paul Robertson <proberts@patriot.net>
    Date: Mon, 6 Oct 2003 18:33:27 +0400
    
    

    We (Advascan.com) run a filter that checks that actual content and MIME type match.

    Hell, what weird stuff software developers put in MIME headers!
    Even hardcoded typos
    (some software keeps sending content type x-mxexcel (sic!) and almost no
    one cares that vendor-specific content should go as vnd*).

    We don't give up this type of content filtering, though, because it
    seems to be highly effective at catching unknown worms and trojans.

    The proper way is to "fix" MIME headers to make them match the content
    and then apply the filtering policy.

    On Sun, Oct 05, 2003 at 11:30:29AM -0400, Paul Robertson wrote:
    > On Sun, 5 Oct 2003, Mikael Olsson wrote:
    >
    > > *meep* everything microsoft ignores mime type. It looks at the
    > > extension first, and *then* at the mime type.
    >
    > Filtering products shouldn't. In case it wasn't clear, I was suggesting
    > gateway filtering at the application layer.
    >
    > > Hence, if you have microsoft boxen in your network, the only reliable
    > > solution is whitelisting; deny everything, then allow the cross
    > > section of allowed mime types AND file extensions. By cross section
    > > I mean that the mime type has to be good AS WELL AS the extension.
    >
    > If you're going that far, you'll want to nuke the mismatched MIME stuff
    > too.

                                         _ _ _ _ _ _ _
     {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_
     (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_|
     [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
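
An added example, not part of the original thread and not Advascan's code: a gateway-side check that sniffs the real content, requires the file extension to be allowed for that content, and then either rewrites a wrong header (the "fix, then filter" approach) or drops the mismatch (the "nuke it" approach). The allow-list, function names and sample attachments are assumptions constructed for illustration.

```python
import os

# Constructed allow-list: MIME type -> (permitted extensions, magic-byte prefix).
# The OLE2 prefix is shared by other legacy Office formats, so the extension
# check is what narrows it to .xls here.
ALLOWED = {
    "application/pdf": ({".pdf"}, b"%PDF-"),
    "image/png": ({".png"}, b"\x89PNG\r\n\x1a\n"),
    "image/jpeg": ({".jpg", ".jpeg"}, b"\xff\xd8\xff"),
    "application/vnd.ms-excel": ({".xls"}, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
}

def sniff(data):
    """Return the allow-listed MIME type whose magic bytes match, else None."""
    for mime, (_exts, magic) in ALLOWED.items():
        if data.startswith(magic):
            return mime
    return None

def check_attachment(declared, filename, data, fix_headers=True):
    """Return (verdict, effective_mime, reason) for one attachment.

    fix_headers=True rewrites a wrong header to the sniffed type before
    applying policy; fix_headers=False drops any header/content mismatch.
    """
    declared = declared.split(";")[0].strip().lower()
    ext = os.path.splitext(filename)[1].lower()  # last extension only
    actual = sniff(data)
    if actual is None:
        return ("deny", None, "content matches no allow-listed type")
    if ext not in ALLOWED[actual][0]:
        return ("deny", actual, f"extension {ext!r} not allowed for {actual}")
    if declared != actual:
        if not fix_headers:
            return ("deny", actual, f"declared {declared!r} does not match content")
        return ("allow", actual, f"header rewritten from {declared!r}")
    return ("allow", actual, "header, extension and content agree")

if __name__ == "__main__":
    ole2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8  # constructed sample
    samples = [
        ("application/x-mxexcel", "report.xls", ole2),
        ("image/jpeg", "photo.jpg", b"MZ\x90\x00"),
        ("application/pdf", "invoice.pdf.exe", b"%PDF-1.4\n"),
    ]
    for declared, name, data in samples:
        print(name, check_attachment(declared, name, data))
```

Default-deny falls out of the structure: content that matches no allow-listed signature is rejected before the header or extension is even consulted.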

