Re: [fw-wiz] How automate firewall tests

From: George Capehart <capegeo@xxxxxxxxxxxxx>
Date: Sat, 02 Sep 2006 17:31:04 -0400

Jim Seymour wrote:

<snip>

There is a structured systems design book I have (I think that's the
one, anyway) that recommends input be conditioned as early in the data
flow as possible so it's done and over with, and you can not have to
worry about unconditioned data floating around in the system, being
(similarly) conditioned in multiple places (code redundancy), etc.
Similar concept.

Sorry about the late reply. Been buried on a project for a while.

While I agree in principle with the above sentiment, I think that there
is a significant caveat. The issue is data that traverses trust
boundaries. IMHO, the data should be conditioned, canonicalized,
scrubbed, etc. whenever it is received from a source that is not in the
same trust domain as the destination. Web* applications for instance.
I recently did an audit on a Web application in which the user was
allowed to enter some data into a form and POST it. On the way in, the
data was passed through the gamut of filters one would expect to find on
a well-designed Web application. Then the changes were sent back to the
browser for verification, passing through stringent output filtering.
The gotcha was that the changed data were sent out in form fields which
could easily be manipulated with one's choice of Web MITM package . . .
Tamper Data, Webscarab, Paros, etc. Only this time, the server did not
do any kind of checking on the returned data. Once again, the First
Commandment of input processing: "Do not trust the data unless it comes
from sources within the trust domain of the server . . . and then trust
but verify."

Here endeth the lesson.

/g

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Prev by Date: Re: [fw-wiz] How does your firewall handle DNS messages > 512 octets?
Next by Date: Re: [fw-wiz] How does your firewall handle DNS messages > 512 octets?
Previous by thread: Re: [fw-wiz] Possible to do torrents through firewalls and via a proxy?
Next by thread: Re: [fw-wiz] Not getting all our denied logs from Cisco FWSM
Index(es):
- Date
- Thread

Relevant Pages

Re: Trust requirements for TS License Server in a different domain
... Licensing Server needs to trust the domain containing the Terminal ... only thinking about the Terminal Server and the TS Licensing ... have to be in trust relationship with License Server Domain ...
(microsoft.public.windows.terminal_services)
Re: Not able to establish trust with another window 2003 domain
... The time of the two server is the same. ... MVP - Directory Services ... I had follow exactly the same that stated in your article but still fail. ... I try to remove the trust that created at my Source and re-create again. ...
(microsoft.public.windows.server.active_directory)
Re: OLAP and VPN / authentication / trust
... You need Network 2 to trust Network 1 users to access the resources on ... This is the essence of a "Trust Relationship". ... attempt to connect to a SQL server on Network2 using credentials like ...
(microsoft.public.sqlserver.olap)
Re: Trust Issues
... sharepoint and Project Server... ... I set a one way external trust between the great domain and one ... > since it is hard to determine if the VMWare image, ... These two systems are the virtual machine in VMware. ...
(microsoft.public.windows.server.general)
RE: Trust between two Forests Fail
... needed to match on both servers on both sides of the trust. ... Our server and their server did not match so we change Company A's server to ... Microsoft Technet “When to create a Forest Trust” a Forest trust fits our ... not running DNS under Windows Active Directory. ...
(microsoft.public.windows.server.active_directory)