[fw-wiz] IPS Content filtering techniques


We use since a long time ago IPS technique in filtering inbound traffic and do it by content inspection. However, we have noticed increasing rejections of certain traffic due to dirty reply packet content and will consider ways to issue automated notifications to certain actors on the Internet about weakness in their presence.

The "dirty" traffic is generated by sites issuing HTTP redirect commands (HTTP code 302). However, content filtering these packets do not work well in certail cases due to improperly formatted HTTP packets. A possibility to define a rule set would be:

a) accept packets with missing Content-Type and Content-Length: 0 (conforms with RFC 2616 chapt 7.2.1). Not all IPS systems are capable to handle such packets as desired, but Content-Type doesn't need to be investigated in this case. We are trying to create rules for this situation in Microsoft ISA server.

b) automatically notify in some way the originating site about malformatted HTTP packets in the situation when Content-Type is missing and the Content-Length is a positive number. Does such a implementation exists for the Microsoft ISA server and how should the notification recipient be identified automatically?

c) Also, unknown/private Content-Type settings can be investigated and pointed out automatically to the provider for correction when they cannot be identified to be properly defined. Beside the IANA list there are also possibilities to identify relatively common "well-known" private values.

Of course we do not want the IPS to "guess" the proper settings as Web readers do by obvious security reasons although this possibility exists according to RFC 2616 (obviously a possibility intended for Web readers, not security tools).

I would appreciate any comments in this matter!

Best regards

Axel Skough
Research & Development
Information Technology
Statistics Sweden
Box 24300
SE-10451 Stockholm

Visitor's address:
Karlavägen 100, Stockholm, Sweden

E-mail: axel.skough@xxxxxx
Fax: +46 8 5069 4599
SMS: +46 70 577 1727

No rights may be derived from the contents of this e-mail message.

The information in this e-mail message is intended only for the addressee. Statistics Sweden cannot vouch for the correctness and completeness of the contents of e-mail messages, nor for the timely receipt thereof.
firewall-wizards mailing list