Re: Norton Internet Security 2003 blacklist fault?
From: Sym Security (symsecurity_at_SYMANTEC.COM)
Date: 09/10/03
- Previous message: Don Herring: "Disabling DCOM"
- Maybe in reply to: Greg Lawton: "Norton Internet Security 2003 blacklist fault?"
- Next in thread: Geoff Vass: "Re: Norton Internet Security 2003 blacklist fault?"
Date: Wed, 10 Sep 2003 15:54:27 -0600 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Norton Internet Security conducts DNS lookups the first time that a
specific firewall rule is evaluated. DNS resolutions are handled through
an internal cache of DNS names, so resolution depends on the system
having resolved the address in the past.

We are investigating ways to periodically update DNS resolutions to keep
them up to date and hope to add this functionality in a future release.

For issue #2, if the user creates a rule to block <somecompany>.com,
news.<somecompany>.com will not be blocked because it is a different
computer than <somecompany>.com -- blocking the IP of one computer
doesn't block the IP of a different computer, even if they have the same
suffix.

Greg Lawton wrote:
> Hello, all. First time poster on this list - so be gentle!
>
> I was going to post this in a Symantec newsgroup first, and give
> them a chance to respond - but I took one look at the hundreds of
> groups that they run...
>
> Basically, Norton Internet Security (tested with the current 2003
> version) has, like any other firewall, an ability to stop access to
> a given site depending on a firewall rule.
>
> I have discovered that when you enter a rule to block a specific
> site, the software does a regular lookup for the site's IP address
> at the time you enter the rule. (So it can't add sites while you're
> off line - it has to be able to talk to your DNS server). That IP
> address is used as the blacklist target.
>
> Several worrying problems with this :-
>
> 1) If the blocked site then changes IP address, it's not caught.
> The ruleset will give the name of the site you think it's blocking,
> but it doesn't know it's moved. Since the block runs on IP
> addresses, that site is free to be accessed again.
>
> 2) Because large sites have multiple subdomains, such as
> www.bbc.co.uk, news.bbc.co.uk, this means that just entering
> bbc.co.uk (don't know why you'd want to ban the fine BBC, but it's
> an example) won't block news.bbc.co.uk.
>
> Basically, it doesn't block on matching the URL typed with the
> ruleset, it blocks on a blacklist of IP addresses resolved at the
> time each site was added.
>
> What do you all think?
- - --
- - ---------------------------------------
Sym Security
Symantec Corporation
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0
iQA/AwUBP1+fqBMwEkwA14VxEQL29gCgk6WMPoTyA9QHjUnSpM/IqG5sRC0AoPI6
TTLANmMegXWi2EVEQsaIp4Ey
=YcO9
-----END PGP SIGNATURE-----
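
The two issues discussed in this thread, as an added example that is not part of the original posts and is not Symantec's code: a block rule that stores the IP resolved once is compared with a hypothetical rule that suffix-matches the name and re-resolves after a TTL. `FakeDNS`, `SnapshotRule`, `RefreshingSuffixRule`, the 300-second TTL and the `example.test` records are assumptions made for illustration, and the second rule assumes the filter can see the requested hostname.

```python
class FakeDNS:
    """Constructed stand-in for a resolver so the example runs offline."""
    def __init__(self, records):
        self.records = dict(records)
    def resolve(self, name):
        return set(self.records.get(name, ()))

class SnapshotRule:
    """Behaviour described in the thread: resolve once, then match on IP only."""
    def __init__(self, name, dns):
        self.ips = dns.resolve(name)
    def blocks(self, host, ip):
        return ip in self.ips  # the requested name is never consulted

class RefreshingSuffixRule:
    """Hypothetical alternative: suffix-match the name, re-resolve after a TTL."""
    def __init__(self, name, dns, ttl=300):
        self.name, self.dns, self.ttl = name.lower().rstrip("."), dns, ttl
        self.ips, self.expires = set(), 0.0

    def blocks(self, host, ip, now):
        host = (host or "").lower().rstrip(".")
        if host == self.name or host.endswith("." + self.name):
            return True  # covers news.<name> without knowing its IP
        if now >= self.expires:  # cached answer is stale: look it up again
            self.ips = self.dns.resolve(self.name)
            self.expires = now + self.ttl
        return ip in self.ips

def demo():
    # Constructed records using documentation-only names and addresses.
    dns = FakeDNS({"example.test": ["192.0.2.10"],
                   "news.example.test": ["192.0.2.20"]})
    old = SnapshotRule("example.test", dns)
    new = RefreshingSuffixRule("example.test", dns, ttl=300)
    new.blocks(None, "192.0.2.10", now=0)           # first evaluation fills the cache
    dns.records["example.test"] = ["198.51.100.7"]  # the blocked site moves
    return {
        "snapshot_after_move": old.blocks("example.test", "198.51.100.7"),
        "snapshot_subdomain": old.blocks("news.example.test", "192.0.2.20"),
        "refresh_before_ttl": new.blocks(None, "198.51.100.7", now=100),
        "refresh_after_ttl": new.blocks(None, "198.51.100.7", now=301),
        "suffix_subdomain": new.blocks("news.example.test", "192.0.2.20", now=301),
    }

if __name__ == "__main__":
    print(demo())
```

Even with re-resolution, the rule misses the new address until the cached answer expires, so the refresh interval bounds how long a moved site stays reachable.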