Re: Norton Internet Security 2003 blacklist fault?

From: Jannie Hanekom (j_hanekom_at_HOTMAIL.COM)
Date: 09/04/03

    Date:         Thu, 4 Sep 2003 18:17:44 +0100
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Implementing host name blocking, while sounding fairly straight-forward, is
    actually quite complex. The key issue is that one simple way of
    circumventing this type of blocking is to simply type the IP address of the
    site - a product won't sell if it's that easy to get around it. I believe
    that this is why Internet Security is not sold as being able to do that.
    (Or, I should hope not.)

    Some relevant points:

    * There is no way to get a list of all IP addresses "associated" with a
    domain. There is no association between a block of IP addresses and a
    domain name; that's the beauty of DNS and its reason for existence.
    shop.example.net might point to the corporate e-commerce server in the UK,
    while www.example.net might point to the web hosting company somewhere in
    the US with an entirely different IP address range.

    * There are competing products (SurfControl, Websense, etc) costing many
    thousands of dollars that sell you frequently updated lists (at many
    thousands of dollars) that contain categories of sites and their associated
    IP addresses. These lists are expensive to maintain and as a result too
    expensive to include for free in a "home user" product.

    * The "home user" products that do do this type of blocking, typically do a
    type of content block by looking for certain keywords on web pages or sites
    which specify their content as "adult" (I believe - I'm not entirely sure
    how the likes of NetNanny and CyberSitter work).

    * You could create a "hack" solution by entering bogus entries in your
    "hosts" file or running your own DNS server and creating "bogus" zones for
    the domains you would like to block. This still won't prevent someone from
    entering the IP address and circumventing things, though, but would make it
    a bit more difficult to get the IP address.

    I'm hoping that explains part of the reasons why Norton Internet Security
    (and similar products) are "lazy" in that regard... I do agree that a
    feature to refresh a host's addresses on, say, a weekly basis by doing a
    simple NSLookup on your behalf would be a great addition to the product.
    You won't get Symantec to add this as a bug fix, though - your best recourse
    is probably to submit a feature request and convince others to request the
    same thing.

    Jannie

    -----Original Message-----
    From: Greg Lawton [mailto:gjl@PENACASATA.DEMON.CO.UK]
    Sent: 22 August 2003 21:12
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    Subject: Norton Internet Security 2003 blacklist fault?

    Hello, all. First time poster on this list - so be gentle!

    I was going to post this in a Symantec newsgroup first, and give them a
    chance to respond - but I took one look at the hundreds of groups that they
    run...

    Basically, Norton Internet Security (tested with the current 2003
    version) has, like any other firewall, an ability to stop access to a given
    site depending on a firewall rule.

    I have discovered that when you enter a rule to block a specific site, the
    software does a regular lookup for the site's IP address at the time you
    enter the rule. (So it can't add sites while you're off line - it has to be
    able to talk to your DNS server). That IP address is used as the blacklist
    target.

    Several worrying problems with this :-

    1) If the blocked site then changes IP address, it's not caught. The ruleset
    will give the name of the site you think it's blocking, but it doesn't know
    it's moved. Since the block runs on IP addresses, that site is free to be
    accessed again.
    2) Because large sites have multiple subdomains, such as www.bbc.co.uk,
    news.bbc.co.uk, this means that just entering bbc.co.uk (don't know why
    you'd want to ban the fine BBC, but it's an example) won't block
    news.bbc.co.uk.

    Basically, it doesn't block on matching the URL typed with the ruleset, it
    blocks on a blacklist of IP addresses resolved at the time each site was
    added.

    What do you all think?
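
An added illustration of the behaviour discussed in this thread (not part of either post and not the product's own code): a rule that snapshots a name's IP address when it is entered, the periodic re-lookup suggested in the reply, and a rule that matches the requested host name instead. The class names and the two DNS tables are constructed for the example and use documentation addresses.

```python
# Constructed DNS snapshots (documentation addresses); not real records.
DNS_AT_RULE_CREATION = {
    "example.net": ["192.0.2.10"],
    "shop.example.net": ["198.51.100.7"],
}
DNS_ONE_WEEK_LATER = {
    "example.net": ["203.0.113.5"],  # the site has moved to a new address
    "shop.example.net": ["198.51.100.7"],
}

class IpSnapshotRule:
    """Resolves the name once when the rule is entered, then filters on IP only."""
    def __init__(self, name, dns):
        self.name = name
        self.blocked_ips = set(dns.get(name, []))

    def refresh(self, dns):
        # The periodic re-lookup suggested in the reply.
        self.blocked_ips = set(dns.get(self.name, []))

    def blocks(self, host, dns):
        # `host` is a name, or a literal IP address typed directly.
        return any(ip in self.blocked_ips for ip in dns.get(host, [host]))

class HostnameRule:
    """Matches the requested host name against the rule, subdomains included."""
    def __init__(self, name):
        self.name = name.lower().rstrip(".")

    def blocks(self, host, dns=None):
        host = host.lower().rstrip(".")
        return host == self.name or host.endswith("." + self.name)

def evaluate():
    then, now = DNS_AT_RULE_CREATION, DNS_ONE_WEEK_LATER
    ip_rule, name_rule = IpSnapshotRule("example.net", then), HostnameRule("example.net")
    results = {
        "ip_rule_at_creation": ip_rule.blocks("example.net", then),
        "ip_rule_after_move": ip_rule.blocks("example.net", now),
        "ip_rule_subdomain": ip_rule.blocks("shop.example.net", now),
    }
    ip_rule.refresh(now)
    results.update({
        "refreshed_after_move": ip_rule.blocks("example.net", now),
        "refreshed_subdomain": ip_rule.blocks("shop.example.net", now),
        "name_rule_subdomain": name_rule.blocks("shop.example.net"),
        "name_rule_literal_ip": name_rule.blocks("198.51.100.7"),
    })
    return results
```

The refresh restores the block after the address change but still misses the subdomain, while the name-based rule covers the subdomain and misses a request made by literal IP address, which is why filtering products tend to combine both checks.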
