RE: The old question...

From: Royer, Cedric (Cedric.Royer@getronics.com)
Date: 09/27/01


Message-ID: <2C7AADF28639254C935BB2C202465AA901C7CDCA@excbebr300.europe.unity>
From: "Royer, Cedric" <Cedric.Royer@getronics.com>
To: 'Matt Collins' <matt@clues.com>
Subject: RE: The old question...
Date: Thu, 27 Sep 2001 09:54:52 +0200

I don't exactly understand what you are looking for, but I know there is a
product from Ubizen, MultiSecure Shield, which filters all HTTP traffic. It
is an appliance on a stripped Solaris.
Basically it lets through all 'normal' traffic and behaviour, but blocks
other behaviour which is not related to 'normal surfing use'. So web servers
are safe behind such a wall on the HTTP level. For secure transactions they
have other solutions.
For more info I suggest you go to www.ubizen.com...

kind regards,
Cédric Royer

-----Original Message-----
From: Matt Collins [mailto:matt@clues.com]
Sent: Wednesday, 26 September 2001 13:05
To: focus-ids@securityfocus.com
Subject: The old question...

I know this one bugs a lot of people, but I'm going to ask it again
anyway.... It's sort of a hybrid audit/analysis/IDS/enforcement
issue...

I work in security for some fairly major companies and recently
we've been seeing more and more concern over the web; it's becoming
business critical to those who generate revenue, and as a result
what have previously been carefully controlled border networks are
moving towards policies that permit any outbound web traffic. This
in itself has many issues with increasing attack vectors via the
actual HTML content delivered itself, but even more unmanageable
than that risk is the use of tunneled protocols.

We're seeing more and more "freeware" or even commercial applications
delivered that tunnel application streams over HTTP POST and SSL
(CONNECT) proxy connections, amongst other mechanisms, and that's
not counting the truly covert stuff that pretends to be FTP data
and so forth.

We've got some ideas on how to address this - traffic analysis at
the firewalls and proxies, session time, data flow patterns, etc.
- but I'd like to know if anybody has already set up forums for
discussing this sort of thing and developing solutions, or perhaps
even already created the wheel (in commercial form or otherwise).

It's a real issue; very liberal multi-usage protocols such as the
HTTP specification, which we pretty much have to permit through the
border at some points (whereas we can just deny most other stuff) on a
wide basis.

Any ideas? Any solutions? Any discussions or development
efforts we can contribute to?

Matt
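
The traffic-analysis idea Matt sketches (session time and data-flow patterns observed at the proxy, rather than inspecting content) as an added example; this is not code from either poster or from any product mentioned in the thread. It reads Squid "native" access.log lines and flags three shapes that ordinary surfing rarely produces: a CONNECT to a port other than 443, a CONNECT that stays open for hours while moving a lot of data, and a client that POSTs to one host on a near-fixed timer. The log lines, thresholds and hostnames are constructed for illustration; the thresholds are assumptions to be tuned against your own baseline.

```python
"""Heuristic detection of HTTP tunnelling in proxy logs (added example).

Input is Squid native access.log format, one request per line:
  time elapsed_ms client code/status bytes method URL ident hier/peer type
Findings are returned as (client, reason, detail) tuples so they can be
fed to whatever alerting the proxy already has.
"""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample log, not real traffic. The 10.0.0.7 CONNECT is a
# two-hour, 48 MB tunnel; 10.0.0.8 CONNECTs to port 22; 10.0.0.9 POSTs to
# one host every 60 seconds; 10.0.0.5 is ordinary browsing.
SAMPLE_LOG = """\
1001500000.123    312 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1001500001.001    140 10.0.0.5 TCP_HIT/200 2048 GET http://www.example.com/logo.gif - NONE/- image/gif
1001500002.500 7200000 10.0.0.7 TCP_MISS/200 48000000 CONNECT mail.example.net:443 - DIRECT/192.0.2.20 -
1001500003.000   1500 10.0.0.8 TCP_MISS/200 900 CONNECT relay.example.org:22 - DIRECT/192.0.2.30 -
1001500010.000    200 10.0.0.9 TCP_MISS/200 120 POST http://c2.example.org/up - DIRECT/192.0.2.40 text/plain
1001500070.000    210 10.0.0.9 TCP_MISS/200 118 POST http://c2.example.org/up - DIRECT/192.0.2.40 text/plain
1001500130.000    190 10.0.0.9 TCP_MISS/200 121 POST http://c2.example.org/up - DIRECT/192.0.2.40 text/plain
1001500190.000    205 10.0.0.9 TCP_MISS/200 119 POST http://c2.example.org/up - DIRECT/192.0.2.40 text/plain
1001500250.000    199 10.0.0.9 TCP_MISS/200 122 POST http://c2.example.org/up - DIRECT/192.0.2.40 text/plain
1001500300.000    800 10.0.0.5 TCP_MISS/200 300 POST http://www.example.com/login - DIRECT/192.0.2.10 text/html
"""

# Thresholds: assumptions for this example, tune to your own traffic baseline.
LONG_CONNECT_SECS = 3600          # CONNECT held open for more than an hour...
LONG_CONNECT_BYTES = 10_000_000   # ...and carrying more than ~10 MB
BEACON_MIN_POSTS = 4              # at least this many POSTs from one client to one host
BEACON_MAX_JITTER = 0.2           # stdev/mean of the gaps between them below this


def parse_line(line):
    """Split one Squid native log line into the fields we use; None if malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {
        "ts": float(fields[0]),
        "elapsed_ms": int(fields[1]),
        "client": fields[2],
        "bytes": int(fields[4]),
        "method": fields[5],
        "url": fields[6],
    }


def connect_port(url):
    """For CONNECT the URL field is host:port; return the port (443 if absent)."""
    host, _, port = url.rpartition(":")
    return int(port) if host and port.isdigit() else 443


def analyse(log_text):
    """Run the three heuristics over a log and return a list of findings."""
    findings = []
    posts = defaultdict(list)  # (client, host) -> [request timestamps]

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["method"] == "CONNECT":
            # Browsers only CONNECT to HTTPS ports; anything else is a tunnel.
            if connect_port(rec["url"]) != 443:
                findings.append((rec["client"], "connect-nonstandard-port", rec["url"]))
            # Squid logs elapsed time in milliseconds for the whole tunnel life.
            secs = rec["elapsed_ms"] / 1000
            if secs > LONG_CONNECT_SECS and rec["bytes"] > LONG_CONNECT_BYTES:
                findings.append((rec["client"], "long-connect-session",
                                 f"{rec['url']} {secs:.0f}s {rec['bytes']}B"))
        elif rec["method"] == "POST":
            host = urlsplit(rec["url"]).hostname or rec["url"]
            posts[(rec["client"], host)].append(rec["ts"])

    # A person clicking submit does not POST to the same host on a metronome;
    # a tunnel polling for its next command does.
    for (client, host), stamps in posts.items():
        if len(stamps) < BEACON_MIN_POSTS:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < BEACON_MAX_JITTER:
            findings.append((client, "regular-post-cadence",
                             f"{host} every ~{avg:.0f}s x{len(stamps)}"))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

On the sample it reports the two-hour CONNECT from 10.0.0.7, the port-22 CONNECT from 10.0.0.8 and the 60-second POST cadence from 10.0.0.9, and stays quiet about 10.0.0.5. None of the three checks looks at payload, which is the point: they work equally on POST bodies and on SSL CONNECT tunnels the proxy cannot read. The price is that a legitimate long-lived webmail session or a monitoring agent that polls on a timer will trip them too, so the thresholds are a starting point for a per-site baseline, not a verdict.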