Re: Hardware Firewall Recommendation

From: Leythos (void_at_nowhere.com)
Date: 06/18/04


Date: Fri, 18 Jun 2004 12:53:05 GMT

In article <77p4d0ha0ms0ca1hdhrrbfd2njugm59tdh@4ax.com>, mrozium@XSPAMX-yahoo.com says...
> Leythos wrote:
>
> >look into the SMTP Proxy for filtering attachments on inbound email - it
> >will remove infectious attachments based on file extension (not
> >actually detecting a virus) which has kept every client from being hit
> >by any of the email viruses in the last 5 years.
>
> How did you manage Wallon.A? Just curious. I blocked the rds.yahoo
> addresses and had no problems. Logged several attempts from (l)users
> clicking on the e-mail links, but their interest died as the link
> timed out.

Here is a description (from Symantec) of how it works:

W32.Wallon.A@mm arrives as an email with a link in the message body. The
email uses an Internet Explorer vulnerability, described in Microsoft
Security Bulletin MS04-004, to display an obfuscated link. Clicking the
link redirects the user to a Web site to download "wmplayer.exe" into
the Windows Media Player folder. The Web site may attempt to exploit an
Outlook Express vulnerability, described in Microsoft Security Bulletin
MS04-013, to download and execute the file. Because the worm attempts to
overwrite the Windows Media Player executable, any attempts to run
Windows Media Player on an infected computer will execute a copy of the
worm.

Our users would have seen the email; since there was nothing in it but a
link to a site, most would have just deleted the email. We send out
messages every month about following links to things outside their
company that come in email.

For those that did select it, they would not have had a problem - we
don't allow .exe or other types through the HTTP proxy service in the
firewall.

The WatchGuard firewalls have an HTTP proxy service that lets me
deny/approve the following:

1) Settings:
   Remove Client Connection Info
   Remove Cookies
   Deny Submissions
   Deny Java Applets
   Deny ActiveX Applets
   Remove unknown headers
   Log accounting/auditing information
   Require content type
   Idle timeout xxxxxx seconds

2) Safe Content:
   Allow only safe content types
   (you can add types based on mime specs)
   Deny Unsafe Path Patterns
   (add site paths you want to block, not sites)

3) Web Blocker - used to specify what content can be viewed
4) Web Blocker Schedule - enable/disable at programmed times
5) Web Blocker Operational Controls (what to filter when ON)
6) Web Blocker non-Operational Controls (what to filter when OFF)
7) WB Exceptions (permitted, denied) Add IP as needed

For SMTP I have two filters - one is the Firewall SMTP service and the
other (depending on what email server they have) is Symantec Small
Business Edition with Exchange Filter.

WG SMTP Options includes some of the following:

INBOUND RULES
1) General
   Idle Timeout (XXXXXX seconds)
   Max Recipients (XXXX)
   Maximum Size (xxxxxxx KB)
   Line Length (xxxxx bytes)
   Address Validation (RFC-822 Compliance)
     Allow Characters (list of chars you permit in email addresses)
     Allow 8-Bit characters
     Allow Source-Routed Addresses
2) Content Types
   Allow only safe content types
     (specify permitted types)
   Deny Attachments based on file name patterns
     (you can specify any pattern, includes wildcards)

There are many more, but you get the idea from this set. With these two
rules (and I didn't show how I have them set up, sorry) we've been able
to block 100% of all viruses and worms to date.

> Also, I believe you manage multiple firewalls, so how do you push
> updates like that to them?

We've not had to update the firewalls; the rules, once in place, cover
all of the problems that have come up. If you block .EXE you never have
to go back and update the firewall to keep users from downloading and
running .EXE over HTTP/HTTPS or SMTP.

One more thing that we do is set "Auto block sites that attempt to
connect to this service" and we set rules for ports 135, 139, and 445
for these auto-block sites. Just another way to make sure that infected
machines don't get past the firewall.

Most of our customers either installed Exchange 2000 or already had
Exchange servers; the SBE/Exchange filter from Symantec has done wonders
for those users - even without the firewall it includes RBL functions,
key word filters, subject and body word filtering, virus scanning,
attachment blocking, etc... Great product for Exchange.

-- 
spamfree999@rrohio.com
(Remove 999 to reply to me)
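The two SMTP proxy rules Leythos describes (deny attachments by file name pattern with wildcards, and allow only safe content types) as a small worked example. This is added illustration code, not the WatchGuard product's logic or the poster's configuration; the pattern list, safe-type list and the sample message are all constructed here.

```python
import email
import fnmatch
from email import policy
from email.message import EmailMessage

# Constructed deny-by-name list (wildcards, like the "Deny Attachments based on
# file name patterns" rule). Not the original poster's actual configuration.
DENY_NAME_PATTERNS = ["*.exe", "*.scr", "*.pif", "*.com", "*.bat", "*.vbs"]

# Constructed "allow only safe content types" list: anything else is denied.
SAFE_CONTENT_TYPES = {"text/plain", "text/html", "application/pdf",
                      "image/jpeg", "image/png"}


def attachment_verdicts(raw_message: bytes):
    """Return (filename, content_type, verdict, reason) for each attachment.

    The name check is case-insensitive and runs over the whole declared
    filename, so a double extension like 'Invoice.PDF.EXE' still hits '*.exe'.
    The content-type check runs second, so the reason reported is the first
    rule that fired, as a proxy log would show it.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    verdicts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is None:
            continue  # message body, not an attachment: name rules do not apply
        ctype = part.get_content_type()
        if any(fnmatch.fnmatch(name.lower(), p) for p in DENY_NAME_PATTERNS):
            verdicts.append((name, ctype, "deny", "filename pattern"))
        elif ctype not in SAFE_CONTENT_TYPES:
            verdicts.append((name, ctype, "deny", "content type not on safe list"))
        else:
            verdicts.append((name, ctype, "allow", "ok"))
    return verdicts


def should_block(raw_message: bytes) -> bool:
    """True if any attachment is denied (the whole message would be rejected)."""
    return any(v[2] == "deny" for v in attachment_verdicts(raw_message))


def build_sample_message() -> bytes:
    """Constructed test message: one benign attachment and two that must be denied."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", "sample"
    msg.set_content("See attachments.")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ sample", maintype="application", subtype="octet-stream", filename="Invoice.PDF.EXE")
    msg.add_attachment(b"PK sample", maintype="application", subtype="zip", filename="archive.zip")
    return bytes(msg)
```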
