[Sidewinder] Protocol violations

Sidewinder moderated discussion list sidewinder at adeptech.com
Wed Nov 4 14:12:02 EST 2009


There are several levels of reduced enforcement you can set.  I have several rules set up on my firewalls with a different source group for each one with different settings.  I should qualify my comments by noting that I only have version 7 firewalls now.  I started with Sidewinders when the G2 (version 6.0) had just been released.

The first level I try is using the "Relax protocol enforcements" check box in an HTTP App Defense.  That's my first try.  If that doesn't get it, I go the next step, which is to leave Relaxed enforcement on, and also move the Inspection "lever" from Full to the middle setting in the rule definition.  According to the note for this setting, "The security-context 'filtering' aspects of the application defense are not enforced.  Application layer data is examined to the minimum degree necessary to perform 'proxy' activities as defined by said protocol."  My final proxy-based attempt to bypass broken sites is to use another rule to turn that lever all the way to None.  This setting states, "No settings in the application defense are enforced.  Behaves like a transparent layer relay."  This still allows some improved security over a packet filter.  The final thing to do is what you were doing:  use a packet filter rule.

This level of pickiness is more of a hassle, but to me it's worth it to use the best security possible while still allowing the trusted site to work.


--------------------
Matthew Harrell
CSO
Plex Systems
mhar at plex.com
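The ladder above goes from full HTTP App Defense enforcement down to a packet filter, and the violation that drove the thread ("multipart/mimetype has invalid separator string", quoted in Jason's reply below) is a strict check of the multipart boundary against RFC 2046. To scope a relaxed rule to only the destinations that need it, it helps to know which captured uploads would fail that check and why. The following is an added example, not Sidewinder code and not anything posted in this thread: it validates the declared boundary against the RFC 2046 grammar, checks that the body actually uses it, and groups violations by Host header. All function names are hypothetical and the sample requests are constructed, not captured traffic.

```python
"""Classify multipart/form-data uploads against the RFC 2046 boundary grammar.

Added example, not Sidewinder code (hypothetical helper names throughout).
The sample requests below are constructed, not captured traffic.
"""
from string import ascii_letters, digits
from typing import Dict, List, Optional, Tuple

# RFC 2046 section 5.1.1:
#   boundary      := 0*69<bchars> bcharsnospace
#   bchars        := bcharsnospace / " "
#   bcharsnospace := DIGIT / ALPHA / "'" / "(" / ")" / "+" / "_" / ","
#                    / "-" / "." / "/" / ":" / "=" / "?"
_BCHARS = set(digits + ascii_letters + "'()+_,-./:=? ")
_MAX_BOUNDARY = 70


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def declared_boundary(content_type: str) -> Tuple[bool, Optional[str]]:
    """Return (is_multipart, boundary); boundary is None when the parameter is absent."""
    media, _, params = content_type.partition(";")
    if not media.strip().lower().startswith("multipart/"):
        return False, None
    for param in params.split(";"):
        name, _, value = param.strip().partition("=")
        if name.strip().lower() == "boundary":
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # quoted-string form of the parameter
            return True, value
    return True, None


def boundary_violations(boundary: Optional[str]) -> List[str]:
    """Problems a strict RFC 2046 check would report for the separator string."""
    if boundary is None:
        return ["missing boundary parameter"]
    problems: List[str] = []
    if not boundary:
        problems.append("empty boundary")
    if len(boundary) > _MAX_BOUNDARY:
        problems.append(f"boundary is {len(boundary)} chars, max is {_MAX_BOUNDARY}")
    if boundary.endswith(" "):
        problems.append("boundary ends with a space")
    illegal = sorted({c for c in boundary if c not in _BCHARS})
    if illegal:
        problems.append("illegal boundary characters: " + "".join(illegal))
    return problems


def body_violations(boundary: str, body: bytes) -> List[str]:
    """Check that the body actually uses the declared delimiter and closes it."""
    delim = b"--" + boundary.encode("utf-8")
    # Transport padding (trailing whitespace) after a delimiter is allowed by the RFC.
    lines = [ln.rstrip(b" \t") for ln in body.split(b"\r\n")]
    opens = [i for i, ln in enumerate(lines) if ln == delim]
    closes = [i for i, ln in enumerate(lines) if ln == delim + b"--"]
    problems: List[str] = []
    if not opens:
        problems.append("no delimiter line matches the declared boundary")
    if not closes:
        problems.append("missing close delimiter")
    elif opens and closes[-1] < opens[-1]:
        problems.append("delimiter appears after the close delimiter")
    return problems


def check_request(headers: Dict[str, str], body: bytes) -> List[str]:
    """All violations for one request; an empty list means strict enforcement passes it."""
    is_multipart, boundary = declared_boundary(_header(headers, "Content-Type") or "")
    if not is_multipart:
        return []
    problems = boundary_violations(boundary)
    if boundary:
        problems += body_violations(boundary, body)
    return problems


def hosts_needing_relaxed_rule(requests) -> Dict[str, List[str]]:
    """Group violations by Host header: the destinations for a relaxed-enforcement rule."""
    result: Dict[str, List[str]] = {}
    for headers, body in requests:
        problems = check_request(headers, body)
        if problems:
            result.setdefault(_header(headers, "Host") or "?", []).extend(problems)
    return result


# Constructed sample requests (not captured traffic).
GOOD = (
    {"Host": "intranet.example.com",
     "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"},
    b"------WebKitFormBoundary7MA4YWxkTrZu0gW\r\n"
    b'Content-Disposition: form-data; name="file"; filename="notes.txt"\r\n'
    b"Content-Type: text/plain\r\n\r\nhello\r\n"
    b"------WebKitFormBoundary7MA4YWxkTrZu0gW--\r\n",
)
BAD_CHARS = (  # characters outside the RFC 2046 bchars set
    {"Host": "uploads.example.com",
     "Content-Type": "multipart/form-data; boundary=upload$2009{1}"},
    b"--upload$2009{1}\r\n"
    b'Content-Disposition: form-data; name="file"; filename="a.bin"\r\n\r\n\x00\x01\r\n'
    b"--upload$2009{1}--\r\n",
)
MISMATCH = (  # body delimiter does not match the declared boundary
    {"Host": "uploads.example.com",
     "Content-Type": "multipart/form-data; boundary=abc123"},
    b'--xyz789\r\nContent-Disposition: form-data; name="f"\r\n\r\ndata\r\n--xyz789--\r\n',
)
SAMPLE_REQUESTS = [GOOD, BAD_CHARS, MISMATCH]

if __name__ == "__main__":
    for host, problems in hosts_needing_relaxed_rule(SAMPLE_REQUESTS).items():
        print(host, "->", "; ".join(problems))
```

Run it over a set of captured requests (Host header plus body) and the hosts it reports are the ones to put in the source or destination group for the "Relax protocol enforcements" rule; everything else can stay under full enforcement.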
________________________________________
From: sidewinder-bounces at adeptech.com [sidewinder-bounces at adeptech.com] On Behalf Of Sidewinder moderated discussion list [sidewinder at adeptech.com]
Sent: Wednesday, November 04, 2009 1:01 PM
To: sidewinder at adeptech.com
Subject: Re: [Sidewinder] Protocol violations

Well, the "Relax protocol enforcements" did help reduce a lot of the noise, but it still doesn't allow some of the traffic we've had actual problems with (for example, "multipart/mimetype has invalid separator string" violations actually prevent users from uploading content to necessary websites).  I guess I'll stick with the whitelist approach for now in the hopes that some type of finer-grained control will come in the future.

Thanks again for the suggestion.

Jason

On Wed, Nov 4, 2009 at 11:01 AM, Jason Podhorez <jpodhorez at gmail.com> wrote:

> Yes, I think that's exactly what I'm looking for (weird that support knew
> exactly what I was talking about but didn't suggest this to fix it).  I'll
> try it and see if it works.  Thanks!
>
>
> On Wed, Nov 4, 2009 at 10:50 AM, Sidewinder moderated discussion list <
> sidewinder at adeptech.com> wrote:
>
>> At least in V6, the only place is in the Application Defenses ("Web" by default) -- and all it allows is choosing which side you relax enforcement for (Client or Server).
>>
>> (... and don't call me Shirley ...  ;^) )
>>
>> > After my initial post it also occurred to me that Microsoft ISA Server (software firewall) as early as 2004 had the ability to specify which parts of protocol RFCs to enforce/ignore.  Surely there must be a way to dial it down if we don't have the need to enforce certain aspects.
>> _______________________________________________
>> Sidewinder mailing list
>> Sidewinder at adeptech.com
>> http://mail.adeptech.com/mailman/listinfo/sidewinder
>>
>
>