From: mfratto at nwc.com (Mike Fratto)
Subject: Sidewinder G2 Thanks and a question or two


> > Basically, version 4.1 failed to actually do HTTP syntax checking, making
> > the HTTP proxy a generic proxy in function. So all the HTTP protocol
> > violation style attacks weren't blocked at all. Proved it using tools off
> > packetstorm. Told SCC about it and proved it to them as well. Then they
> > verified the problem and issued a patch some months later.
> >
>
> This was VERY disturbing. Kind of makes Secure's claim look
> pretty stupid. Tried it on any other boxes? Apparently
> Secure Computing expected the web proxy to be in full use.
> Fortunately, we are a small enough operation to do exactly that.

I have tested this on subsequent versions and the problem has not resurfaced.
It was a bug that was corrected. I have also tested the HTTP, FTP, SMTP,
DNS, SQL*Net proxies for protocol violations, overly long headers
(configurable in the proxy settings to some extent), properly handling
dynamic protocols like FTP and SQL*Net, and everything worked as advertised.
There are, of course, limitations in the proxies and they won't stop all attacks,
but I am pretty confident that it will block attacks passing through the
firewall that violate the protocol.

> They seem very confident about
> the integrity of their jails and told me I had nothing to
> worry about even if a hacker broke into a root shell in one
> of them. I am not convinced that this would be, to quote the
> late great Douglas Adams, "mostly harmless".

If you want to get a look at type enforcement, grab a copy of SELinux:
http://www.nsa.gov/selinux/. Secure Computing's secos is the foundation of it.
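The distinction the thread draws, a generic TCP relay versus a proxy that actually checks HTTP syntax and header lengths, can be illustrated with a small validator. This is an added example, not code from Sidewinder or from anyone on this thread; the limits and the sample requests are constructed for illustration, since the page gives no numbers.

```python
import re

# Limits a protocol-aware proxy would enforce (hypothetical values chosen for this
# example; the page only says such limits are configurable to some extent).
MAX_HEADER_LINE = 1024
MAX_HEADERS = 64
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")      # RFC 7230 token
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")


def check_http_request(raw: bytes):
    """Return (ok, reason). A generic proxy forwards `raw` unchanged; a
    validating proxy drops anything that fails these syntax checks."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "no end of headers"
    if b"\n" in head.replace(b"\r\n", b""):
        return False, "bare LF in headers"
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in headers"
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    if m.group(1) not in METHODS:
        return False, f"unknown method {m.group(1)}"
    if m.group(3) != "1":
        return False, "unsupported HTTP version"
    headers = lines[1:]
    if len(headers) > MAX_HEADERS:
        return False, "too many headers"
    seen_host = False
    for line in headers:
        if len(line) > MAX_HEADER_LINE:
            return False, "header line too long"
        name, colon, value = line.partition(":")
        if not colon or not TOKEN.match(name):
            return False, f"malformed header {line[:20]!r}"
        if any(ord(c) < 0x20 and c != "\t" for c in value):
            return False, "control character in header value"
        if name.lower() == "host":
            seen_host = True
    if m.group(4) == "1" and not seen_host:
        return False, "HTTP/1.1 without Host"
    return True, "ok"
```

Each rejection reason is a candidate log field; a proxy that passes everything through would emit none of them.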

