From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: Query: Can Netfilter inspect xml soap traffic
Date: Tue, 25 Mar 2008 12:33:22 -0500
Message-ID: <47E93762.4040107@riverviewtech.net>
In-Reply-To: <47E93099.9010602@tssg.org>
On 03/25/08 12:04, william fitzgerald wrote:
> Thus, the ideal firewall configuration is one that is aligned with the
> application supported by the system, that is, it permits valid
> application traffic, and, preferably, no more and no less.
Not directly related to your question(s), but still appropriate.
I would like to see developers write their applications with
documentation (be it auto generated or not) that indicates what type of
traffic (and parameters thereon) they expect to see and need to
function correctly. I'd like to then take said documentation and use it
to build rules for a simple ALG that will pass any valid requests into
the back end application while correctly handling erroneous traffic. I
think said ALGs could easily function as a proxy with some simple rules
as to what is and is not allowed to pass through the ALG.
The next step is to educate the ALG about traffic flow from resource to
resource (read: page to page) and define how to handle improper traffic
flow. If someone tries to jump further in, should we go to an error
page, or should we send them back to the start page?
I think these types of ALGs would significantly reduce the security
problems with these types of applications. Or at least if there was an
SQL injection vulnerability in a given back end, it could be filtered by
an ALG by simply checking for valid characters in a particular object
property. The ALG could either scrub (remove) the object property or it
could fall back to an errant condition and redirect elsewhere, or it
could conditionally do both depending on the previous history of the
client. Say for example if you or I accidentally enter an inappropriate
character in a string and get redirected back to the form to correct the
error versus an SQL injection script trying different things against the
page.
These are the types of things that ALGs can do that are very difficult to
implement in the back end code.
Grant. . . .
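Added example (not part of the original mail, and not netfilter code): a small ALG-style filter in Python along the lines Grant sketches. The per-field policy stands in for the "what traffic do I expect" documentation an application would ship; the field names, patterns and strike threshold are hypothetical.

```python
import re
from collections import defaultdict

# Constructed per-field policy standing in for the application's own
# documentation of expected parameters (hypothetical form fields).
POLICY = {
    "username": ("[A-Za-z0-9_]{1,32}", "reject"),     # bad value: back to the form
    "comment": ("[A-Za-z0-9 .,!?]{0,200}", "scrub"),  # bad value: drop the property
}
MAX_STRIKES = 3  # assumed: violations before a client is treated as probing


class Alg:
    """ALG-style filter: validates each documented property, scrubs
    undocumented ones, and escalates per client based on prior violations."""

    def __init__(self, policy=POLICY, max_strikes=MAX_STRIKES):
        self.rules = {k: (re.compile(p), act) for k, (p, act) in policy.items()}
        self.max_strikes = max_strikes
        self.strikes = defaultdict(int)  # client id -> violation count so far

    def filter(self, client, params):
        """Return (action, cleaned_params); action is 'pass', 'redirect' or 'block'."""
        cleaned, needs_redirect, violated = {}, False, False
        for name, value in params.items():
            rule = self.rules.get(name)
            if rule is None:                 # not in the documentation: scrub it
                violated = True
                continue
            pattern, on_invalid = rule
            if pattern.fullmatch(value):
                cleaned[name] = value
            else:
                violated = True
                if on_invalid == "reject":
                    needs_redirect = True
        if not violated:
            return "pass", cleaned
        self.strikes[client] += 1
        if self.strikes[client] >= self.max_strikes:
            return "block", {}               # repeat offender: treat as hostile
        if needs_redirect:
            return "redirect", {}            # one-off mistake: send back to the form
        return "pass", cleaned               # only scrubbable properties were bad


if __name__ == "__main__":
    alg = Alg()
    print(alg.filter("10.0.0.5", {"username": "alice", "comment": "hi there!"}))
    print(alg.filter("10.0.0.5", {"username": "alice' OR 1=1--", "comment": "x"}))
```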