Michael,

First of all, FW-1 doesn't handle http statefully, as http is not defined in an inspection script. http is defined as tcp port 80 as a URI service. This means that as long as you're not using http in conjunction with a resource, it will allow *any* traffic to your host on port 80, http or not http. Using http along with a resource invokes fw1's (transparent) http proxy, which will verify that it's http that travels over the port (fw1 will otherwise send an http error message). Even if this will not stop all attacks on port 80, it will stop an intruder who succeeds in installing a trojan (like a telnet server (netcat -l)) on port 80 on your web server which is invoked based on source addresses. This will not stop attacks which use only the http protocol, such as cgi scripts which give the attacker access to any file on the system through http.

Any host that accepts external connections, even if they are through the "safest" firewall, should not be considered safe. Such hosts should be placed in a DMZ, and you should pay close attention to security bulletins from the vendor(s) of the installed programs on the externally available host. You should also consider installing IDS software, which will give you information on attackers trying to utilize attacks over http and other protocols.

Lars

-----Original Message-----
From: Michael B. Rash [mailto:[EMAIL PROTECTED]]
Sent: 5 August 2000 05:19
To: FW1 mailinglist
Subject: [FW1] stateful inspection and web vulnerabilities

Suppose that I have a webserver on my internal network that is protected by CP FW-1, and I allow the internet to see it over port 80. Also, suppose that my webserver has a well known root-level vulnerability that is exploitable remotely via port 80, say Apache with a poorly configured cgi script. FW-1 boasts application layer security via stateful inspection, but should I expect that my webserver is safe? Are there any documents that describe in detail what application layer attacks are stopped by FW-1?
I would expect that the webserver would still be vulnerable, and the only way the firewall could stop an exploit against the vulnerability would be for me to get my hands dirty with INSPECT code. In this case, how would FW-1 be acting as anything more than a dynamic packet filter? (Of course I should not be running such a vulnerable webserver in the first place, but for this discussion I am not interested in host-based security... just in FW-1).

Thanks,

--Mike

Michael B. Rash
http://www.math.umd.edu/~mbr

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
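The distinction Lars draws above, between a rule that only matches "tcp port 80" and a transparent http proxy that checks the bytes actually form an HTTP request, can be illustrated with a small protocol-conformance check. The following Python is an added example written for this archive page; it is not FW-1 code, not INSPECT, and not from either poster. The sample payloads (a browser request, a cgi request, and a shell prompt echoed by a non-HTTP listener bound to port 80) are constructed here, and the function names `port_filter_allows`, `http_proxy_allows` and `evaluate` are this example's own. It shows that the port-based rule passes all three, the protocol check rejects the non-HTTP stream, and, as Lars cautions, a well-formed request to a vulnerable cgi script still passes because it *is* valid HTTP.

```python
import re
from typing import Dict, Tuple

# Constructed sample payloads (not from the thread): the first bytes a server
# would receive on TCP port 80 from three different clients.
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    # A valid HTTP request aimed at a cgi script; protocol checks cannot tell
    # a benign cgi call from an abusive one, that is the application's job.
    "cgi_request": b"GET /cgi-bin/search.cgi?q=test HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    # What an interactive shell bound to port 80 (e.g. via netcat -l) would emit.
    "shell_banner": b"sh-2.03$ ",
}

_REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)\r?\n")
_ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
_SUPPORTED_VERSIONS = {(b"1", b"0"), (b"1", b"1")}


def port_filter_allows(dst_port: int, payload: bytes) -> bool:
    """A pure port-based rule ('tcp/80 -> webserver'): the payload is never examined."""
    return dst_port == 80


def http_proxy_allows(payload: bytes) -> Tuple[bool, str]:
    """Minimal conformance check modelled on what a transparent HTTP proxy does
    before forwarding: the stream must open with a well-formed request line,
    use a known method and version, and terminate its header block."""
    m = _REQUEST_LINE.match(payload)
    if not m:
        return False, "no HTTP request line"
    method, target, major, minor = m.groups()
    if method not in _ALLOWED_METHODS:
        return False, f"method {method.decode()} not allowed"
    if (major, minor) not in _SUPPORTED_VERSIONS:
        return False, "unsupported HTTP version"
    if not (target.startswith(b"/") or target.startswith(b"http://")):
        return False, "malformed request target"
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return False, "header block not terminated"
    for line in head.split(b"\r\n")[1:]:
        if b":" not in line:
            return False, "malformed header line"
    return True, "well-formed HTTP request"


def evaluate(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Dict[str, bool]]:
    """Run both checks over every sample and return the verdicts by name."""
    return {
        name: {
            "port_filter": port_filter_allows(80, payload),
            "http_proxy": http_proxy_allows(payload)[0],
        }
        for name, payload in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:13} port-filter={verdict['port_filter']!s:5} "
              f"http-proxy={verdict['http_proxy']!s:5} ({http_proxy_allows(SAMPLES[name])[1]})")
```

Running it prints one line per sample: `browser` and `cgi_request` are accepted by both checks, while `shell_banner` is accepted by the port filter but refused by the protocol check. The refusal is the value of putting a protocol-aware proxy in the path; the acceptance of `cgi_request` is the limit Lars describes, which is why the host still belongs in a DMZ with vendor bulletins and IDS watched.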
