-----Original Message-----
From: Luke, Jason (ISS Southfield) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 07, 2001 5:25 PM
To: 'METE EMINAGAOGLU (IT)'; [EMAIL PROTECTED]
Subject: RE: [FW1] Code Red: What security specialist don't mention in warnings

I bet that if you ever try this rule, you will also discover why it is not a good idea. The HTTP security server does not work very well, and when you put that rule in, it will probably be fine for a good 30 seconds, and then your CPU % will skyrocket to 100% and stay there. Analysis will reveal that the in.ahttpd process is the culprit. You are correct in that this technique is very effective at blocking that string. While I can't say for certain that the firewall performance was impacted when I had the CPU at 100%, I would rather not take the chance.

In my situation we had (Not LocalNets) -> DMZ web servers -> http_resource Drop.

The only time it would not peg was when we had only one webserver in the destination. Two webservers or more would peg it.

-----Original Message-----
From: METE EMINAGAOGLU (IT) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 06, 2001 9:22 AM
To: 'Carl E. Mankinen'; Wolfgang Kueter; [EMAIL PROTECTED]
Subject: RE: [FW1] Code Red: What security specialist don't mention in warnings

Hi to all....
>>Patching IIS,
>>Dropping all outgoing packets from IIS Servers in the DMZ,
>>Using any alternative Web Server to IIS...
These are all good solutions....
But let me ask you something:
Why don't you use CP FW's security server? (Checking with resource...)
For example, if Code Red is the case,
why don't you put a rule above all the http-related rules such as:

Source   Dest.   Service                Action
Any      Any     http->with resource    Drop

And the http->with resource service will be defined as a New Resource ---- URI:
URI:
Connection Methods: Transparent, Proxy (perhaps not so necessary, but doesn't give any headache at least...)
Schemes: http (only this will be enough...)
Methods: all (so as to guarantee...)
Host: *
Path: {*/default.ida?*}
Query: *

Save everything, and install....
It should be noted that since mostly *.ida is useless, this rule presumably shouldn't harm any Web-Server-based applications...
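To make the URI resource above concrete, here is an added example (not code from the thread, nor from Check Point) that approximates the match the rule performs in plain Python and runs it over a few constructed request lines. It assumes `*` matches any run of characters and every other character in the Path field, including the `?`, is literal; the real FW-1 wildcard semantics may differ, and the `CODE_RED_RESOURCE` dictionary, `request_matches` and `evaluate` names are this example's own.

```python
import re
from urllib.parse import urlsplit

# Constructed approximation of the URI resource described in the message:
# scheme http, all methods, host *, path */default.ida?*, query *.
CODE_RED_RESOURCE = {
    "schemes": {"http"},
    "methods": None,            # None means "all methods"
    "host": "*",
    "path": "*/default.ida?*",  # pattern from the message; '?' treated literally (assumption)
}


def glob_to_regex(pattern):
    """Translate a '*'-wildcard pattern into an anchored, case-insensitive regex.
    Only '*' is a wildcard; every other character is matched literally (assumption)."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def request_matches(method, url, resource=CODE_RED_RESOURCE):
    """Return True when a request (method + absolute URL) would be caught by the resource."""
    parsed = urlsplit(url)
    if parsed.scheme.lower() not in resource["schemes"]:
        return False
    if resource["methods"] is not None and method.upper() not in resource["methods"]:
        return False
    if not glob_to_regex(resource["host"]).match(parsed.netloc.lower()):
        return False
    # The Path pattern is matched against the full request-URI (path plus query),
    # which is why the pattern in the message carries a literal '?' (assumption).
    request_uri = parsed.path + ("?" + parsed.query if parsed.query else "")
    return bool(glob_to_regex(resource["path"]).match(request_uri))


def evaluate(requests, resource=CODE_RED_RESOURCE):
    """Apply the rule to (method, url) pairs; returns 'Drop' or 'Pass' per request."""
    return ["Drop" if request_matches(m, u, resource) else "Pass" for m, u in requests]


# Constructed sample requests. The first mimics the shape of a Code Red probe,
# shortened; the real one carried a long run of 'N' characters and %u-encoded bytes.
SAMPLE_REQUESTS = [
    ("GET", "http://www.example.com/default.ida?NNNNNNNNNNNN%u9090%u6858"),
    ("GET", "http://www.example.com/index.html"),
    ("POST", "http://www.example.com/scripts/default.ida?XXXX"),
    ("GET", "http://www.example.com/default.ida"),        # no query: literal '?' absent
    ("GET", "https://www.example.com/default.ida?NNNN"),  # https is not in the resource's schemes
]

if __name__ == "__main__":
    for (method, url), verdict in zip(SAMPLE_REQUESTS, evaluate(SAMPLE_REQUESTS)):
        print(f"{verdict:4} {method} {url}")
```

Two things the run makes visible that the rule text alone does not: a request for `/default.ida` with no query string slips past a pattern ending in `?*` when `?` is literal, and the resource never sees HTTPS because the security server only inspects cleartext HTTP. The example models only the match itself, not the cost of proxying every HTTP connection through in.ahttpd, which is the performance question the thread argues about.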
Title: RE: [FW1] Code Red: What security specialist don't mention in warnings

No sir, you're absolutely wrong or missing something.
I'm using that rule for about two weeks, and also such similar rules (not only http, but also smtp-resource, etc...) for a long time. Alas! No CPU bottleneck, or other performance problems, no pegging, etc.. Oh, by the way, the FW module is on Nokia IP650.
I always preach what I practice!.............
