Archive of UserLand's first discussion group, started October 5, 1998.

Analyzing protocols and file formats

Author: Ken MacLeod
Posted: 5/6/2000; 11:00:54 AM
Topic: scriptingNews outline for 5/5/2000
Msg #: 17079 (In response to 16956)
Prev/Next: 17078 / 17080

File types that might be OK as email enclosures: HTML, GIF, JPEG, ZIP, WAV

This is probably a pretty accurate, if informal, analysis.

And that's the important part of it, and what a security person would do: an analysis must be made.

Going back to the c.s.firewalls FAQ, the security analysts' job is not just to assess the protocol or file format (the bits on the wire), but the way it's used and the applications that use it.

Taking HTTP for example, you have to examine the browsers and your web servers too. Because HTTP is capable of transferring various file types, you have to examine the browsers and plug-ins that implement those file types. When protocols are tunneled through HTTP, you have to analyze them as individual protocols, and the contents they carry and the applications that use them.

HTTP and SMTP are typically passive protocols; they don't usually invoke special processing in the client or server. This makes analysis easier. HTML, GIF, JPEG, ZIP, WAV are also passive file formats. In both cases the analyst is mostly concerned with data-based attacks (stack overruns, for example).

Word and Excel documents, JavaScript (incl. in HTML), Java, and ActiveX are active file formats. Not only do the formats have to be analyzed (for data-based attacks) but also the environment and context where they are run. Significant measures must be taken to prevent attacks.

For security policies that start out as "block everything", proper implementation will generally dip into each protocol or file format and make sure that each portion only passes what is permitted. For security policies that start out as "allow everything", implementations will dip into each protocol when issues are discovered with particular formats or protocols.
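The "block everything" policy described in the post, where an implementation dips into each format and passes only what is permitted, as an added example (this is example code written for this archive page, not code from the post or from UserLand). It identifies an attachment's real format from its leading bytes rather than trusting the filename, denies anything unidentified, denies the active formats the post lists (OLE2 Word/Excel, Java class files, and Windows executables standing in for ActiveX), treats HTML that carries script as active, and opens ZIP archives to apply the same check to each member. The signature table, the permitted list, the size and nesting caps, and all sample inputs are constructed for illustration.

```python
"""Deny-by-default attachment gate, as a worked example of the post's
"block everything, then pass only what is permitted" policy.

Constructed example: the signature table, policy sets, caps and samples
are illustrative and do not come from any real mail filter."""
import io
import re
import zipfile

# Magic-byte signatures: (format, "passive" | "active", [(offset, bytes), ...]).
# A match requires every listed (offset, bytes) pair to be present.
SIGNATURES = [
    ("GIF", "passive", [(0, b"GIF87a")]),
    ("GIF", "passive", [(0, b"GIF89a")]),
    ("JPEG", "passive", [(0, b"\xff\xd8\xff")]),
    ("WAV", "passive", [(0, b"RIFF"), (8, b"WAVE")]),
    ("ZIP", "passive", [(0, b"PK\x03\x04")]),
    ("OLE2", "active", [(0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")]),  # legacy Word/Excel
    ("JavaClass", "active", [(0, b"\xca\xfe\xba\xbe")]),
    ("PE", "active", [(0, b"MZ")]),  # Windows executable / ActiveX control
]

# The post's own list of formats that might be OK as enclosures.
PERMITTED = {"HTML", "GIF", "JPEG", "ZIP", "WAV"}
# Extension -> format the extension claims. Anything else is not permitted.
EXT_TO_FORMAT = {"gif": "GIF", "jpg": "JPEG", "jpeg": "JPEG", "zip": "ZIP",
                 "wav": "WAV", "htm": "HTML", "html": "HTML"}
# Script in HTML turns a passive format into an active one.
SCRIPT_RE = re.compile(rb"<\s*script\b|javascript:|\son[a-z]+\s*=", re.IGNORECASE)
MAX_DEPTH = 2                    # how many nested ZIP levels we will open
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # refuse to inflate oversized members


def identify(data: bytes) -> tuple[str, str]:
    """Return (format, kind) from the leading bytes; ("unknown", "unknown") if no match."""
    for name, kind, checks in SIGNATURES:
        if all(data[off:off + len(sig)] == sig for off, sig in checks):
            return name, kind
    # HTML has no fixed magic; accept a document that opens with an HTML tag.
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")[:64].lower()
    if head.startswith((b"<!doctype html", b"<html")):
        return "HTML", "passive"
    return "unknown", "unknown"


def check_attachment(filename: str, data: bytes, depth: int = 0) -> tuple[bool, list[str]]:
    """Decide whether one attachment passes. Returns (allowed, denial reasons)."""
    reasons = []
    fmt, kind = identify(data)
    base = filename.rsplit("!", 1)[-1]            # strip "outer.zip!" prefix on members
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    expected = EXT_TO_FORMAT.get(ext)

    if fmt == "unknown":
        reasons.append(f"{filename}: format not identified; denied by default")
    elif kind == "active":
        reasons.append(f"{filename}: {fmt} is an active format")
    elif fmt not in PERMITTED:
        reasons.append(f"{filename}: {fmt} is not on the permitted list")
    if expected is None:
        reasons.append(f"{filename}: extension '.{ext}' is not permitted")
    elif fmt != "unknown" and expected != fmt:
        reasons.append(f"{filename}: extension claims {expected} but content is {fmt}")
    if fmt == "HTML" and SCRIPT_RE.search(data):
        reasons.append(f"{filename}: HTML carries script, so it is active content")
    if fmt == "ZIP":
        reasons.extend(inspect_zip(filename, data, depth))
    return (not reasons, reasons)


def inspect_zip(filename: str, data: bytes, depth: int) -> list[str]:
    """ZIP is a passive container, but each member must pass the same gate."""
    if depth >= MAX_DEPTH:
        return [f"{filename}: ZIP nested deeper than {MAX_DEPTH} levels"]
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    reasons.append(f"{filename}!{info.filename}: declared size exceeds cap")
                    continue
                member = zf.read(info)   # RuntimeError on encrypted members
                reasons.extend(check_attachment(f"{filename}!{info.filename}", member, depth + 1)[1])
    except (zipfile.BadZipFile, RuntimeError) as exc:
        reasons.append(f"{filename}: ZIP could not be inspected ({exc.__class__.__name__})")
    return reasons


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
SAMPLES = {  # constructed inputs: label -> (filename, bytes)
    "gif": ("cat.gif", b"GIF89a" + b"\x00" * 16),
    "wav": ("tone.wav", b"RIFF\x24\x00\x00\x00WAVEfmt " + b"\x00" * 16),
    "html_plain": ("minutes.html", b"<!DOCTYPE html><html><body><p>Minutes</p></body></html>"),
    "html_script": ("minutes.html", b"<html><body><script>document.title='x'</script></body></html>"),
    "doc_ole2": ("report.doc", OLE2),
    "exe_as_jpg": ("photo.jpg", b"MZ\x90\x00" + b"\x00" * 16),   # renamed executable
    "zip_of_gif": ("pics.zip", make_zip({"cat.gif": b"GIF89a" + b"\x00" * 16})),
    "zip_of_doc": ("pics.zip", make_zip({"report.doc": OLE2})),
}


def gate_samples() -> dict[str, bool]:
    """Run the gate over SAMPLES; returns {label: allowed}."""
    return {label: check_attachment(name, data)[0] for label, (name, data) in SAMPLES.items()}


if __name__ == "__main__":
    for label, (name, data) in SAMPLES.items():
        allowed, why = check_attachment(name, data)
        print(f"{label:12} {'PASS' if allowed else 'DENY'}", *why, sep="\n    " if why else " ")
```

The two policy styles the post contrasts differ only in the default: this gate denies anything not identified and not listed, whereas an "allow everything" implementation would start with an empty deny list and add entries as problems surface. Two details matter in practice and are why the ZIP branch exists at all: a passive container can carry an active payload, so the container's type alone says nothing about risk, and an archive the gate cannot open (encrypted, malformed, or nested past the cap) cannot be analyzed, so under a deny-by-default policy it does not pass.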

This page was archived on 6/13/2001; 4:55:07 PM.

© Copyright 1998-2001 UserLand Software, Inc.