HTTP Components and MS-Windows Defense Method
Attackers might use HTTP to deliver ActiveX controls, Java applets,
.zip files, or .exe files to a target system, enabling them to load
and control applications on hosts in a protected network. You can
configure the security device to block these components (the device
monitors the headers of incoming HTTP responses for blocked content
types), as described in Table 1.
Table 1: HTTP Components

| HTTP Component | Description |
|---|---|
| Java | Java applets enable Web pages to interact with other programs. An applet runs by downloading itself to the Java Virtual Machine (VM) on the target system. Because attackers can program Java applets to operate outside the VM's sandbox, you might want to block them from passing through the security device. |
| ActiveX | Microsoft's ActiveX enables different programs to interact with each other, and an ActiveX control might contain Java applets, .exe files, or .zip files. Web designers use ActiveX to create dynamic and interactive Web pages that function similarly across different operating systems and platforms. However, attackers might use ActiveX to gain control over a target computer system. When you block ActiveX components, the security device also blocks Java applets, .exe files, and .zip files, whether or not they are contained within an ActiveX control. |
| ZIP files | Files with the .zip extension contain one or more compressed files, some of which might be .exe files or other potentially malicious files. You can configure the security device to block all .zip files from passing through the zone. |
| EXE files | Files with the .exe extension might contain malicious code. You can configure the security device to block all .exe files from passing through the zone. |
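The following Python model of the header-based component check is an added example; it is not code from this page or from any vendor's device. It parses the header block of an HTTP response, maps the Content-Type (or, as a fallback, the filename extension in Content-Disposition) to one of the component classes in Table 1, and applies a per-zone blocking policy, including the rule stated in the table that blocking ActiveX also blocks Java, .exe and .zip content. The MIME-type and extension tables, the BlockPolicy representation and the sample responses are this example's own assumptions and are constructed, not captured.

```python
"""Header-based HTTP component blocking: added example, not device code."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Content-Type values mapped to the component classes in Table 1.
# This table is the example's own assumption, not the device's list.
MIME_TO_COMPONENT = {
    "application/java-archive": "java",
    "application/x-java-applet": "java",
    "application/x-oleobject": "activex",
    "application/zip": "zip",
    "application/x-zip-compressed": "zip",
    "application/x-msdownload": "exe",
    "application/x-msdos-program": "exe",
    "application/vnd.microsoft.portable-executable": "exe",
}
# Fallback when the server sends a generic type but names the file.
EXT_TO_COMPONENT = {".class": "java", ".jar": "java", ".ocx": "activex",
                    ".zip": "zip", ".exe": "exe"}


@dataclass(frozen=True)
class BlockPolicy:
    """Which components the zone blocks (one flag per row of Table 1)."""
    java: bool = False
    activex: bool = False
    zip: bool = False
    exe: bool = False

    def blocks(self, component: str) -> bool:
        # Per Table 1, blocking ActiveX also blocks Java, .exe and .zip
        # content whether or not it arrives inside an ActiveX control.
        if self.activex and component in ("activex", "java", "exe", "zip"):
            return True
        return getattr(self, component, False)


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a lower-cased dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify(headers: Dict[str, str]) -> Optional[str]:
    """Return the component class for a response, or None if unclassified."""
    ctype = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    if ctype in MIME_TO_COMPONENT:
        return MIME_TO_COMPONENT[ctype]
    m = re.search(r'filename=["\']?([^"\';]+)',
                  headers.get("content-disposition", ""), re.IGNORECASE)
    if m:
        name = m.group(1).strip().lower()
        for ext, comp in EXT_TO_COMPONENT.items():
            if name.endswith(ext):
                return comp
    return None


def inspect_response(raw: bytes, policy: BlockPolicy) -> Tuple[str, Optional[str]]:
    """Decide ("block" | "allow", component) for one response under a policy."""
    comp = classify(parse_headers(raw))
    if comp is not None and policy.blocks(comp):
        return "block", comp
    return "allow", comp


# Constructed sample responses (not captured traffic).
SAMPLE_RESPONSES = {
    "exe": (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\n"
            b"Content-Length: 2\r\n\r\nMZ"),
    "zip_by_name": (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                    b'Content-Disposition: attachment; filename="tools.zip"\r\n\r\nPK'),
    "html": b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html>",
}

if __name__ == "__main__":
    policy = BlockPolicy(activex=True)
    for name, raw in SAMPLE_RESPONSES.items():
        print(name, inspect_response(raw, policy))
```

Because the decision keys on headers alone, a policy that blocks only .zip still lets through an archive served under a generic type with no filename hint; the ActiveX flag is the broad switch, matching the table's note that it also covers Java, .exe and .zip.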
MS-Windows Defense
Older versions of Microsoft Windows (for example Windows 95 and
unpatched Windows NT 4.0) contain the WinNuke vulnerability, which an
attacker can exploit to mount a denial-of-service (DoS) attack against
any such computer reachable on the Internet. The attacker sends a TCP
segment with the urgent (URG) flag set (usually to NetBIOS port 139) to
a host with an established connection; this packet causes a NetBIOS
fragment overlap that can crash the Windows system.
To protect targets in the security zone from WinNuke attacks,
configure the security device to scan incoming Microsoft NetBIOS
session service (port 139) packets for a set URG flag. If such a
packet is detected, the security device unsets the URG flag, clears
the URG pointer, forwards the modified packet, and generates a log
entry for the event.
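The following Python example is added here to show the packet handling just described; it is not code from this page or from any vendor's device. It constructs a minimal IPv4/TCP packet, applies the WinNuke check (destination port 139 with URG set), clears the URG flag and the urgent pointer, recomputes the TCP checksum so the forwarded segment still verifies, and returns a log line. The packet builder, the addresses and the log format are this example's own assumptions.

```python
"""WinNuke screen on a raw IPv4/TCP packet: added example, not device code."""
import socket
import struct

NETBIOS_SESSION_PORT = 139   # NetBIOS session service
TCP_URG = 0x20               # URG bit in the TCP flags byte


def _ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit words (used for both IP and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the whole segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return _ones_complement_sum(pseudo + segment)


def tcp_checksum_ok(packet: bytes) -> bool:
    """True if the TCP checksum (which covers itself) verifies to zero."""
    ihl = (packet[0] & 0x0F) * 4
    return tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


def build_packet(src_ip, dst_ip, sport, dport, flags, urg_ptr, payload=b"") -> bytes:
    """Construct a minimal IPv4/TCP packet (test traffic, not a capture)."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # TCP header: ports, seq, ack, data offset (5 words), flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags,
                      8192, 0, urg_ptr) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def winnuke_screen(packet: bytes):
    """Apply the WinNuke check to one IPv4 packet.

    Returns (action, packet, log): action is "pass" for packets the screen
    leaves alone, or "modified" when URG was cleared on a port-139 segment.
    """
    if len(packet) < 40 or packet[0] >> 4 != 4 or packet[9] != 6:
        return "pass", packet, None
    ihl = (packet[0] & 0x0F) * 4
    src, dst = packet[12:16], packet[16:20]
    tcp = bytearray(packet[ihl:])
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]
    if dport != NETBIOS_SESSION_PORT or not flags & TCP_URG:
        return "pass", packet, None
    tcp[13] = flags & ~TCP_URG & 0xFF       # unset the URG flag
    tcp[18:20] = b"\x00\x00"                # clear the urgent pointer
    tcp[16:18] = b"\x00\x00"                # zero checksum before recomputing
    tcp[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(tcp)))
    # Log format is this example's own, not the device's event-log text.
    log = ("winnuke: %s:%d -> %s:%d URG flag and pointer cleared, packet forwarded"
           % (socket.inet_ntoa(src), sport, socket.inet_ntoa(dst), dport))
    return "modified", packet[:ihl] + bytes(tcp), log


if __name__ == "__main__":
    pkt = build_packet("198.51.100.7", "192.0.2.10", 40000, 139,
                       0x18 | TCP_URG, 1, b"\x00")
    action, out, log = winnuke_screen(pkt)
    print(action, tcp_checksum_ok(out), log)
```

Recomputing the checksum is the step that is easy to forget: clearing two fields without it would leave the receiver discarding the sanitized segment, which turns a forward-and-log action into a silent drop of legitimate NetBIOS traffic.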
Published: 2009-08-20