On Fri, Oct 25, 2002 at 09:47:23AM -0400, Stephen Frost wrote:
> Eh, it depends on how you look at it, but... The cisco includes support
> for checking out high-level protocols, such as HTTP. Basically you can
So, your PIX is looking at the HTTP requests, and it is validating
them. Fine. Now what is the largest HTTP request that you're going
to allow? 1k? 10k? 100k?
The PIX is NOT filtering the size of the HTTP request. It will happily
allow a multimegabyte request to come through. Is that exploiting a bug
in your http server? You don't know. And the PIX doesn't help.
When I encountered a PIX, multimegabyte HTTP requests were valid, and
the PIX screwed them up. A slight thinko on the side of the PIX
programmers.
The PIX HTTP filtering may give you some extra controls (I hear you can
do URL based filtering.... Wow!). Don't you have that control on your
webserver?
Roger.
-- ** R.E.Wolff@BitWizard.nl ** http://www.BitWizard.nl/ ** +31-15-2600998 ** *-- BitWizard writes Linux device drivers for any device you may have! --* * The Worlds Ecosystem is a stable system. Stable systems may experience * * excursions from the stable situation. We are currently in such an * * excursion: The stable situation does not include humans. *************** - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Thu Oct 31 2002 - 22:00:31 EST