HTTP Proxy Outgoing Proxy Action

How do I customize the HTTP proxy for outgoing connections?Fireware/HTTP Proxy

This document applies to:

Appliance Firebox X Core / Firebox X Core e-Series / Firebox X Peak / Firebox X Peak e-Series

Appliance Software versions FIreware 8.3 / Fireware Pro 8.3

Management Software versions WatchGuard System Manager 8.3

Introduction

HTTP (Hypertext Transfer Protocol) is the primary protocol used to send and display files (text, graphic images, sound, video, and other multimedia files) on the Internet. HTTP introduces many security risks because of unpatched client operating systems and browsers, and misconfigured and unpatched servers. And, because HTTP is universal, everyone uses it. The HTTP proxy in Fireware is a powerful content filter that examines HTTP traffic to identify and block suspicious content. The HTTP proxy also works with optional Fireware services (WebBlocker, Gateway AntiVirus, and signature-based Intrusion Prevention Service).It is easy to customize the HTTP proxy to your needs. You can configure it to:

• Allow only content that matches RFC specifications to act as a buffer between your web server and potentially harmful web clients.

• Restrict the content the Firebox allows into your network, based upon a fully qualified domain name, path name, file name, or extension as it appears in the URL.

• Examine HTTP headers to block unknown headers.

• Restrict the content the Firebox allows into your network based upon MIME type.

• Do a pattern match against the file header to block downloads of any file type, including client-side executable files such as Java; ActiveX; and Windows DLL, CAB, and executable files.

• Allow cookies only from domains you specify or that match patterns you specify.The HTTP proxy operates between the sending web server and your receiving web client. It processes the HTTP pro-tocol line-by-line for any potentially harmful content before it sends it to an internal web client.

What is a Proxy Action?

A Proxy Action is a set of rules that tell the Firebox how to apply one of its proxies to traffic of a specific type. An HTTP Proxy Action tells the Firebox how to apply the HTTP proxy to HTTP traffic. One HTTP Proxy Action can be very differ-ent from another HTTP Proxy Action. Some of the differences can be different options selected or not selected, dif-ferent patterns that each one looks for, and different types of content and headers that are allowed or denied.

How does the Firebox know which Proxy Action to use?Traffic over a certain port is processed by a firewall policy if the policy controls that port, and if the source and desti-nation IP addresses for the traffic flow match the From and To fields in the policy. You assign a Proxy Action to a proxy policy so that the Firebox knows how to apply the appropriate proxy for that type of traffic.Policy Manager can have more than one policy for web traffic. A very basic example is this: one HTTP policy controls HTTP traffic from a group of users with fewer privileges. This policy has the IP addresses of the less-privileged users’ computers in the From field. A second policy controls traffic from a more privileged group. The second policy has

1

How do I customize the HTTP proxy for outgoing connections?

the privileged users’ IP addresses in the From field. You assign one HTTP Proxy Action to the first policy and a differ-ent HTTP Proxy Action to the second policy. The Proxy Action you assign to the policy for the less privileged users has strict rules, designed to block more URLs and more content than the Proxy Action you apply to the policy for the more privileged users. You can create many Proxy Actions and use only some of them at a given time.

Predefined HTTP Proxy ActionsTwo predefined HTTP Proxy Actions are included with the product. To see them, from Policy Manager, select Setup > Actions > Proxies:

The Proxy Actions window shows a list of all the predefined Proxy Actions in blue text. Any other Proxy Actions that you create would appear in black text.

The HTTP-Client and HTTP-Server Proxy Actions have the same categories and options available. The difference between them is the default settings used in each one:

• HTTP-Client protects the HTTP clients behind your Firebox. The defaults in this Proxy Action give a basic level of protection for users on your trusted and optional networks as they browse the web.

• HTTP-Server protects the HTTP servers behind your Firebox. By default, it allows most HTTP connections through to your public web server, but stops any attempts to put files on or delete files from your web server.

2


NoteThis FAQ shows you how to customize the HTTP Client ruleset. It does not tell you how to customize the HTTP Server ruleset to protect a web server behind your Firebox.

Creating a Proxy ActionBecause you cannot make changes to the predefined Proxy Actions, you will rarely use them directly. However, you can use the Clone button to make a copy of an existing Proxy Action. You can use this copy as a template to start a new Proxy Action that you can customize for your organization.To copy an existing Proxy Action, select the predefined HTTP-Client Proxy Action and click the Clone button.

Assigning a Proxy Action to a policyTo tell the Firebox to use a Proxy Action to examine traffic, you must associate the Proxy Action to a policy. You do this on the Properties tab of a policy.

Ruleset Categories

There are 14 ruleset categories in the HTTP-Client Proxy Action. Each category is discussed in detail in the following sections.The categories and their functions are the same for both HTTP-Client and HTTP-Server Proxy Actions, but the default rules are different. These rulesets are shown in the Categories list to the left of the HTTP Proxy Configuration dialog box.

Request rules and Response rulesIn the first part of the HTTP Request/Response model, the client sends an HTTP request to the server. Because the request occurs first, the HTTP Request categories are the first line of defense that the proxy gives to the users behind your Firebox. The HTTP proxy has five categories of rules that tell the proxy how to process requests from clients.

3


There are also five categories for HTTP Responses. These categories tell the proxy how to handle responses from serv-ers.

HTTP Request — General Settings

Use these rules to control general HTTP parameters such as idle time-out, maximum URL length, range requests, and an important logging rule.

Idle timeoutThis setting closes the TCP socket used for an HTTP session after the specified amount of time has passed since the last packet that used the TCP socket. Because every open TCP session uses a small amount of memory on the Firebox, and because browsers and servers do not always close HTTP sessions cleanly, this option is used to control perfor-mance.

Recommendation:Keep this setting enabled to make sure that stale TCP connections are closed. This helps the Firebox save memory. You can lower the timeout to five minutes without problems.

URL lengthSets the maximum number of characters allowed in a URL. In this area of the proxy, “URL” includes anything in the web address after the top-level-domain, including the slash character, but not including the host name (the www.domain.com or the domain.com part of the web address). For example, the URL www.watchguard.com/prod-ucts counts nine characters toward this limit because /products has nine characters.The default value of 2048 is usually enough for any URL requested by a computer behind your Firebox. A URL that is very long can indicate an attempt to compromise a web server.

Recommendation:Because it is possible you can have infected web clients on the networks protected by the HTTP proxy, leave this setting enabled, with the default settings, to prevent attacks coming from your network.

Range requestsA range request is sometimes called a Partial GET. When a client wants a file from a web server, it can make a request for only a part of the file instead of the whole file. To do this, the client sends a Content-Range header with the HTTP request. There are two primary reasons why a client would do this:

• The client started to download a file but the download was interrupted for some reason. Usually when this happens the client has the partially downloaded file in a temp file in its local cache. To retrieve the rest of the file, the client issues a range request for only the part of the file it does not have, instead of downloading the entire file again.

• The client does not need the entire file.

4


Range requests introduce security risks. Malicious content can hide anywhere in a file and a range request makes it possible for any content to be split across range boundaries. The proxy can fail to see a pattern it is looking for when the file spans two GET operations.You can use the check box in this section to allow or deny range requests. If you have a subscription for Gateway Anti-Virus (GAV) or the signature-based Intrusion Prevention System (IPS), and you enable either of those security services, Fireware denies range requests regardless of whether this check box is selected.

Recommendation:Keep this check box cleared if the rules you make in the Body Content Types section of the proxy are designed to identify byte signatures deep in a file instead of just in the file header.

Summary log messageThe Send a log message with summary information for each transaction check box makes Fireware send a log message for every HTTP request, and another log message whenever a connection closes. The second log message gives the total bytes transferred in the HTTP transaction. This check box affects what information the Historical Reports application can put into a report you run. Select this box if you want the reports you run to include information about HTTP traffic. If you do not select this box, the HTTP Detail and HTTP Summary sections of your Historical Report will be blank.

NoteThis option creates a large number of log messages.

HTTP Request — Request Methods

Similar to a command, an HTTP method is the type of action that the sender wants the receiver to respond to. Fire-ware supports all the methods defined in RFC 2616 except one.

OPTIONSWith this method, the client requests information about the types of communications and methods it can use with a resource on the server or with the server itself. This method introduces no security threats.

Recommendation:It is safe to allow this method in an HTTP Proxy Action you use to protect clients.

GETThis is the method for retrieving resources from a web server.

Recommendation:You must allow the GET method for HTTP to work.

HEADThis method is very similar to the GET method except that HEAD method requests only HTTP headers, not body enti-ties. A client often uses this method to discover if a resource is available, if it was recently modified, or the size of an entity.

Recommendation:Allow this method for HTTP to work.

POSTA client uses this method to transfer user data to the server. In the POST request method, the data included after the POST method is always interpreted by the server in the context of some resource that already exists on the server. Examples include making a post to a news group, submitting data to a data-handling process on the server, or adding a new record to a database.

Recommendation:The purpose of your HTTP Proxy Action will dictate if you allow this method. If you do not want clients to post any data to the server, configure the Proxy Action to not allow the POST method. This method generally does not introduce security risks. If you do not allow it, clients are not able to fill out forms on web sites.

5


PUTThe PUT method is similar to the POST method, but the data transferred to the server is treated as an independent entity. The server does not attempt to apply the request to any other resource or change the enclosed entity in any way. Most web servers do not allow the PUT method because of the security problems it introduces when a remote client can store files on the server.

Recommendation:There is no risk to the client when it uses the PUT method. However, if you allow the PUT method, it is possible for a client to attempt a transfer of any data to the server. That includes sensitive information you may not want to go out to the Internet.

DELETEThis method lets a client send a request that the server delete an entity on the server. Most servers do not allow this method because of the security problems it introduces when a remote client can delete files on the server.

Recommendation:There is no risk to the client when it uses the DELETE method. You can safely allow clients to use it, but servers usually do not allow it.

TRACEThis method is used only for debugging and diagnostics. It causes the server to send the exact message it received (including all HTTP headers and cookies) back to the client. This introduces a known security risk.There are many cross-domain browser vulnerabilities that can cause a client to get data from or send information to a third-party domain. When a malicious web site accepts the TRACE method from a client and exploits a cross-domain browser vulnerability at the same time, sensitive information can be exposed to the server by way of the data path between the client and a third-party domain. This called a cross-site tracing attack.

Recommendation: The TRACE method is not allowed by default and you should not add it as an allowed method. The only exception is if you control both the client and the server, you are performing diagnostics for a short time, and you remove TRACE from the allowed methods when you finish the diagnostics.

CONNECTThe CONNECT method is not defined in the HTTP 1.1 specification.When a server accepts and processes the CONNECT method from a client, the server keeps the connection to the cli-ent and makes a second connection to another server that the client specifies, over some TCP port that the client specifies. After the CONNECT method is processed, the first server acts as a blind proxy (or forwarding agent) between the client and the other server. The server that receives the initial connection from the client simply trans-fers all packets it gets from the client to the other server, in a totally transparent manner, without regard to any con-tent that it passes to the other endpoint. Responses that come from the other server are forwarded to the client in the same way. The client can request that the tunneled connection to the other server is over any TCP port, not just 80 or 443.

Recommendation: Because the CONNECT method is not defined in the HTTP 1.1 specification, it is not supported. Although you can add CONNECT to the list of methods, the proxy generates a parsing error when it sees the request line. In the log message below, a client behind the Firebox configured the browser to use a publicly available proxy server for SSL, specifying port 80 for the proxy connection. The attempt to access the Wells Fargo online banking site was denied because the browser used an HTTP method (CONNECT) that the proxy does not support:

Deny [source-ip] [destination-ip] http/tcp 1687 80 1-Trusted 0-External ProxyDeny: HTTP Request line parse error (HTTP-proxy-02) src_ip_nat"[firebox-ip]" src_port_nat"11135" proxy_act"HTTP-Client" line"CONNECT online.wellsfargo.com:443 HTTP/1.1\x0d\x0a"

Other request methods The HTTP 1.1 specification allows for extensions to the protocol, and there are extensions to HTTP that define other request methods. However, the HTTP proxy in Fireware does not support any request method that is not defined in RFC 2616.

6


The most common unsupported methods you will see are those used by the Distributed Authoring and Versioning protocol, also called WebDAV or DAV. It lets more than one person edit an entity on the web at the same time, while it keeps track of the versions of the entity. The WebDAV specification adds seven more request methods to the eight defined by HTTP 1.1, and an extension to WebDAV called Delta-V adds another 11 request methods to refine version-ing control.Because these applications use the request methods in WebDAV, they will not work, or will only partially work through the HTTP proxy:

• Web-based mail systems based on Microsoft Exchange, especially Microsoft’s Outlook Web Access but also other customized Exchange-based webmail systems. The functionality of Internet Explorer differs from Mozilla-based browsers because there are some Microsoft-specific implementations of parts of WebDAV in Microsoft’s web server (IIS).

• Outlook Express, when it is configured to get HTTP mail from Microsoft’s Hotmail and MSN Mail services.

• The popular web-based Concurrent Versions System (CVS) SubVersion.When a user’s web browser tries to use one of the Web-DAV request methods, you will see a log message like this in Traffic Monitor:

Deny [source-ip] [destination-ip] http/tcp [source-port] [destination port 80] 1-Trusted 0-External ProxyDeny: HTTP Request method unsupported (HTTP-01) src_ip_nat="[firebox-ip]" src_port_nat="[nat_port]" proxy_act="HTTP-Client" method="PROPFIND"

NoteThe Policy Manager user interface lets you add other request methods to this area, but in Fireware versions 8.3 and previous, the only methods that the HTTP proxy allows are OPTIONS, GET, HEAD, POST, PUT, DELETE, and TRACE.

Rule matchAll the rules that are pre-populated in the list are Exact Match rules. The list of exact matches includes HEAD, GET, POST, OPTIONS, PUT, and DELETE. If you add a rule in Simple View it is added as a Pattern Match.

Action to takeThe proxy can take these actions when it sees an HTTP request method that matches a rule in your list:

• Allow: The proxy allows the method.

• Deny: The proxy denies the method and sends a message back to the client. You can customize this message in the Deny Message area of the HTTP proxy.

• Drop: The proxy drops the request and does not send a message back to the client. The Firebox sends only a TCP reset packet to the client. The client’s browser might display “The connection was reset” or “The page cannot be displayed” but the browser does not tell the user why.

• Block: The proxy denies the method and puts the source of the request on the Auto-Blocked Sites list. If the user was on the Firebox Authenticated User list, the user’s IP address is removed from that list and the user is no longer authenticated. All traffic from an IP address on the Auto-Blocked Sites list is denied for the amount of time specified in Policy Manager at Setup > Intrusion Prevention > Blocked Sites, on the Auto-Blocked tab. Use this action only if you want to stop all traffic from the offender for this time.

Default actionThe default action for a request method not on the list is Deny.

Alarm or logBy default the proxy does not send a log message for request methods in the rules list, but it does send a log message for methods not on the list.

HTTP Request - URL Paths

In this area of the Proxy Action you tell the Firebox to allow or deny connections based on the URL that the proxy sees in the HTTP request. When we talk of the URL in URL path, we mean the entire name of the resource, including the

7


domain name. For our example from the WatchGuard web site, URL in the URL path means www.watchguard.com/support. Fireware compares the URL, including the entire domain name, with the rules you enter here.

Rule matchThere are no rules pre-populated in the list. If you add a rule in Simple View it is added as a Pattern Match. You can use rules in this area of the proxy to block an entire domain or your rule can match a certain word or pattern.

Block a domain and paths in the domainFor example, to block any path in the www. myspace.comdomain, you can make a pattern-matching rule www.myspace.com*. That would match www.myspace.com, www.myspace.com/, www.myspace.com/register, and any other URL that starts with www.myspace.com. However if a user goes to http://myspace.com, such a rule would not match because the URL does not use the www subdomain. It would also not match invite.myspace.com or groups.myspace.com. You can place a wildcard in front to match the myspace.com domain and any subdomain, and a wildcard at the end to match any path in that domain. Then your pattern-matching rule would be *myspace.com*.

Block a file name extensionAnother example is to make a rule to match any URL that contains the common three-character file extension for many Windows executable files, .exe. A simple pattern-match does this: *.exe matches any URL that ends with .exe and such a rule would match many HTTP requests for executable files with that file extension. Unfortunately, there is no guarantee that an executable file has this file extension. You can make a more positive identification of the contents of a file by making the proxy look at the file’s actual contents. In the Body Content Types section you’ll learn how.

Action to takeThe actions for this area of the Proxy Action are the same as for the previous one with one addition:

AV ScanThis option is available only if you have a current license for Gateway AntiVirus. The response from this request will be scanned for viruses when the client’s HTTP request matches a rule that uses AV Scan for the action. The Firebox does not send a message to the client if a connection is denied because of a virus signature match; it sends only a FIN packet to close the connection. Because the GAV engine does not cache data before sending it to clients, the end user may see a partially downloaded web document before the connection is terminated.

Recommendation:Use URL Path rules to block requests you consider dangerous or unacceptable, such as the .exe example above. If you prevent requests, content you want to block never reaches the Firebox and the proxy does not have to spend resources scanning content. If you have a rule to deny a connection, use the Deny action to make the Firebox send a message to the client’s browser. This is the only way the client can learn why the connection was denied. The user whose connection was denied can contact you for further investigation. Do not use the Block action unless you want to make sure the client can send no traffic at all after it violates the rule.

Default actionIf a URL does not match any rule in the list, the connection is allowed.

Alarm or logBy default the proxy does not send a log message for any rules.

HTTP Request - Header Fields

HTTP uses headers in both requests and responses. This ruleset lets you allow or strip HTTP request headers. The browser uses request headers to send cookies to the server, to tell the server what version browser is in use, what lan-guage is preferred, and other information about what type of data the client will accept. The proxy checks all request headers against the rules you add. It looks at each header’s name and its value.

8


Rule matchBy default, the Firebox uses pattern matching rules to strip Via and From headers, and allows all other headers. There is a rule for the Referer header but it is disabled.The Via header can be added to a client request by proxy servers to perform such operations as track message for-wards and avoid request loops. You can strip the Via header to protect client privacy. The From header passes the user’s email address to the server. Most browsers today either do not support the From header, or they send an anonymous address such as [email protected]. The proxy strips the header by default so that email addresses cannot be used by bulk mailers.Clients use the Referer header to send the address (URI) of the resource from which this request-URI was obtained. In other words, sometimes when you click on a link, your browser sends information about the site you just came from. This lets the receiving server gather statistics, optimize caching, trace bad links, and so on. Some users feel it is a breach of privacy to tell any server what previous site referred the user to visit this site. Some sites do not allow con-nections if the Referer field is not present or if the referer is not a certain domain. In addition, many CGI scripts that run on the web server rely on the Referer header to make sure the HTTP request comes from a previously scripted event. This is becoming less common as web security professionals realize that the header is easily spoofed. Because stripping this header causes some connections to break, the rule is disabled by default.

Recommendation:Keep the defaults unless you are familiar with the header you want to strip and know the consequences if you strip it. Most request headers the client sends are necessary for the server to know the intentions and the capabilities of the client.

Action to takeThe actions to take when a header matches a rule include only Strip and Allow. You cannot use these rules to make the Firebox terminate a connection or to block a client or server if a header matches a rule.

Default actionThe default action is to allow any request headers that do not match a rule in the list.

Alarm or logNo log messages are sent by default.

HTTP Request - Authorization

This ruleset determines the type of authentication mechanism clients can use when a web site asks the user for authorization. This is the popup that you see when prompted to log in to a secure site. When a client’s HTTP request is for something that requires authorization, the web server starts the authentication process. It sends the client a 401 response (Unauthorized or Authentication Required), along with one or more WWW-Authenticate: headers. This header begins a challenge to the client to prove it is authorized to access the data. The user types a user name and password into the popup box, and the client application (the browser) formu-lates the response. The browser sends the credentials as part of an Authorization: request header in its next request.The first value in a WWW-Authenticate header tells the client which authentication method (or scheme) it can use. This value is the main item the proxy looks for when it checks this ruleset. The server can send more than one WWW-Authenticate header to indicate that it accepts more than one authentication type, and the client uses the strongest scheme it supports. The HTTP proxy looks at the authentication scheme listed in each WWW-Authenticate header to see which schemes your ruleset allows.Here is a typical set of WWW-Authenticate headers, from the web configuration pages of a WatchGuard SOHO 6 Fire-box. They tell the client that it can use Basic or Digest authentication to access the SOHO’s web interface:

WWW-Authenticate: Basic realm="WatchGuard SOHO 6 Configuration”

WWW-Authenticate: Digest realm="WatchGuard SOHO 6 Configuration",qop="auth",nonce="4d0ea81c998bd95d2f33ccd8d23b1daa23"

9


Authentication methodsThe preconfigured HTTP Client proxy allows these authentication methods. Note that many web sites do not use any of the methods listed; instead, the method for encoding and transmitting credentials is coded into the web applica-tion.

BASICThis is the least secure of all authentication methods. The user name and password are transferred without encryp-tion. They are encoded with only Base64 encoding, which is easy to decode.

Recommendation:Although BASIC authentication has been replaced by the more secure DIGEST method in many places, it is still used by some servers. Allow this scheme only after you seriously consider its risks.

DIGESTDIGEST authentication is more secure than BASIC because the password is not sent. Instead, the browser takes the user’s password, together with several other unique values, to make a one-way cryptographic digest (also called a hash or a checksum) of all these values. The server has access to the user’s password, and to the same values the client used to create the checksum, so it computes the checksum as well. If the server’s result for the checksum matches the client’s result, the server knows the user has the correct password. However, DIGEST does not guarantee message integrity. Even though the user’s password is never sent, man-in-the-middle attacks are possible.

Recommendation: Allow this common HTTP authentication method.

NTLM NTLM HTTP authentication is a proprietary Microsoft implementation of HTTP authentication that allows clients to use their Windows credentials to access resources. For several years Internet Explorer was the only browser that could use it, but today Firefox, Netscape, and other browsers have NTLM functionality built in as well. The HTTP version of the NTLM protocol lets the client and the server negotiate to choose the most secure version that both can use. The server and client can also agree to use Kerberos, which provides solid security, through the HTTP NTLM authentica-tion process.NTLM is often used to authenticate to a Windows-based proxy server, and is also used for direct authentication to some Windows web servers. It is considered to be weaker than DIGEST because in some cases the LAN Manager hash of the user’s password can be extracted from an exchange of Base64-encoded messages, and this hash is vulnerable to well-known cracking tools. In addition, NTLM is not a per-request authentication like BASIC and DIGEST. Instead, it is connection-oriented: once authenticated, a user is not asked for credentials again until the TCP session is termi-nated. That makes it risky for external authentication to a proxy server, because if the proxy server is compromised the user’s credentials can be reused to access other systems in the same Windows domain. Because of this, Internet Explorer by default restricts the use of NTLM to IE’s Local Network zone only. NTLM does not work through some proxy servers for this reason and for other connection-related reasons.

Recommendation:For the highest security, allow this authentication method only if you are confident that server and client will negotiate to use NTLMv2 or Kerberos for the HTTP authentication. (The proxy cannot determine which version of NTLM the client and server negotiate to use in the transaction; it can only allow or strip the WWW-Authenticate header if it indicates to use NTLM.)

Passport1.4Passport is Microsoft’s proprietary authentication mechanism for central authentication of users. It is rarely used today.

Rule matchThe rule for each authentication type is by default an exact match. The proxy looks at the value in any WWW-Authen-ticate response header field and compares it to the rules here.

10


Action to takeThe proxy can take one of two possible actions when a rule matches: Allow the authentication scheme or Strip it. You cannot use these rules to make the Firebox block a site or terminate a connection.Note the client’s request is not stripped; the WWW-Authenticate header in the server’s response is stripped. If you have a rule to strip a certain authentication scheme, the proxy strips any WWW-Authenticate response header sent by the server that has that authentication scheme as the value. Remember that a server can send more than one WWW-Authenticate header to indicate it accepts multiple schemes. If your proxy rules strip BASIC but allow DIGEST, and the server accepts both authentication schemes, the client is forced to use the stronger DIGEST scheme because it never knows that the server accepts the BASIC method. The BASIC method is stripped, so the client does not see it as a possible authentication scheme to use. This protects your network from information disclosure from older browsers that do not support DIGEST.

Default actionThe default action is to Strip.

Alarm or logBy default, a header that is stripped because it does not match a rule causes a log message. Here is an example log message:[date] [time] Allow [source-ip] [destination-ip] http/tcp 3082 80 1-Trusted 0-External Prox-yStrip: HTTP Header auth scheme match (HTTP-proxy-02) src_ip_nat="[firebox external ip]" src_port_nat="[nat_port]" proxy_act="HTTP-Client.1" rule_name="Digest" scheme="Digest" When there is no rule to allow the authentication scheme, the HTTP proxy sends the HTTP Deny message to the cli-ent. In this case the reason that Fireware uses for the %(reason)% variable in the deny message is: all proposed authentication schemes denied.

HTTP Response - General Settings

Use this ruleset to configure these basic HTTP response parameters. If you set any of these values to 0, the Firebox ignores the option.

Idle TimeoutAmount of time the proxy waits for a response from the server after the client issues a request.

Recommendation:Keep this setting enabled to make sure stale TCP connections are closed. This helps the Firebox conserve memory.

Set the maximum line lengthTotal length of one line in an HTTP response line or header. The default is 4096 bytes.

Recommendation:Keep this at the default setting. A long unterminated line can be an attempt to exploit a buffer overflow.

Set the maximum total lengthHTTP header field values can be folded onto multiple lines if the continuation line begins with a space or horizontal tab. This setting sets the maximum total length of a response line or a header field.

Recommendation:HTTP does not set any line length limitations. The limit in Fireware defaults to 16384 bytes, even when you do not select the check box to activate this setting. Leave this setting at the default to protect against possible exploits.

HTTP Response - Header Fields

This ruleset controls which HTTP response header fields the Firebox allows. Some HTTP headers are critical for proper operation of the HTTP protocol. The current HTTP 1.1 specification defines about 50 different header fields. The HTTP proxy allows most of these by default and strips all others.

11


Rule matchBy default there are 49 rules to allow the most common header fields. These rules are all pattern matching rules. Each rule matches a header field name only, and allows any value for the header. If you add a rule to allow or deny a header, by default it is a pattern-matching rule. You can switch to Advanced View if you need to make a more complex rule that matches a header field only if it matches certain values.

Action to takeA rule here can be set to Allow a header or to Strip it. You cannot use these rules to make the Firebox block a site or terminate a connection.

Default actionBy default, any header that does not match a rule is stripped.

Alarm or logBy default, a header that is stripped because it does not match a rule causes a log message. Here is an example log message:[date] [time] Allow [source-ip] [destination-ip] http/tcp 3082 80 1-Trusted 0-External Prox-yStrip: HTTP Header match (HTTP-proxy-02) src_ip_nat="[firebox external ip]" src_port_nat="[nat_port]" proxy_act="HTTP-Client.1" rule_name="Default" header="X-AspNet-Ver-sion: 1.1.4322\x0d\x0a"

Recommendation: It is generally good security practice to deny everything except what you specifically deem to be safe. The headers in the default list are generally needed for the HTTP protocol to operate and are safe to allow. Because it is difficult to find the purpose for many custom headers, we suggest you leave the default Strip rule for headers that are not specifically allowed. If the amount of logging generated by the default Strip action is excessive, turn off logging for the default Strip rule. It is possible that you can have a connection problem when a response header is stripped and the header is not one of those that are allowed by default. If you suspect that a problem is caused by a stripped response header, turn this logging back on.

HTTP Response - Content Types (MIME Types)

This ruleset lets you allow or deny content based on the Content-Type header associated with an HTTP message. The content type of an HTTP message body is also called the MIME type. MIME is a standard for representing arbitrary binary content in Internet messages.When a web server sends content in response to a GET request, the content in the message body is always preceded by one or more headers. The Content-Type header is one of the headers that can precede the message body. This header tells the client application (normally this is the web browser) how to interpret the HTTP message body.

Format of the Content-Type header The value for the Content-Type header has a well-defined structure: a main media type (such as text, image, or audio), followed by a slash “/”, followed by a subtype. You can use a wildcard character (*) to match any subtype of the given type. For example, text/* matches any one of over 20 subtypes such as text/html or text/plain. Similarly, image/* matches any content type that indicates any image type, such as image/.gif or image/jpeg.

About application/octet-streamThis is the default, generic content type a server assigns to a file when the server has no other content type associ-ated with it, when the server is not configured correctly, when the application the server is running is coded poorly, or when the application developer did not assign one. In some situations you may need to allow this content type. For example, many Microsoft Windows Update files have application/octet-stream for the content type. If you must allow this content type, it is highly recommended that you use the AV Scan action for this content type. (A license is required for this add-on service.)

About missing content types

12


Sometimes a server is so badly misconfigured that no Content-Type header precedes the message body at all. Or, the Content-Type header is present but the value is null (blank). The (none) rule in the default HTTP-Client proxy is a blank rule to match the null content type. It is not enabled by default. You must switch to Advanced View to enable it.

How the client uses the Content-Type headerSome operating systems use the Content-Type and some use internal file type definitions to determine what to do with a file. Browsers and other applications can also ignore MIME types and use other methods to render or run files. Depending on the value of the Content-Type header, the client computer’s operating system, and the client applica-tion that requested the data, the client can:

• Render the content as a web page in a browser

• Call a plug-in (such as the Adobe Acrobat Reader plug-in or the Apple QuickTime or Windows Media Player plug-in) to help render the content in a browser

• Prompt the user to save the file to disk

• Call a different application to open the file

• Tell the client application to do other things

Although HTTP shares many properties with the MIME specification, it is not a MIME-compliant protocol. It is impor-tant to understand the limitations of the Content-Type header:

• The Content-Type header is an optional header. It is not required by the HTTP specifications, but it is helpful enough to client applications that most message bodies have one.

• Some message bodies do not have a preceding Content-Type header at all. To allow content that has no Content-Type header, enable the none rule (see the About missing content types section above).

• The Content-Type header can be incorrect. It can use the wrong value for the actual content because of server coding errors and misspellings.

• The value for the header can be null (empty).

• The header value can be intentionally spoofed in an attempt to deceive a client and trick it into running a vulnerable application.

Rule matchThe proxy gives you a list of many predefined MIME types from which to select, or you can make your own rules. To see the predefined list, click the Predefined button when you have this ruleset in simple view.By default, the Firebox allows some safe content types. It denies all other MIME content types, including data that has no specified content type.Some Firebox administrators use a simple wildcard pattern such as * or */* to allow all MIME types, or they set the None Matched rule to Allow. Instead of filtering for MIME types, they rely on two other rulesets to protect clients:

• They use the URL Paths ruleset in the HTTP Request area to block requests for possibly malicious files. They make rules to match familiar three-character file extensions, and use a Deny action to block access to those paths.

• They make rules in the Body Content Types ruleset to match byte strings for risky content.The primary reason Firebox administrators choose this strategy is the large number of MIME types that must be allowed for normal business operations. However, because the proxy checks the Content-Type header before examin-ing the entity for Body Content (byte string matching; see the Body Content section below), filtering on MIME type can reduce the load on your Firebox by stopping content before it gets to the Body Content part of the proxy check-ing procedure. Also, before the server even has a chance to send content, you can block requests for files with well-known file exten-sions using the URL Paths ruleset in the HTTP Request section. Rules in this section prevent the server from even see-ing a request, so content never reaches the Firebox.

Action to takeA rule here can be set to Allow a header or to Strip it. You cannot use these rules to make the Firebox block a site or terminate a connection.

13

bodycontent


Default actionBy default the HTTP proxy uses the Deny action to deny any content identified by a Content-Type header that is not on the list.

Alarm or logHere is a typical log message for content that was denied. The rule_name="Default" at the end means that there was no rule for this MIME type, so the default action applied. The content type is at the end of the log message so you can easily make a rule to allow it if this meets your needs. Note that the quotation marks are not part of the content type. To allow the content type in this example, add a rule for application/x-javascript, not “application/x-javascript”.

[date] [time] Allow [source-ip] [destination-ip] http/tcp 3082 80 1-Trusted 0-External ProxyDeny: HTTP Header content type match (HTTP-proxy-02) src_ip_nat="[firebox external ip]" src_port_nat="[nat_port]" proxy_act="HTTP-Client.1" rule_name="Default" content_type="application/x-javascript"

Recommendation:Filtering by content type can be an effective tool, but you should not use it as the only part of your users’ defense on the web. The HTTP proxy offers additional defense-in-depth mechanisms that augment content-type checking. Use the layers of the proxy to your advantage by making rules in the URL Paths ruleset (see the HTTP Request area of the proxy, above) to block requests for common file extensions of files you want to block. When a request is blocked by the Firebox, there is no chance for the server to respond with dangerous content.

HTTP Response - Cookies

Web servers use the response header Set-Cookie: to put a cookie on the client’s computer. When the client makes an HTTP request after this, and the request is for something in the same domain, the client sends an HTTP request header Cookie: to give the server the cookie for this domain.Like all HTTP headers, Set-Cookie has a header field name [Set-Cookie], a colon [:], and the contents of the cookie. The contents of one cookie can include several values and sub-values, separated by commas and semicolons. The HTTP proxy looks at one value in the cookie to match the rules in this ruleset: the domain from which the cookie came. Here is an example Set-Cookie response header:

Set-Cookie: PRpb=yhoomy; domain=ads.pointroll.com; path=/; expires=Fri, 01-Jan-2010 00:00:00 GMT;

Rule matchThere are no rules in the default HTTP Client proxy action because by default all cookies are allowed. A rule that you add to your proxy action matches a domain name. Every cookie has a string that starts with domain= . The value after the equal sign tells what domain the cookie can be used for. Sometimes it is an absolute fully-qualified domain name, such as yahoo.com (indicating that the cookie is valid only for the main yahoo domain), or it can begin with a dot to indicate that the cookie pertains to any subdo-main. For example if the cookie contains <domain=.yahoo.com> then the cookie is valid for any subdomain of yahoo.com. If the cookie contains <domain=my.yahoo.com> then the cookie is valid only for that part of the yahoo domain (the my.yahoo.com domain is for users that create personalized yahoo pages). To match a cookie with a leading dot for any subdomain, use a rule that begins with the asterisk (*) wildcard. For example, to block cookies from hitbox.com or any of its subdomains, make the rule *hitbox.com.

Action to takeYou can select to Strip cookies from a certain domain or you can Allow them. You cannot use these rules to make the Firebox block a site or terminate a connection.

Default actionThe default rule is to allow all cookies. If your proxy action has no rules in this area, and you turn on logging for the None Matched (or Default) Allow rule, you can see all the cookies that web servers send to your users.

Alarm or logNo log messages are sent by default. You can turn on logging for the None Matched rule to see all the cookies han-dled by the Firebox.

14


Recommendation:Read the two-part LiveSecurity® article “Fireware vs. the Cookie Monster”, contributed by David Piscitello: Part 1: https://www.watchguard.com/archive/showhtml.asp?pack=35469 Part 2: https://www.watchguard.com/archive/showhtml.asp?pack=35518 In this series, Mr. Piscitello examines the type of information that cookies collect and how it can be used against you or your organization. The series also offers strategies to help you decide which cookies to block.

HTTP Response - Body Content Types

This ruleset gives you control of the actual content in the body of an HTTP response. The proxy compares the raw content of the response body to see if it matches any rules here. This is one of the most powerful parts of the HTTP proxy because it lets you allow or deny content based on the actual byte stream of the response body.The proxy looks at the data stream byte-by-byte. The rules you make here can match part of the byte stream in its hexadecimal representation. If the part of the stream you want to match can be represented as ASCII text, your rule can match ASCII characters.

What is body content?An HTTP message is essentially some headers, followed by the message body. Many users think of the HTTP message body as only the web page that the browser renders. However, HTTP allows for transporting any kind of content, not just content that the browser can display. If the client can make a GET request for a file, and the web server has the file, any type of file can be transferred.

What is raw, actual content?This is the binary representation or the byte-by-byte representation of the data. Because the HTTP proxy examines a byte at a time, it is more efficient to look at the hexadecimal representation of the data stream.

What does a rule try to match?The purpose of a rule in this section of the proxy is to find a sequence of bytes that will always be in an entity you want to identify. A pattern like this is often called a sequence of “magic bytes”, after the UNIX file named magic. The UNIX magic file refers to “magic numbers” instead of magic bytes, but the concept is the same – a sequence of bytes that is the same for any file of the same type. For example, not all Windows executable files are identical, but most all Windows executable files begin with the same sequence of bytes: 0x4D5A (in hexadecimal) or MZ (in ASCII).This pattern of bytes that is common to all files of the same type is often called a file header. The word “header” is used because with many files, the pattern that identifies the file is at or near the very beginning of the file. This is usually but not always the case—identifying bytes can be anywhere in the file. The number of bytes into the file that the pat-tern starts is called the offset. Additionally, a file can be edited in its raw form using a tool called a hex editor to put something else at the beginning of the file in an attempt to fool utilities that scan files. [reference URL: http://www.securityelf.org/magicbyte.html]

Does the pattern have to be a hexadecimal pattern?No. Because each character in the ASCII character set can be represented by a two-digit hexadecimal sequence from 00 through 7F, many byte signatures can be represented as ASCII text. In many cases, the byte string that positively identifies the file type is readable as text if you open the file in a text editor.

Where can I find byte patterns to use in my rules?Here are a few good resources:

• For a searchable database of many file types, go here: http://filext.com/ The filext.com site also has an FAQ on how you can look in to a file with a binary file viewer to see the hexadecimal structure of the file: http://filext.com/info/showthread.php?t=21

• For a useful utility that identifies files, and a collection of over 2,000 file type definitions with byte signatures, go here: http://mark0.net/soft-trid-e.html

15

https://www.watchguard.com/archive/showhtml.asp?pack=35469

https://www.watchguard.com/archive/showhtml.asp?pack=35518

http://www.securityelf.org/magicbyte.html

http://www.securityelf.org/magicbyte.html

http://filext.com/

http://filext.com/info/showthread.php?t=21

http://mark0.net/soft-trid-e.html


This site’s collection of file type definitions is not searchable, but you can download the collection of definitions to use with the TrID utility. You use Marco Pontello’s TrID utility to identify an unknown file.

• The Fireware Board in the WatchGuard User Forum includes a conference for users to share Body Content Type rules they have created. Registration at the WatchGuard User Forum is easy. Go here: http://www.watchguard.com/forum The WatchGuard User Forum is a community of WatchGuard users helping other users. The Forum is separated into different boards, one for each type of Firebox WatchGuard sells. Each board is further divided into conferences, covering every aspect of that device’s operation.

Rule matchBy default, the Firebox is configured to deny Java applets, Zip archives, Windows EXE/DLL files, and Windows CAB files.

Actions to takeThe proxy can take these actions when it sees an HTTP message body that matches a rule:

• Allow: The HTTP response continues to flow to the client.

• Deny: The proxy denies the method and sends a message back to the client. You can customize this message in the Deny Message area of the HTTP proxy.

• Drop: The proxy immediately drops the connection. No message is sent to the source of the HTTP response.

• Block: The proxy denies the method and puts the source of the response on the Auto-Blocked Sites list.

• AV Scan: This option is available only if you have a current license for Gateway AntiVirus. The response from this request will be scanned for viruses when the client’s HTTP request matches a rule that uses AV Scan for the action.

Default actionBy default, HTTP message bodies that do not match a rule here are allowed.

Alarm or logHere is an example log message from a user trying to download a Windows executable file. The download was denied by the default Windows EXE/DLL Body Content Type rule: [date] [time] Deny [source-ip] [destination-ip] http/tcp 3082 80 1-Trusted 0-External Proxy-Deny: HTTP Body content type match (HTTP-proxy-02) src_ip_nat="[firebox external ip]" src_port_nat="[nat_port]" proxy_act="HTTP-Client.1" rule_name="Windows EXE/DLL"

AntiVirus

If some content is successfully scanned and no virus is found, the Firebox takes no action, the proxy lets the response through, and the client is not aware that a scan was performed. When the AV scanning engine looks at some content, two circumstances can trigger the proxy to take action:

A virus is detectedThe Firebox AV Scan engine found a match on the list of viruses.

An error occursThe most common reason an error occurs during scanning is that the content is inside a compressed file that is password-protected. The scan engine recognizes archived files and it can decompress archives, but it cannot decompress an archive that requires a password to decompress it.

Actions to take• Allow: The HTTP response continues to flow to the client.

• Drop: The proxy immediately drops the connection. No message is sent to the source of the HTTP response.

• Block: The proxy denies the method and it puts the source of the response on the Auto-Blocked Sites list. All traffic from an IP address on the Auto-Blocked Sites list is denied for the amount of time specified in Policy Manager at Setup > Intrusion Prevention > Blocked Sites, on the Auto-Blocked tab. Use this action only if you want to stop all traffic from the offending site for this time.

The default action for both items in this section is Drop.

16

http://www.watchguard.com/forum


NoteWhen the Firebox drops the HTTP response, it is likely you will continue to see log messages for some time after the Drop event, as the source continues to send the rest of the response. You can recognize these denied responses because the source port is the same port used for the original client-server socket. Most often, this is port 80 with HTTP.

Why doesn’t the client get a message in the browser when AV scan finds a virus?The AV scanning engine for HTTP is an inline engine; it is not a store-and-forward engine. Because in-line scanning does not cache the data before it sends packets to the client, the HTTP proxy cannot replace the partially down-loaded entity (web document or file) with a customized proxy deny message to notify the user that a virus was found (or that an error occurred).

Deny Message

The ruleset lets you customize the deny message that a client sees in the browser when a request or a response vio-lates any rule in your Proxy Action that has its action set to Deny.

NoteThe Firebox sends the message only when something triggers a rule that has action set to Deny. A rule set to Block, Strip, or Drop does not cause the proxy to send this message.

These rulesets in an HTTP Proxy Action can have rules with action set to Deny:

• Request Methods ruleset in the HTTP Request section

• URL Paths ruleset in the HTTP Request section

• Content Types ruleset in the HTTP Response section

• Body Content Types ruleset in the HTTP Response section

• Intrusion Prevention ruleset in the next section (A license is required to use the Intrusion Prevention System)

Tips on writing the Deny messageAlthough this FAQ does not include basic information on HTML, here are some rules and tips:

• Use only US-ASCII characters in the message. (This is true for every configuration parameter in the Firebox XML configuration file.)

• The first lines in the message should be HTTP headers that the browser needs to interpret the message body. For example, use a Content-type header with a charset declaration that tells the browser to render the message body with the UTF-8 character set. This character encoding lets you use the Unicode representation of non-ASCII characters. For more information about using Unicode in your deny message to make the browser show non-ASCII characters, see the FAQs at: https://www.watchguard.com/support/fireware_howto/

• Immediately after the HTTP headers in your message, add a blank line. This tells the browser that there are no more headers and the subsequent text is the message body.

• These system variables are available to put in the Deny message: %(transaction)% Puts “Request” or “Response” to show which part of the transaction caused the packet to be denied.

%(reason)% Puts the reason the Firebox denied the content. %(method)% Puts the request method from the denied request. %(url-host)% Puts the server host name from the denied URL. If no host name was included, the IP address of the server is given.

17

https://www.watchguard.com/support/fireware_howto/


%(url-path)% Puts the path component of the denied URL.

• You can use any standard HTML tags, including meta-tags. For example, use an href tag that uses mailto: to include a link in the page that users can click to mail you the reason that something was denied. A line like this in your message does this: Click <a href="mailto:[email protected]?subject=I got blocked!&body=Here are the details for the Firebox blocking me: %0A%0 A%(transaction)% %0A %(reason)% %0A Method=%(method)% %0A Host=%(url-host)% %0A Path=%(url-path)%">here</a> to mail the details of the block and our IT department will look in to it. When a user clicks on this link, the user’s email client starts a new message to the address after the mailto: link with the subject line and message body filled in.

Intrusion Prevention

Use the Intrusion Prevention ruleset to enable the Intrusion Prevention Service to monitor HTTP client connections to look for signatures that match those in the Intrusion Prevention Service database. (You must purchase a license for the optional Intrusion Prevention Service.)The Intrusion Prevention System compares HTTP requests, responses, and message body content against a database of signatures that your Firebox downloads periodically. The signatures come from various open-source resources and from WatchGuard’s own development team. There are several categories of signatures, such as signatures that iden-tify instant messaging applications, spyware, attempts to exploit known vulnerabilities in popular programs, and backdoor trojan programs. To see the list of signatures, connect to Firebox System Manager, click the Security Ser-vices tab, and then click the Show button in the Intrusion Prevention box.

Rule matchYou cannot make any rules of your own in this ruleset. Instead, you select the check boxes for the signature categories you want the Firebox to look for. Make sure you select the appropriate signature set for the purpose of your HTTP Proxy Action. On the General tab:

• Select the Server check box if you use this HTTP Proxy Action to protect a web server behind your Firebox

• Select the Client check box if you use this HTTP Proxy Action to protect clients behind your Firebox.

Actions to takeThe proxy can take these actions when the Intrusion Prevention System is triggered by a signature match:

• Allow: The proxy allows the connection.

• Deny: The proxy denies the connection and sends a message back to the client. You can customize this message in the Deny Message area of the HTTP proxy. The %(reason)% variable that shows in a deny message is: Reason: IPS matched signature id='[signature id number]'

• Drop: The proxy drops the connection and does not send a message back to the client. The Firebox sends only a TCP reset packet to the client. The client’s browser might display “The connection was reset” or “The page cannot be displayed” but the browser does not tell the user why.

• Block: The proxy denies the method and puts the source of the response on the Auto-Blocked Sites list. All traffic from an IP address on the Auto-Blocked Sites list is denied for the amount of time specified in Policy Manager at Setup > Intrusion Prevention > Blocked Sites, on the Auto-Blocked tab. Use this action only if you want to stop all traffic from the offending site for this time.

Default actions for different categoriesBy default, the proxy uses these actions:

• Deny for signature matches in the High and Medium Severity categories, for IM signatures, and for P2P signatures.

• Allow for signature matches in the Low Severity category.

• Drop for signatures that match anything in the Spyware category.

18


Alarm or logHere is a typical log message from an Intrusion Prevention System event: [date] [time] Deny [source-ip] [destination-ip] http/tcp 3082 80 1-Trusted 0-External Proxy-Deny: HTTP Header IPS match (HTTP-proxy_out-00) proxy_act="HTTP-Client.2" ips_msg="WEB-IIS directory traversal attempt(Bugtraq-1806,CVE-2000-0884,Nessus-10537)" signature_cat="http-request-server" signature_id="35033"

Proxy and AV Alarms

The Proxy Alarm ruleset lets you define the type of alarm that is sent any time a notification is triggered by an HTTP-Client ruleset. There are only two boxes in this area of the HTTP proxy: Send SNMP Trap and Send Notification. There is more information in the User Guide about configuring SNMP and Firebox notifications.

19

SUPPORT: www.watchguard.com/supportU.S. and Canada +877.232.3531All Other Countries +1.206.613.0456

COPYRIGHT © 2006 WatchGuard Technologies, Inc. All rights reserved.WatchGuard, the WatchGuard logo, Firebox, Core, and Fireware are registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries.

Was this document helpful? Please send your feedback to [email protected].

mailto:[email protected]

HTTP Proxy Outgoing Proxy Action

Documents

Transcript of HTTP Proxy Outgoing Proxy Action