On Thu, 4 Apr 96 08:54:17 PST, Bill Stout <bstout@osc.hitachi.com> wrote:
# At 08:06 PM 4/3/96 -0600, you wrote:
# >
# >Hello everyone. This is my first question on this list, so please forgive
# >that it is a little bit off-topic. I need to run round-robin DNS for my web servers.
# >How is it done and what does it entail in terms of security?
# This is what a round-robin site looks like:
[ Deletia ]
# >In light of
# >recent DNS/Java exploit discussions I'd like to know what the security
# >gurus here think of the idea in general, and particularly applied to
# >firewalls, etc.
# I know of no relation of DNS round-robin to security, or Java. Java runs at
# an application layer higher (user?) than what firewalls can filter; firewalls
# in general are useless against Java attacks, which are at this point only
# used against browsing web clients, not servers.
First, some background: The exploit in question would have allowed some
browsers to mount active attacks against any system behind some firewalls.
(Admittedly, this seems to be implementation dependent, but (as with most
things) it's not the 80% that you worry about, but the 20%.)
Another comment: HTTP proxies already exist that will filter out Java and
JavaScript. The biggest problem at this point is with performance, since they
(the proxies) have to examine and filter the entirety of every HTML document
as it passes.
Details:
Netscape Navigator 2.01 and Sun's JDK 1.0.1 effectively disabled round-robin
and other load balancing mechanisms, forcing the client to only connect to the
same IP address that the Java applet was downloaded from. (In the client's
default configuration.) If you're interested as to why they did that see <URL:
http://www.aztech.net/~steve/java/> or CERT advisory CA-96.05, if you think
that I'm "blowing smoke."
I work for a Fortune 100 financial institution. I think Java has a lot of
potential for "good stuff." Having said that, I wouldn't trust
Java-behind-a-firewall (in its current state) farther than I could throw a
large RS/6000.
I speak from experience. After only a few hours of browsing globally available
source code, and a good night's sleep, I came up with an idea for an "attack"
that turned out to be quite feasible (and eventually led to CA-96.05). For the
record, this was not (initially) the full-source-code distribution, just the
base Java code. I'm sure that others who are much more malicious than I, who
are much more familiar with Java, have more resources at hand, and will
continue to have similar experiences.
As usual, comments are welcomed,
--
Steve@AZTech.Net
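The JDK 1.0.1 / Navigator 2.01 behaviour described in the message above, as an added example that is not part of the original post or of Sun's or Netscape's code: a small Python model of the two applet connection checks (matching the target host name versus pinning to the address the applet was downloaded from), run against a constructed round-robin name to show why the pinned check leaves each applet 1 of N pool addresses. The resolver table, host names and addresses are constructed, and both policy functions are an assumed simplification of the real checks.

```python
"""Model of the applet connection checks described in the post.

Added example, not code from the original message, Sun or Netscape.
The resolver table, host names and addresses are constructed
(documentation address space), and both policy functions are an
assumed simplification of the real checks.
"""
from ipaddress import ip_address

# Constructed round-robin DNS data: one name, a pool of three A records.
RESOLVER = {
    "www.example.test": ["192.0.2.10", "192.0.2.11", "192.0.2.12"],
}


def resolve(name, answers=None):
    """A records for a name; 'answers' lets a caller substitute another
    response (for example one not under the site operator's control)."""
    table = answers if answers is not None else RESOLVER
    return list(table.get(name, []))


def addresses_by_name(origin_host, target_host, answers=None):
    """Name-based check (the pre-fix behaviour): if the target host name
    equals the host the applet came from, every address the resolver
    returns for it is usable, so the decision rests entirely on DNS data."""
    if origin_host != target_host:
        return []
    return resolve(target_host, answers)


def addresses_by_origin_ip(origin_ip, target_host, answers=None):
    """JDK 1.0.1-style check: only the exact address the applet was
    downloaded from is usable, whatever DNS says about the name."""
    origin = ip_address(origin_ip)
    return [a for a in resolve(target_host, answers) if ip_address(a) == origin]


def round_robin_usable(name):
    """For each pool member, how many pool addresses an applet downloaded
    from it may use under IP pinning: always 1 of N, which is why the
    post says the fix 'effectively disabled round-robin'."""
    pool = resolve(name)
    return {a: len(addresses_by_origin_ip(a, name)) for a in pool}


if __name__ == "__main__":
    print(round_robin_usable("www.example.test"))  # each member: 1 of 3
```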