[FW1] I'm being asked to make this change... Comments? (long)
We have users that access the NCCI website for information. Recently, that access started failing. This is the response I got from the support staff at NCCI, and I'm wondering if anyone else has encountered this before or has any comments on the recommended solution. (Sorry this is so long.)

Thanks,
Geoff

--------------------------------------------------------------------------

NCCI implemented a new authentication product several weeks ago so that we could better serve our customers. This product runs on our internal servers and results in additional cookies being transmitted back to any user who logs into any of our products. These cookies enable the services to be personalized for that user and enable NCCI to set up new customer accounts much more quickly.

The vast majority of our users have not reported any problems since these changes; however, a small group of about 40 companies have not been able to access these website products since this change. The error they get is either "Page Cannot be Displayed" in Internet Explorer or "Document Contains no Data" in Netscape. After a lot of research we now believe we know what has caused this problem and how to fix it.

All of the companies we have contacted so far use Checkpoint Firewall-1, the most popular firewall product. Checkpoint has an HTTP Security Server which is activated whenever the firewall is configured so that users authenticate to the firewall or whenever you run any Content Vector Protocol (CVP) products. CVP products include antivirus products and products that control or monitor where users go on the Internet. These products activate the Checkpoint HTTP Security Server whether the firewall administrator specifically activated it or not. The Firewall-1 HTTP Security Server proxies the HTTP connection. The firewall accepts the browser connection and responds to the client. The firewall then opens a new set of connections of its own to the server.
In making this new connection as proxy the firewall must handle the HTTP headers. This is done through buffering with a fixed-length buffer. The default header length the firewall security server uses is 1024 bytes. The HTTP header size for the request to NCCI exceeds this maximum length. Non-CheckPoint firewalls and proxies might have the same limitation. It is not uncommon for header sizes to exceed 1024 bytes. Most web servers support header sizes up to a maximum header size of 4096 bytes. We have found so far that the companies who experience problems accessing our site are using a Checkpoint firewall, have an activated HTTP Security Server and have not made changes to increase the size of this buffer space from the default setting of 1024 bytes.

RFC 2109, which details the "HTTP State Management Mechanism", states that systems should provide support for cookies at least 4096 bytes in size. Here is an excerpt from this document:

  "...general-use user agents should provide each of the following minimum capabilities individually, although not necessarily simultaneously:
   * at least 300 cookies
   * at least 4096 bytes per cookie (as measured by the size of the characters that comprise the cookie non-terminal in the syntax description of the Set-Cookie header)
   * at least 20 cookies per unique host or domain name
  User agents created for specific purposes or for limited-capacity devices should provide at least 20 cookies of 4096 bytes, to ensure that the user can interact with a session-based origin server. The information in a Set-Cookie response header must be retained in its entirety. If for some reason there is inadequate space to store the cookie, it must be discarded, not truncated."

Following the aforementioned changes at NCCI a few weeks ago, NCCI now sends cookies that are larger than 1024 bytes but are well within the limits of the HTTP protocol standard.
The "Page Cannot be Displayed" error in Internet Explorer and the "Document Contains no Data" error in Netscape are caused when a cookie header greater than 1024 bytes is transmitted to your site. Your HTTP Security Server attempts to parse it for analysis but it gets truncated due to the small default setting for the buffer. It is subsequently discarded. The result is "Page Cannot be Displayed" or "Document Contains no Data" and perhaps even an "Error 10053" error message in Microsoft Proxy Server, a generic error message that indicates a Winsock TCP/IP connection failure.

Checkpoint has told us that the default setting of 1024 bytes in their HTTP Security Server has been a "known problem" for almost two years. They recommend increasing the size of this buffer by manually adding a couple of lines in the objects.C file as follows:

1) Stop the firewall.
2) Back up the existing objects.C file to objects.bak or something similar.
3) Open objects.C with a text editor and search for "http" to make sure the lines to add in the next step do not already exist.
4) Go to the props section of the objects.C file. Create the following two lines:
     :http_max_header_length (x)
     :http_max_url_length (x)
   Replace 'x' with the desired value (see next paragraph regarding the suggested value for "x").
5) Save the file.
6) Restart the firewall.
7) In the firewall management utility, reapply the firewall security policy.

We recommend that each customer should contact Checkpoint directly before making any changes to their firewall. However, a setting of 4096 would be the largest setting supported by most web servers, and Checkpoint has told us that adding these two lines to increase the buffer space will not affect the security or performance of their firewall in any way.
An email from a CheckPoint Support Engineer in the CheckPoint Support Center in Dallas included the following: "There are no security or performance implications to making this change and I believe the minimum Firewall-1 version that will allow this change would be 4.0 as that is the least build that we offer support for."

There is further documentation on this two-year-old "bug" at http://www.phoneboy.com/fw1. Search Phoneboy's Firewall-1 FAQ for "HTTP Security Server and Long URLs". This documentation incorrectly states however that the default setting is 2048. Netegrity, who sells and supports Checkpoint Firewall-1, referred us to this link and confirmed with Checkpoint that the default setting is in fact 1024 bytes. Netegrity has reproduced our problem in their lab. After applying the fix above they were then able to access our site. Several other companies have also successfully applied this fix.

Please keep in mind that this fix will not just enable your company to access NCCI services. It will permit your users to successfully access any other Internet website that generates any headers that exceed 1024 bytes in length. Netegrity has stated to us that it is not unusual these days to encounter such sites.

It is with regret that NCCI asks you to make changes to your firewall. We would have preferred a solution on our end. We feel however that you will likely be interested in this fix since it deals with a "known problem" which is not limited to NCCI's website. We would appreciate feedback on how you feel about this fix and the results if implemented.

Regards,
Alan Dougherty
NCCI eBusiness Office
Mail Stop BM 1-12
750 Park of Commerce Drive
Boca Raton, FL 33487-3696
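Added example, not part of the original post and not CheckPoint's code: a small Python model of a proxying HTTP security server with a fixed-length header buffer, named after the two objects.C properties above. It reports whether a captured request would be forwarded or lost at the 1024-byte default versus the recommended 4096, and which header the cut lands in. The buffer behaviour, the host name, the URL-length default and the sample request are constructed assumptions.

```python
# Added example, not the post's or CheckPoint's code: a model of a proxying HTTP security
# server with a fixed-length header buffer; buffer behaviour and sample request are assumptions.
DEFAULT_MAX_HEADER = 1024      # default the post reports for http_max_header_length
RECOMMENDED_MAX_HEADER = 4096  # value the post recommends
DEFAULT_MAX_URL = 1024         # assumption: the post gives no default for http_max_url_length

def build_request(cookie_bytes, path="/"):
    """Constructed GET request carrying a session cookie of cookie_bytes bytes."""
    lines = [
        f"GET {path} HTTP/1.0",
        "Host: www.example.test",  # constructed host, not NCCI's
        "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0)",
        "Cookie: SESSION=" + "A" * cookie_bytes,
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def header_block_length(request):
    """Bytes from the request line through the blank line that ends the headers."""
    end = request.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("request has no end-of-headers marker")
    return end + 4

def truncated_line(request, limit):
    """Name of the header (or 'request line') that a limit-byte buffer cuts mid-way."""
    offset = 0
    for index, line in enumerate(request.split(b"\r\n")):
        if offset + len(line) + 2 > limit:
            return "request line" if index == 0 else line.split(b":", 1)[0].decode("ascii", "replace")
        offset += len(line) + 2
    return ""

def check_request(request, max_header_length=DEFAULT_MAX_HEADER, max_url_length=DEFAULT_MAX_URL):
    """Decide whether the proxy forwards the request intact ('pass') or loses it ('drop')."""
    total = header_block_length(request)
    parts = request.split(b"\r\n", 1)[0].split(b" ")
    url_len = len(parts[1]) if len(parts) >= 3 else 0
    if url_len > max_url_length:
        reason = f"URL is {url_len} bytes, over http_max_url_length={max_url_length}"
        return {"verdict": "drop", "header_bytes": total, "url_bytes": url_len, "reason": reason}
    if total > max_header_length:
        reason = (f"header block is {total} bytes, over http_max_header_length={max_header_length}; "
                  f"the buffer cuts the {truncated_line(request, max_header_length)} header")
        return {"verdict": "drop", "header_bytes": total, "url_bytes": url_len, "reason": reason}
    return {"verdict": "pass", "header_bytes": total, "url_bytes": url_len, "reason": f"{total} header bytes"}

if __name__ == "__main__":
    for limit in (DEFAULT_MAX_HEADER, RECOMMENDED_MAX_HEADER):
        print(limit, check_request(build_request(1500), max_header_length=limit)["reason"])
```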