
Re: [FW-1] - slow page loads with nimda uri implemented



Yes, we had the same problem here about 6 months ago, after I added the
rule for Nimda/Code Red.  In my case, the pages with forms were only
accessed by users on my internal network.  So I changed the source of my
Nimda/Code Red rule to be the negation of my internal network, and had my
internal network access the host on an entirely different rule.  Very
similar to what you have done.   Everything has worked fine since then.

I'd be interested in what others have done as well.




From: "King, Arron S." <[email protected]>
Sent by: Mailing list for discussion of Firewall-1 <[email protected]kpoint.com>
Date: 03/28/2002 12:15 PM
To: [email protected]
cc:
Subject: [FW-1]
Please respond to Mailing list for discussion of Firewall-1






Hello,

We instituted a rule that blocks inbound Nimda/Code Red attacks based upon
a Checkpoint KB article on how to set up a URI for Nimda/Code Red.  (any
internal -> any external reject if http(nimda URI))

We are running Checkpoint 4.1 SP1 on a Nokia IP 440 (w/ a Win2k mgmt
station running 4.1 SP5).  We have 3mbps of Internet speed.

However, after we instituted this rule, we began receiving several
complaints about specific sites being horribly slow (several minutes
between page loads).  I did some investigating, and found that if I turn
the rule off, the pages load very quickly.  Turn the rule back on, and they
take forever.  Every other site that I've seen (and used personally) works
fine.  Digging deeper, the pages in question seem to "POST" forms, some of
which are large.  I've been able to restore speed by putting a second
rule (in front of the NIMDA block, specific to the site in question) that
allows HTTP.  (I know this bypasses the Nimda check; but the sites I've
done this for are required for academics here, and I would much rather
limit my exposure to a few specific hosts (rather than get rid of the rule
entirely).)

The URI we are using (as I read the Checkpoint KB article) is:
Conn Methods (Transparent, proxy)
URI Match Spec: Wildcards
Exception Track: None
Match: http GET -
Path - {*cmd.exe,*root.exe,*admin.dll,*readme.exe,*default.ida}

Anyone else seen this?

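Added example (not part of either message, and not Check Point's matching engine): a Python script that applies the wildcard set quoted above to web server access-log lines, to check offline which requests the GET-only match would and would not flag. The function names, the Common Log Format input, the decoding and case-folding choices and the sample lines are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit, unquote

# Path wildcards copied from the URI resource quoted in the message above.
PATTERNS = ["*cmd.exe", "*root.exe", "*admin.dll", "*readme.exe", "*default.ida"]

def match_request(request_line):
    """Return the wildcard a request line hits, or None.

    Assumptions (not FW-1 behaviour): only GET is checked, mirroring the
    post's 'Match: http GET'; the query string is dropped before matching;
    the path is percent-decoded once and lower-cased.
    """
    parts = request_line.split()
    if len(parts) < 2 or parts[0].upper() != "GET":
        return None  # POST and other methods are outside this match
    path = unquote(urlsplit(parts[1]).path).lower()
    for pattern in PATTERNS:
        if fnmatchcase(path, pattern):
            return pattern
    return None

def triage(log_lines):
    """Map source address -> list of (pattern, request) hits."""
    hits = {}
    for line in log_lines:
        # Common Log Format: host ident user [date] "request" status bytes
        try:
            src = line.split()[0]
            request = line.split('"')[1]
        except IndexError:
            continue  # malformed or empty line: skip it
        pattern = match_request(request)
        if pattern:
            hits.setdefault(src, []).append((pattern, request))
    return hits

# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE = [
    '192.0.2.10 - - [28/Mar/2002:12:01:07 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283',
    '192.0.2.10 - - [28/Mar/2002:12:01:08 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299',
    '198.51.100.7 - - [28/Mar/2002:12:03:41 -0500] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276',
    '203.0.113.5 - - [28/Mar/2002:12:05:02 -0500] "POST /forms/register.asp HTTP/1.1" 200 5120',
    '203.0.113.5 - - [28/Mar/2002:12:05:09 -0500] "GET /index.html HTTP/1.1" 200 1043',
]

if __name__ == "__main__":
    for src, found in triage(SAMPLE).items():
        print(src, [pattern for pattern, _ in found])
```

The POST line in the sample is never evaluated against the wildcards, which is the scope the quoted "Match: http GET" setting describes.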



 
   All contents © 2004 Network Presence, LLC. All rights reserved.