ISA in SBS - yes, it's secure

A central location for SBS ISA specific configuration information relevant to small consulting practices and others smart enough to use the best technology in the world.

Lingo - The Talk of Broadband

Tuesday, March 07, 2006

Information on SP2

As you know, there has been a flurry of information on whether or not to install ISA 2004 SP2 and what happens afterwards.

Here's the situation, SP2 contains some new features which add to the security that ISA can provide to our networks. Therefore after you install SP2 you might come across a few websites that will error out. While it might look like it's SP2 causing the problem it's actually the website causing the problem by not following the rules.

There are two things that are causing headaches for those that rushed to install SP2, compression filtering and HTTP Request Smuggling. The new compression filter is "on" by default under SP2. If you access a website that attempts to place a compressed file on your box using anything other than gzip encoding, it will fail. Most, but not all websites use gzip encoding. If you need to use a website that doesn't you'll have to disable compression filtering. For an explanation of HTTP Request Smuggling protection, we turn now to our guru, Jim Harrison...

Disabling filters may not help with www.delta.com, www.sun.com or any
site that causes ISA 2004 SP2 to generate the following message:

Error Code: 502 Proxy Error. The HTTP request includes a non-supported header. Contact your ISA Server administrator. (12156)

The reason for the behavior youre seeing is that new logic that was added in ISA 2004 SP2 to mitigate HTTP request smuggling The process for this attack is a bit involved but the short story is that HRS depends on sending response headers that include both Content-length: and transfer-encoding: chunked.

A whitepaper on the subject is available here:
https://www.watchfire.com/securearea/whitepapers.aspx

RFC-2616 defines those two headers for the purpose of providing quantitative content validation for the receiver and states *very clearly* that the server MUST NOT combine them in the same response.

If the server is configured such that it does violate this edict, RFC-2616 then requires the receiving entity to ignore the content-length value and instead use the chunked-encoding technique to validate the length of the HTTP body.

This places a processing burden on the receiving entity (ISA, in this case), since a chunked-encoded transfer can't be quantitatively validated until the transfcompletedeted. In the case of a proxy, additional processing is imposed due to caching behavior that may be dependent on content-size.

The reason those sites are either failing outright (www.delta.com) or rendering poorly (www.sun.com) is because we chose to reject those responses out of hand. Since RFC-2616 clearly states don't combine those headers and doing so is a demonstrably malicious act, it seemed unlikely that ISA would cause problems for any other than malicious sites, and in fact, our testing validated this belief.

As it turns out, there are quite a few legitimate sites out there that violate this part of RFC-2616 and so we have had to rethink our answer to this problem.

PSS will have a public fix available shortly.
Jim


There's going to be a hotfix. Not because ISA did anything wrong but because there are enough sites out there causing pain for MS customers, that they are going to change things accommodate them.

I for one, am not disappointed by SP2. The security improvements are significant, I just wish we didn't have to dilute security to accommodate a few sites not playing by the rules. It's really the same thing we do for Java apps that won't authenticate or workstation apps that won't run as anything but local admin. It's a compromise and it's one we should be complaining about loudly. This time, not at Microsoft but at the legions of others not playing by the rules.

UPDATE: Click here for the hotfix.

7 Comments:

At 9:45 PM, Anonymous Javier Abreu said...

Has this update made available yet? Called PSS and they would not provide it.
Many customers with same problem with some bank sites as the one reported with delta.com.

Any feedback appreciated

 
At 8:30 AM, Blogger Amy - Harbor Computer Services said...

It is. PSS has it. Ask for the update to fix the Delta.com issue.

 
At 10:56 AM, Anonymous Anonymous said...

Where can I contact PSS at to get the update?

 
At 10:27 AM, Anonymous Anonymous said...

Can anyone post the downloaded software. Trying to get MS on the phone is a huge pain.

 
At 10:48 AM, Blogger Amy - Harbor Computer Services said...

No can do. As long as it's a hotfix it comes as a password protected time sensitive file.

Ordering a hotfix isn't very painful. Just call them up, give them the hotfix number, your email address and voila you've got it. 5 minutes tops.

 
At 4:06 PM, Anonymous Anonymous said...

No need to call. I logged into my SBS03 server and the hotfix was downloaded for me and ready to install. Now that is service.

 
At 6:42 PM, Blogger Amy - Harbor Computer Services said...

What good timing you have! The hotfix became an official update today. I'll create a new post to let everyone know.

 

Post a Comment

<< Home