Network Computing is part of the Informa Tech Division of Informa PLC


Improvements Tighten Lucent's Security Management Server: Page 2 of 4

The advanced options, applied per rule in a security zone, let you tailor the level of inspection to your needs.

I tested the new features by placing a laptop running WildPackets' EtherPeek NX protocol analyzer on a shared segment next to the Web servers and inspecting the TCP packets off the wire. I also used EtherPeek NX on the client side to capture and inject modified TCP packets into the stream. LSMS 7.0 passed the tests the earlier version had failed in the aforementioned firewall review. I also confirmed that LSMS 7.0 modified TCP initial sequence numbers (ISNs) on the fly by comparing packets' ISNs on either side of the firewall with EtherPeek NX.

Although still rudimentary, the HTTP application filter sets a limit on the length of a URL--4,096 characters by default--performs pattern matching on URL strings and blocks directory traversal beyond the directory root via "../.."-style strings. Unfortunately, the application filter doesn't check HTTP syntax. I tested the URL length check by using eEye Digital Security's IISHack buffer overflow exploit against a protected Web server. The Brick caught the long URL and killed the connection by sending TCP resets to both the client and the host. I also tested directory traversal, which on older or misconfigured Web servers lets attackers break out of the Web root and access any file to which the Web server has access rights, using the ASCII string "../.." and the Unicode string "..%C0%AF..", both of which were blocked. Although my tests weren't exhaustive, many canned attack scripts can be blocked.
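As an added illustration (not Lucent's code and not from the review), here is a Python sketch of the three URL checks the filter performs: the 4,096-character limit, pattern matching against a zone's rules, and traversal detection that folds the overlong "..%C0%AF.." encoding back to "../.." before counting path segments. The block-pattern list and sample URLs are constructed, and like the Brick's filter it does not validate HTTP syntax.

```python
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

MAX_URL_LEN = 4096  # the Brick's default URL length limit described in the review

# Overlong UTF-8 forms of "/" and "\" that lenient decoders once accepted as the
# ASCII separator ("%C0%AF" is the one the review tested). A plain percent-decode
# leaves these as non-ASCII bytes, so they must be folded before the "../.." check.
OVERLONG_SEPARATORS = {
    b"\xc0\xaf": b"/", b"\xe0\x80\xaf": b"/",
    b"\xc1\x9c": b"\\", b"\xe0\x81\x9c": b"\\",
}

# Constructed example of the per-zone URL string patterns a rule might carry.
BLOCK_PATTERNS = [re.compile(rb"/admin/")]

def normalize(url: str) -> bytes:
    """Percent-decode (bounded, to catch double encoding) and fold separators."""
    raw = url.encode("utf-8")
    for _ in range(3):  # "%252e" -> "%2e" -> "." ; stop when nothing changes
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    for overlong, sep in OVERLONG_SEPARATORS.items():
        raw = raw.replace(overlong, sep)
    return raw.replace(b"\\", b"/")

def escapes_web_root(path: bytes) -> bool:
    """True if the ".." segments would climb above the document root."""
    depth = 0
    for seg in path.split(b"/"):
        if seg == b"..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != b".":
            depth += 1
    return False

def check_url(url: str, patterns=BLOCK_PATTERNS) -> Optional[str]:
    """Return the reason a request URL should be dropped, or None if it passes."""
    if len(url) > MAX_URL_LEN:
        return "url-too-long"
    path = normalize(url.split("?", 1)[0])  # query string is not part of the path
    if escapes_web_root(path):
        return "directory-traversal"
    for pat in patterns:
        if pat.search(path):
            return "pattern:" + pat.pattern.decode()
    return None
```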

Integration Support

Bandwidth management is available at the interface and rule levels via traffic shaping and QoS tagging using DiffServ (Differentiated Services) and ToS (Type of Service). Rule-level bandwidth management takes precedence over interface-level. Aggregate minimum/maximum bandwidth guarantees limit the amount of data passing through an interface or zone, and limits can also be placed on the number of simultaneous sessions into and out of the zone. Packets can be tagged with new DiffServ/ToS settings as they pass through the Brick. Packets that exceed the maximum bandwidth are queued and can be tagged with different DiffServ/ToS bits.