CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hello, I've done an upgrade from R60 to R61. The customer uses CVP with eSafe to scan SMTP, HTTP and FTP. Starting with R61 you get the error message "Compressed HTTP responses (containing a 'Content-Encoding:' header) are not allowed when using CVP or weeding" whenever HTTP 1.1 is used and the server answers compressed. This is well documented in http://updates.checkpoint.com/filese...y_Security.pdf but I can't follow the suggestion to lift security for these connections.

I tried to fix the problem with http_force_down_to_10 = 1 but it has no effect. The client request still leaves the firewall with HTTP/1.1, as tcpdump shows. I checked why we didn't have this problem with R60 and found that http_force_down_to_10 = 1 is not working on R60 (without and with HFA_03) and that 'Strip SCRIPT Tags' is NOT working (as described for R61) without any message on sites using compression.

Testing is easy. Create a resource with 'Strip SCRIPT Tags' and test it as a transparent proxy with www.google.de. Configure your IE 6 internet options to use HTTP/1.1 (note: you have to restart IE after changing this setting, and clear your IE cache!). With R61 you see an error message in the Tracker; with R60 the SCRIPT tag passes unmodified(!). To crosscheck you can switch to HTTP 1.0 and you will see the SCRIPT tag changed to <scrip!>.

Any suggestions besides configuring all clients to use HTTP 1.0? Why is http_force_down_to_10 not working (since which release)?

eSafe support recommends using In-line Bridge Mode (NitroInspection in eSafe terms). According to support, performance is up to 10 times better! To convert eSafe to Bridge mode you need to reinstall eSafe and regenerate the license (it is free if you are still under maintenance). You can still configure LEAP to export logs from eSafe to CheckPoint.

P.S. I advise you to use the eSafe Virtual Appliance (the SPLAT analogue). Always check if you have the latest Feature Pack CD image (you can get the ISO download link from eSafe support).

Thank you for your information concerning speed. Concerning the compressed HTTP 1.1 responses, I have doubts that this helps. I tested it with eSafe in NI router mode and verified that SCRIPT tags are not stripped on compressed content. See http://kb.support.aks.com/AKS+Web/Tc...1?OpenDocument:

Scanning compressed HTTP 1.1
Problem: Do we scan compressed HTTP 1.1 with ESG NI? Here is some background info about it.
Solution: No, currently we do not support this.

Sorry fwman, I did not get what your initial question was about. I had heard about HTTP compression, but now I have read deeper and get the problem. (http://www.websiteoptimization.com/s...weak/compress/) From the CheckPoint document you provided initially, it looks like it is possible to allow HTTP 1.1 but block/strip compression negotiation. This is controlled by: Quote:

P.S. I wonder if the current industry leader IPS/IPS can inspect Compressed HTTP 1.1?
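As an added illustration of the two points raised in this thread (not code from any poster, nor from Check Point or eSafe), the following Python snippet shows why a Content-Encoding response defeats tag stripping unless the body is decoded first, and what "blocking compression negotiation" means on the request side (HTTP/1.0 plus no Accept-Encoding header). The sample responses, including the `<scrip!>` rewrite, are constructed from the behaviour described in the first post; the function names are my own.

```python
import gzip
import re
import zlib

# Constructed sample traffic (not captured from the gateway in the thread).
# Server answer over HTTP/1.1 with a gzip body: the gateway cannot inspect it.
COMPRESSED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n\r\n"
    + gzip.compress(b"<html><head><script>alert(1)</script></head></html>")
)
# Same page after a forced HTTP/1.0 exchange: the opening tag was rewritten
# to <scrip!> by the 'Strip SCRIPT Tags' resource, as the first post describes.
STRIPPED_RESPONSE = (
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><head><scrip!>alert(1)</script></head></html>"
)

def split_response(raw):
    """Split a raw HTTP response into a lower-cased header dict and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body

def script_tag_reaches_client(raw):
    """True if an opening <script> tag survives in the body the browser will render.
    The body is decoded first, as a browser would, so a compressed response that
    passed the gateway uninspected is reported the same way as a plain one."""
    headers, body = split_response(raw)
    encoding = headers.get(b"content-encoding", b"identity")
    if encoding in (b"gzip", b"x-gzip"):
        body = gzip.decompress(body)
    elif encoding == b"deflate":
        body = zlib.decompress(body)  # zlib-wrapped deflate, the common server form
    return re.search(rb"<script\b", body, re.IGNORECASE) is not None

def downgrade_request(raw_request):
    """Rewrite a client request to HTTP/1.0 and drop Accept-Encoding, so the
    server has no reason to answer with a Content-Encoding header."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].replace(b"HTTP/1.1", b"HTTP/1.0")
    kept = [h for h in lines[1:] if not h.lower().startswith(b"accept-encoding:")]
    return b"\r\n".join([request_line] + kept) + b"\r\n\r\n" + body
```

Run `script_tag_reaches_client` over responses captured with tcpdump on the inside interface to confirm whether stripping actually happened for HTTP/1.1 clients.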
Yes, I tried it and it has no effect, which seems to be a general problem of the HTTP security server in R61. http_allow_content_disposition is ignored, too. Even if it had helped, CheckPoint_R61_Firewall_SmartDefense_UserGuide.pdf says: Quote:

The problem has been fixed. The solution is described in #sk17454. The important point is: in NGX R61, 'Policy -> Global Properties -> SmartDashboard Customization -> Advanced Configuration -> Firewall-1 -> Websecurity -> HTTP_ACTIVATE_SS_PROTECTIONS' must be set before any modifications to the web security options will take effect.