IMPORTANT
SNS 3.x versions have reached End of Maintenance since July 1st, 2024.
We recommend that you update your SNS firewalls to a version with maintenance to guarantee the protection of your infrastructure.
HTTP
This plugin prevents large families of HTTP-based application attacks. The analyses it performs (in particular RFC compliance checks, validation of URL encoding, and checks on the size of URLs and requests) block attacks such as Code Red, Code Blue, NIMDA, HTR, WebDAV, buffer overflow and directory traversal.
Protection against buffer overflows is fundamental at Stormshield Network, which is why the maximum sizes allowed for HTTP buffers can be defined in detail.
“IPS” tab
Automatically detect and inspect the protocol | If this protocol has been enabled, it will automatically be used for discovering corresponding packets in filter rules. |
Search engine options
Enable search engine filter (Safesearch) | This mechanism excludes websites, documents or images that are explicitly inappropriate or undesirable from the results of web searches conducted on the main search engines (Google, Bing, Yahoo). |
YouTube content restriction | In this field, the type of restriction to be placed on results of video searches on the YouTube platform can be selected: |
Google services and accounts allowed | This option restricts access to Google services and accounts to the authorized domains entered in this list. Enter the domain with which you have signed up to Google Apps, as well as any secondary domains you might have added to it. Users accessing Google services from an unauthorized account will be redirected to a Google block page.
To do this, the firewall intercepts SSL traffic toward Google and adds the HTTP header “X-GoogApps-Allowed-Domains” to it, the value of which is the list of authorized domain names separated by commas. For more information, refer to the following link: FR https://support.google.com/a/answer/1668854?hl=fr EN https://support.google.com/a/answer/1668854?hl=en
NOTE
SSL inspection has to be enabled in the filter policy for this feature to work. |
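As an added illustration of the header mechanism described above (example code written for this page, not Stormshield's implementation), the function below inserts the “X-GoogApps-Allowed-Domains” header into an HTTP request that has already been decrypted by SSL inspection. The domain list and the request bytes are constructed sample values. Two rules are assumptions of the example rather than documented behavior: only requests whose Host is google.com or a subdomain are touched, and any copy of the header supplied by the client is replaced so that a browser cannot widen the list on its own.

```python
from typing import Iterable

# Header name taken from the page; the domain list is a constructed sample.
GOOGAPPS_HEADER = "X-GoogApps-Allowed-Domains"
ALLOWED_DOMAINS = ["example.com", "mail.example.com"]


def is_google_host(host: str) -> bool:
    """Assumption: 'traffic toward Google' means a Host of google.com or a subdomain."""
    host = host.split(":")[0].lower().rstrip(".")
    return host == "google.com" or host.endswith(".google.com")


def add_allowed_domains_header(raw_request: bytes, allowed: Iterable[str]) -> bytes:
    """Insert the allowed-domains header into a decrypted HTTP/1.x request.

    A client-supplied copy of the header is dropped first (design choice of this
    example; the page only says that the firewall adds the header).
    """
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], lines[1:]
    host = ""
    kept = []
    for line in headers:
        name, _, value = line.partition(b":")
        name_l = name.strip().lower()
        if name_l == b"host":
            host = value.strip().decode("ascii", "replace")
        if name_l == GOOGAPPS_HEADER.lower().encode("ascii"):
            continue  # drop forged or duplicate copies of the header
        kept.append(line)
    if not is_google_host(host):
        return raw_request  # not Google traffic: leave the request untouched
    value = ",".join(d.strip().lower() for d in allowed if d.strip())
    kept.append(f"{GOOGAPPS_HEADER}: {value}".encode("ascii"))
    return b"\r\n".join([request_line, *kept]) + sep + body
```

The header value is the comma-separated list exactly as the page describes; the Host check is what keeps the header off traffic to other sites.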
HTML/JavaScript analyses
Inspect HTML code | Any page containing HTML content that is likely to be malicious will be blocked. |
Max. length for a HTML attribute (Bytes) | Maximum number of bytes for an attribute of an HTML tag (Min: 128; Max: 65536). |
Inspect JavaScript code | Dynamic and interactive web pages that use JavaScript are scanned in order to detect malicious content before it can cause damage.
As with the option Inspect HTML code, if this option is selected, a page containing JavaScript content that is likely to be malicious will be blocked. |
Automatically delete malicious content | Instead of prohibiting the TCP connection, the scan erases the malicious content (e.g. an attribute or HTML tag) and allows the rest of the HTML page to pass through.
Example of malicious behavior: redirection, without your knowledge, to a website other than the one you intended to visit.
NOTE
Selecting this checkbox will disable the Enable on-the-fly data decompression option. |
Enable on-the-fly data decompression | When HTTP servers send compressed pages, enabling this option decompresses the data and inspects it as it passes through the firewall. Since no data is rewritten, this operation does not cause any additional delay.
NOTE
Selecting this checkbox will disable the Automatically delete malicious content option. |
List of exceptions to the automatic deletion of malicious code (User-Agent)
This list displays the browsers (identified by their User-Agent) whose data will not be automatically deleted by the option above. Elements can be added to or deleted from this list by clicking on the Add and Delete buttons.
Authentication
Verify user legitimacy | If this option is selected, user authentication via the HTTP "Authorization" header is enabled. The HTTP plugin extracts the user from this header and compares it against the list of users authenticated on the firewall. When no authenticated user matches, the packet is blocked. |
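The check described above, as an added example (written for this page, not the plugin's own code): the user is extracted from the "Authorization" header and looked up in the set of users authenticated on the firewall. The set of authenticated users and the request bytes are constructed samples. Basic and Digest credentials are parsed here; schemes that carry no readable user name yield no user and are therefore blocked, and a request with no "Authorization" header is reported separately rather than blocked (both are assumptions of the example, since the page only covers the case where a user is present but does not match).

```python
import base64
import re
from typing import Optional, Set

# Constructed sample of the users currently authenticated on the firewall.
AUTHENTICATED_USERS = {"alice", "bob"}

_DIGEST_USER = re.compile(r'username\s*=\s*"?([^",]+)"?', re.IGNORECASE)


def extract_user(authorization: str) -> Optional[str]:
    """Return the user named in an Authorization header value, or None if unreadable.

    Basic and Digest are parsed; other schemes (Bearer, NTLM, ...) carry no
    readable user name, so None is returned for them.
    """
    scheme, _, credentials = authorization.strip().partition(" ")
    scheme = scheme.lower()
    credentials = credentials.strip()
    if scheme == "basic":
        try:
            decoded = base64.b64decode(credentials, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None  # malformed base64 or text: no user can be extracted
        user, sep, _password = decoded.partition(":")
        return user if sep else None
    if scheme == "digest":
        m = _DIGEST_USER.search(credentials)
        return m.group(1) if m else None
    return None


def verify_user_legitimacy(raw_request: bytes, authenticated: Set[str]) -> str:
    """Decision for one request: 'pass' when the Authorization user is authenticated
    on the firewall, 'block' otherwise (including unreadable credentials).
    Assumption: a request without an Authorization header is not subject to
    this check and is reported as 'no-auth-header'."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"authorization":
            user = extract_user(value.decode("latin-1"))
            return "pass" if user is not None and user in authenticated else "block"
    return "no-auth-header"
```

Comparing against the firewall's own authentication table, rather than trusting the header alone, is what makes the header useful as evidence: the credentials a client chooses to send prove nothing by themselves.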
Advanced properties
URL: maximum size of elements (in bytes)
Imposing a maximum size for elements (in bytes) allows countering buffer overflow attacks.
URL (domain+path) | Maximum size of a URL, domain name and path inclusive [128 – 4096 bytes]. |
Per parameter (after the '?' [argument]) | Maximum size of a parameter in a URL [128 – 4096 bytes]. |
Full query (URL + parameters) | Maximum number of bytes for the full query http://URLBuffer?QueryBuffer [128 – 4096 bytes]. |
URL
Max. nb of parameters (after '?') | Maximum number of parameters in a URL (Min: 0; Max: 512). |
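The four URL limits above (domain+path, per parameter, full query, number of parameters), applied to a URL in one pass as an added example written for this page rather than the plugin's own code. The defaults are the upper bounds of the ranges the page gives; the byte counts assume the URL is measured in its UTF-8 wire form, and the full query is counted as the complete URL string, both assumptions of the example.

```python
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit


@dataclass(frozen=True)
class UrlLimits:
    url_max: int = 4096          # URL (domain+path): 128-4096 bytes
    param_max: int = 4096        # per parameter after '?': 128-4096 bytes
    full_query_max: int = 4096   # full query (URL + parameters): 128-4096 bytes
    max_params: int = 512        # number of parameters: 0-512


def check_url(url: str, limits: UrlLimits = UrlLimits()) -> List[str]:
    """Return the names of the limits a URL violates (an empty list means accepted).

    Sizes are counted in bytes of the UTF-8 form (assumption of this example).
    """
    parts = urlsplit(url)
    domain_and_path = parts.netloc + parts.path
    query = parts.query
    params = query.split("&") if query else []
    violations = []
    if len(domain_and_path.encode("utf-8")) > limits.url_max:
        violations.append("url")
    if len(params) > limits.max_params:
        violations.append("param-count")
    for p in params:
        if len(p.encode("utf-8")) > limits.param_max:
            violations.append("param")
            break  # one oversized parameter is enough to reject the request
    if len(url.encode("utf-8")) > limits.full_query_max:
        violations.append("full-query")
    return violations
```

Checking the per-element limits separately from the total is what lets a single oversized parameter be rejected even when the URL as a whole is short.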
HTTP headers: maximum size of elements (in bytes)
Number of lines per client request | Maximum number of lines (or headers) that a request can contain, from the client to the server (Min: 16; Max: 512). |
Number of ranges per client request | Maximum number of ranges that a request can contain, from the client to the server (Min: 0; Max: 1024). |
Number of lines per server response | Maximum number of lines (or headers) that a response can contain, from the server to the client (Min: 16; Max: 512). |
Maximum size of HTTP headers (in bytes)
AUTHORIZATION field | Maximum number of bytes for the AUTHORIZATION field, including formatting attributes (Min: 128; Max: 4096). |
CONTENTTYPE field | Maximum number of bytes for the CONTENTTYPE field, including formatting attributes (Min: 128; Max: 4096). |
HOST field | Maximum number of bytes for the HOST field, including formatting attributes (Min: 128; Max: 4096). |
COOKIE field | Maximum number of bytes for the COOKIE field, including formatting attributes (Min: 128; Max: 8192). |
Other fields | Maximum number of bytes for any other field, including formatting attributes (Min: 128; Max: 4096). |
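The header limits of the two tables above (lines per request and per response, ranges per client request, and the per-field byte limits), applied to a raw HTTP message as an added example written for this page and not the plugin's own code. "Including formatting attributes" is read here as the full header line (name, colon and value); the defaults are the upper bounds the page gives; the sample messages are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class HeaderLimits:
    lines_per_request: int = 512     # 16-512
    lines_per_response: int = 512    # 16-512
    ranges_per_request: int = 1024   # 0-1024
    field_max: Dict[str, int] = field(default_factory=lambda: {
        "authorization": 4096, "content-type": 4096, "host": 4096, "cookie": 8192})
    other_field_max: int = 4096      # every field not listed above


def count_ranges(range_value: str) -> int:
    """Number of byte ranges in a Range header value: 'bytes=0-99,200-299' -> 2."""
    _unit, _, spec = range_value.partition("=")
    return len([r for r in spec.split(",") if r.strip()]) if spec else 0


def check_headers(raw_message: bytes, limits: HeaderLimits, from_client: bool) -> List[str]:
    """Return the names of the limits a message violates (empty list means accepted)."""
    head = raw_message.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]   # drop the request or status line
    violations = []
    max_lines = limits.lines_per_request if from_client else limits.lines_per_response
    if len(lines) > max_lines:
        violations.append("line-count")
    for line in lines:
        name, _, value = line.partition(b":")
        key = name.strip().lower().decode("latin-1")
        limit = limits.field_max.get(key, limits.other_field_max)
        if len(line) > limit:   # whole line: name, colon and value
            violations.append(f"size:{key}")
        if from_client and key == "range":
            if count_ranges(value.decode("latin-1")) > limits.ranges_per_request:
                violations.append("range-count")
    return violations
```

Counting the Range header's ranges separately matters because a single short header line can still ask the server for a very large number of byte ranges.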
HTTP session parameters (in seconds)
Maximum request duration | Set to 30 seconds by default (Max: 600 seconds). |
HTTP protocol extensions
Allow Shoutcast support | This option allows transporting sound over HTTP. Examples: web radio, web TV. |
Allow WebDAV connections (reading and writing) | This option adds writing and locking features to HTTP, and also makes it easier to secure HTTPS connections. |
Allowed HTTP commands
List of allowed HTTP commands (in CSV format). The complete list of commands may not exceed 126 characters. Commands can be added or deleted using the Add and Delete buttons.
Prohibited HTTP commands
List of prohibited HTTP commands (in CSV format). The complete list of commands may not exceed 126 characters. Commands can be added or deleted using the Add and Delete buttons.
Support
Disable intrusion prevention | When this option is selected, the scan of the HTTP protocol is disabled and traffic is authorized if the filter policy allows it. |
Log each HTTP request | Enables or disables the logging of HTTP requests. |
“Proxy” tab
Connection
Keep original source IP address | When a web client (browser) sends a request to a server, the firewall intercepts it, checks that the request complies with URL filter rules, and then relays the request.
If this option is selected, the relayed request uses the original source IP address of the web client that sent the packet. Otherwise, the firewall’s address is used. |
URL filtering (Extended Web Control base only)
Action when classification of URL failed | The choice is either Pass or Block. If a URL has not been listed in a URL category, this action determines whether access to the site is authorized. |
Allow IP addresses in URLs | This option authorizes or denies the use of IP addresses in URLs, meaning access to a website by its IP address instead of its domain name. Such a method may be an attempt to bypass URL filtering.
If the option is not selected and the queried URL (containing an IP address) cannot be classified by the URL filtering system, access to it is blocked. However, this option is designed to be applied after the evaluation of the filter.
As a result, internal servers that are contacted by their IP addresses are not blocked if their access has been explicitly authorized in the filter policy (as opposed to the pass all policy). Such access can be authorized via the firewall’s basic Network objects (RFC 5735) or the “Private IP” group in the EWC URL database. |
NOTE
Regardless of whether the previous option has been selected, an IP address expressed differently from the format a.b.c.d will be systematically blocked.
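The decision logic of the "Allow IP addresses in URLs" option, the NOTE above it and the "Action when classification of URL failed" setting, written as an added example for this page (not the firewall's algorithm). The classifier and the explicit-authorization callback are stand-ins for the URL filter and the filter policy; the rule that a host is an "IP literal not written as a.b.c.d" when it is bracketed or its last label is purely numeric or hex-prefixed is a heuristic chosen for the example, and so is the reading that, when the option is selected, an unclassified dotted-quad URL falls under the general failed-classification action.

```python
import re
from typing import Callable, Optional
from urllib.parse import urlsplit

# Strict a.b.c.d: four decimal octets 0-255 with no leading zeros.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_DOTTED_QUAD = re.compile(rf"^(?:{_OCTET}\.){{3}}{_OCTET}$")


def url_host(url: str) -> str:
    """Host part of a URL, keeping the brackets of an IPv6 literal."""
    authority = urlsplit(url).netloc.rsplit("@", 1)[-1]
    if authority.startswith("["):
        return authority.split("]", 1)[0] + "]"
    return authority.split(":", 1)[0]


def host_kind(host: str) -> str:
    """'ipv4-dotted' (a.b.c.d), 'ip-other' (any other IP-literal spelling) or 'name'.

    Heuristic (assumption of this example): a bracketed host is an IPv6 literal, and a
    DNS name never ends in a purely numeric or 0x-prefixed label, so such a host is an
    IP written in another form (decimal, hex, octal, fewer than four parts).
    """
    host = host.lower().rstrip(".")
    if _DOTTED_QUAD.match(host):
        return "ipv4-dotted"
    if host.startswith("[") and host.endswith("]"):
        return "ip-other"
    last = host.rsplit(".", 1)[-1]
    if last.isdigit() or re.fullmatch(r"0x[0-9a-f]*", last):
        return "ip-other"
    return "name"


def decide_ip_url(url: str, allow_ip_in_urls: bool,
                  classify: Callable[[str], Optional[str]],
                  explicitly_authorized: Optional[Callable[[str], bool]] = None,
                  on_classification_failure: str = "block") -> str:
    """'pass' or 'block' for a URL.

    classify(host) returns the URL filter's verdict ('pass'/'block') or None when the
    host cannot be classified; explicitly_authorized(host) stands for an explicit
    allow in the filter policy, which is evaluated before this option.
    """
    host = url_host(url)
    kind = host_kind(host)
    if kind == "ip-other":
        return "block"  # NOTE on the page: any form other than a.b.c.d is always blocked
    if explicitly_authorized is not None and explicitly_authorized(host):
        return "pass"   # explicit filter-policy authorization wins (internal servers)
    verdict = classify(host)
    if verdict is not None:
        return verdict
    if kind == "ipv4-dotted" and not allow_ip_in_urls:
        return "block"  # option off + unclassified IP URL -> blocked
    return on_classification_failure
```

Evaluating the explicit authorization before the option is what preserves access to internal servers reached by address, exactly the ordering the page describes.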
HTTP protocol extensions
Allow WebDAV connections (reading and writing) | WebDAV is a set of extensions to the HTTP protocol for the editing and collaborative management of documents. If this option is selected, the WebDAV protocol is authorized on the Stormshield Network Firewall. |
Allow TCP tunnels (CONNECT method) | The CONNECT method allows building secure tunnels through proxy servers. If this option is selected, the CONNECT method is authorized on the Stormshield Network Firewall. |
TCP tunnels: List of allowed destination ports
In this zone, specify the services (destination ports) that can use the CONNECT method.
Destination port (service object) | The Add button allows you to add service objects from the object database. To modify a service, select the line to be modified and make your changes. Use the Delete button to delete the selected service. |
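The method-level settings of this page combined into one policy check, as an added example written for this page and not the product's own code: the allowed and prohibited HTTP command lists in CSV form with their 126-character limit (“IPS” tab), the WebDAV toggle, and the CONNECT toggle with its list of allowed destination ports. The sample lists are constructed, the set of WebDAV method names is the example's own, and the order in which the checks are evaluated (prohibited list, then CONNECT, then WebDAV, then allowed list) is an assumption.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# WebDAV extension methods as understood by this example (RFC 4918 names).
WEBDAV_METHODS = frozenset({"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"})
MAX_COMMAND_LIST_LEN = 126   # from the page: the whole CSV list may not exceed 126 characters


def parse_command_list(csv: str) -> FrozenSet[str]:
    """Parse a CSV list of HTTP commands, enforcing the 126-character limit."""
    if len(csv) > MAX_COMMAND_LIST_LEN:
        raise ValueError("command list exceeds %d characters" % MAX_COMMAND_LIST_LEN)
    return frozenset(c.strip().upper() for c in csv.split(",") if c.strip())


@dataclass(frozen=True)
class MethodPolicy:
    allowed: FrozenSet[str]
    prohibited: FrozenSet[str] = frozenset()
    allow_webdav: bool = False
    allow_connect: bool = False
    connect_ports: FrozenSet[int] = frozenset()   # TCP tunnels: allowed destination ports


def connect_target_port(target: str) -> Optional[int]:
    """Port of a CONNECT authority-form target such as 'host:443' or '[::1]:443'."""
    _host, sep, port = target.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def decide(request_line: str, policy: MethodPolicy) -> str:
    """'pass' or 'block' for one request line (evaluation order is this example's choice)."""
    try:
        method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return "block"  # malformed request line
    method = method.upper()
    if method in policy.prohibited:
        return "block"
    if method == "CONNECT":
        if not policy.allow_connect:
            return "block"
        port = connect_target_port(target)
        return "pass" if port in policy.connect_ports else "block"
    if method in WEBDAV_METHODS:
        return "pass" if policy.allow_webdav else "block"
    return "pass" if method in policy.allowed else "block"
```

Restricting CONNECT to a short list of ports is what keeps the proxy from being turned into a general-purpose TCP relay, which is why the page exposes the port list as a separate setting.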
Advanced properties
Protection quality
Check URL encoding | Selecting this option checks the encoding of URLs so that encoded URLs cannot be used to bypass the filter policy. |
Traffic sent to the server
Add authenticated user to HTTP header | If the external HTTP proxy requires user authentication, the administrator can select this option to send data regarding the user (collected by the firewall’s authentication module) to the external proxy. |
Explicit proxy
The explicit proxy allows referencing the firewall’s proxy in a browser and sending HTTP requests directly to it.
Enable "Proxy-Authorization" (HTTP 407) authentication | The browser prompts the user to authenticate through a message window, and the connection information is relayed to the firewall via the HTTP header.
NOTE
The "Proxy-Authorization" (HTTP 407) authentication method via the browser does not allow the SSL (certificates) and SPNEGO methods, as they do not involve the authentication portal, even though the portal needs to be enabled.
For further information, refer to the help for the Authentication module, in the section “Transparent or explicit HTTP proxy and Multi-user networks”. |
“ICAP” tab
HTTP response (reqmod)
The ICAP protocol targets mainly web and mail content. It provides HTTP proxies (for web) and SMTP relays (for mail) with an interface.
Send HTTP requests to the ICAP server | Each client request to a website is sent to the ICAP server. |
ICAP Server
Server | Indicates the ICAP server. |
ICAP Port | Indicates the ICAP port. |
Name of ICAP service | Indicates the name of the service to set up. This information varies according to the solution used, the ICAP server and the port used. |
Authentication on the ICAP server
Information available on the firewall can be used for performing ICAP services.
Example
It is possible to define in an ICAP server that a certain site is intended for a certain user. In this case, you will be able to filter according to an LDAP ID or an IP address.
Send the username/group name | This option sends information from the LDAP base (especially the logins of authenticated users) to the ICAP server. |
Send client’s IP address | This option sends the IP addresses of the HTTP clients that issue requests to the adapter (the object that translates between the ICAP format and the requested format). |
Advanced properties
Whitelist (will not be sent to the ICAP server)
HTTP server (Host – Network – Address range) | Adds hosts, networks or address ranges whose details will not be sent to the ICAP server. These items can be deleted from the list at any time. |
“Analyzing files” tab
Transferring files
Partial download | When a download is incomplete, for example due to a connection failure during a file download via HTTP, the user can resume the download from where the error occurred instead of downloading the whole file again. This is called a partial download: the download does not correspond to a whole file.
The option Partial download defines the behavior of the firewall’s HTTP proxy towards this type of download: |
File size limit [0-2147483647 (KB)] | Very large files downloaded from the internet via HTTP can degrade internet bandwidth for a long time. To avoid this, indicate the maximum size (in KB) that can be downloaded via HTTP. |
URLs excluded from the antivirus scan | A URL category or category group can be excluded from the antivirus scan. By default, there is a URL group named antivirus_bypass in the object database containing Microsoft update sites. |
File filter (MIME type)
Status | Indicates whether the filter is active or inactive. Two positions are available: “Enabled” or “Disabled”. |
Action | Indicates the action to be taken for the file in question, out of 3 possibilities: |
MIME type | Indicates the file content type to be matched by this field: text, an image, a video, etc.
Examples: “text/plain*”, “text/*”, “application/*” |
Maximum size for antivirus and sandboxing scan (KB) | This field corresponds to the maximum size of files that will be scanned. The default size depends on the firewall model: |
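The file filter (MIME type) table above and the File size limit setting of the Transferring files section, as an added example written for this page and not the product's own code. Rules are matched against the response's media type with the wildcard patterns the page shows (“text/plain*”, “text/*”, “application/*”); since the page's list of the three possible actions did not survive, the action values here are placeholders. First-match ordering of the rules and the handling of a response without Content-Length are assumptions of the example; the rule list is constructed.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class MimeRule:
    enabled: bool    # Status column: Enabled / Disabled
    action: str      # Action column (placeholder values; the page's three actions are not listed here)
    pattern: str     # MIME type with wildcard, as on the page: "text/plain*", "text/*"


def mime_type_of(content_type: str) -> str:
    """Media type without parameters, normalised: 'Text/HTML; charset=utf-8' -> 'text/html'."""
    return content_type.split(";", 1)[0].strip().lower()


def match_mime_rule(content_type: str, rules: List[MimeRule]) -> Optional[MimeRule]:
    """First enabled rule whose pattern matches the response's media type, in list order
    (first-match ordering is an assumption of this example); None if no rule matches."""
    mime = mime_type_of(content_type)
    for rule in rules:
        if rule.enabled and fnmatch.fnmatchcase(mime, rule.pattern.lower()):
            return rule
    return None


def exceeds_size_limit(content_length: Optional[int], limit_kb: int) -> bool:
    """File size limit [0-2147483647 (KB)]: True when the declared Content-Length is above it.

    A response without Content-Length (chunked transfer) cannot be judged up front;
    this example lets it through here (assumption), so the byte count would have to be
    enforced while the body streams.
    """
    if content_length is None:
        return False
    return content_length > limit_kb * 1024
```

The "*" in these patterns matches the rest of the type including the slash, so “text/*” covers every text subtype while “text/plain*” also matches parameterless variants such as a hypothetical “text/plainx”; putting the more specific pattern first is what makes the first-match order meaningful.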
Actions on files
When a virus is detected | This field contains 2 options. If “Block” is selected, the analyzed file will not be sent. If “Pass” is selected, the antivirus sends the file in its original form. |
When the antivirus scan fails | This option defines the behavior of the antivirus module if the analysis of the file it is scanning fails.
Example: the file could not be scanned because it was locked.
If Block has been specified, the file being scanned will not be sent. If Pass without scanning has been specified, the file being scanned will be sent. |
When data collection fails | This option defines the behavior of the antivirus module when information retrieval fails. It is possible to Block traffic, or Pass without scanning.
Example: if the hard disk has reached its capacity, information will not be downloaded. |
“Sandboxing” tab
Sandboxing
Status | This column displays the status ( |
File types | The sandboxing option allows scanning four types of files: |
Max size of scanned files (KB) | This field allows defining the maximum size of files that need to be sandboxed. By default, this value is equal to the one in the Maximum size for antivirus and sandboxing scan (KB) field in the File analysis tab. This value cannot be exceeded. |
Actions on files
When known malware has been identified | This field contains 2 options. By selecting “Block”, the analyzed file will not be sent. By selecting “Pass”, the file will be sent in its original form. |
When sandboxing fails | This option defines the behavior of the sandboxing option if the file scan fails. If Block has been specified, the file being scanned will not be sent. If Pass without scanning has been specified, the file being scanned will be sent. |