When the latest update fails you

Recently we had a pretty weird experience with the Barracuda Web Filters we are using. We noticed that a site that should be blocked is accessible for some users. The domain was tr553.com.

Here is why we believed it’s being blocked. On the Barracuda, you can check the categorization of a URL via the Content Filter Lookup functionality. As you can see the given domain was categorized as “Advertisements & Popups”.

02

On the Content Filter page, you can define whether a particular category is allowed or blocked. The advertisements category was clearly blocked on all devices.

03

But still, we could access the https://tr553.com site thru the proxy. Some of you may think, you must have had the SSL inspection turned off and that’s an HTTPS URL. Actually you are right. For various reasons (that will be another story) we have SSL inspection turned off on the web filters and that’s an HTTPS URL indeed. However, the Barracuda web filters are smart enough to enforce the content filter policies (actually all domain based restrictions) on HTTPS URLs even if you don’t have SSL inspection. And yes, usually it works just fine. But let’s go back to our little problem here. There is a pretty cool feature on the Barracuda, you can use its troubleshooting feature to test whether a particular user and/or client IP can access a page or not. As we did so with https://tr553.com, we got the following result.

05

That’s a deny!!! What Da FrozenCow?? So Barracuda says, “Hey, no worries I’m gonna block this site”, but in reality it ain’t block shit.

We tried one more thing, we visited http://533.com and guess what?! It was blocked! So if we didn’t use HTTPS, but HTTP, everything was good. I know what you’re thinking… it’s the SSL inspection. No, it’s not. Because a) I know from experience that the content filter blocks work perfectly with HTTPS sites and b) read further 🙂

This was the time when we started to test this on other devices – luckily we have a handful of Barracuda proxies :). There came the second surprise. On a different device (same settings), the request was blocked as it should have been.

06

We double checked everything, the two devices were identical in terms of configuration. My next idea was to remove the device from the rack and either burn it or sell it on eBay, then we realized the difference. We used the latest shinny firmware (version 12.whatever) on the first device, while we were still on v11 on the second device. Yes, the old firmware did its job perfectly, while the new one had a major bug.

Honestly I don’t understand this. Content filtering is a core (and basic) feature of a proxy server. How is it possible that a firmware is being released when it has a flaw in this core functionality. The only possible explanation is that these updates are tested properly. My problem is that we are talking about security products here!! In this example it was a advertisement site, so one could say “who cares?”, but the same functionality is used to block malicious sites or we have custom blacklists with plenty of domains.

What frustrates me is that the more I work on the defensive side, the more often I see things like this. It’s so disappointing.

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s