Default RDNS Policy Behavior in ProxySG and Advanced Secure Gateway (ASG)

Article ID: 169306

Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

In SGOS 6.5.9.10 and later, and in SGOS 6.6.5.1 and later, RDNS lookups are disabled by default.
In prior releases, RDNS lookups were enabled by default.

Cause

To prevent potential misuse of RDNS by malicious third parties, the ProxySG policy engine disables RDNS lookups by default
as of SGOS 6.5.9.10 and later, and as of SGOS 6.6.5.1 and later.

Refer to this Security Advisory for more information: SA130: Security Control Bypass Vulnerability in ProxySG, ASG, and CacheFlow

The following new CLI command supports this change: # (config) policy restrict-rdns { all | none } where all is the default setting.
 
The change in default behavior affects the following policy gestures if they attempt to trigger an RDNS lookup when the host is specified as an IP address:
  • client.host=
  • client.host.has_name=
  • request.header.Referer.url.category= (affects policy categories and local database lookups)
  • server_url.domain= (affects policy categories and local database lookups)
  • url= 
  • url.category= (affects policy categories and local database lookups)  
  • url.domain=
  • url.host= 


If a policy trace is performed on a transaction where the host is specified as an IP address, the trace contains an alert stating that the RDNS restriction has been enabled:

client.host: <unset> (rdns resolution: lookup restricted by policy) 

Resolution

To change the default behavior in SGOS 6.5.9.10 and later, and in SGOS 6.6.5.1 and later, and restore RDNS lookups, perform one of the following:


1) To re-enable RDNS lookups globally, from the CLI of the proxy:

#(config) policy restrict-rdns none

2) To restrict RDNS globally except for a specified list, through the VPM, do the following:

In the VPM, open the Configuration link on the top toolbar and select Set Reverse DNS lookup Restrictions. The top box MUST be set to ALL Restrictions (so that RDNS lookups remain restricted). In the bottom box, select Listed Subnets and add the subnets for which RDNS lookups are to be performed (these subnets become the exceptions to the restriction).


3) To restrict RDNS globally except for a specified list, using CPL, add the following policy to the local CPL file:

restrict rdns
    all
    except
    <list of IP addresses or subnets>
end

When installing policy, you will see the following warning if the restriction is not in effect:

Warning: Restriction has no effect - restrictions missing or overridden: 'rdns'
 
This warning means that either the CPL restrict rdns block does not contain the "all" keyword, or the top box in the VPM configuration was not set to "all", so the RDNS restriction is no longer set to "all".
It also means that RDNS is no longer restricted and the ProxySG will perform RDNS lookups for all hosts.

Even though the global behavior of the ProxySG is to restrict all RDNS lookups, when adding exceptions in policy you must explicitly set the policy to restrict all, because any RDNS restriction defined in policy overrides the global RDNS setting entirely.
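The override behavior described above (a policy-level restrict rdns block replaces the global restrict-rdns setting, and a block without "all" leaves RDNS unrestricted for every host) is modelled in the following Python. This is an added illustration, not SGOS or Broadcom code: the parser, the two CPL fragments and the helper names (parse_restrict_rdns, install_warnings, rdns_permitted) are constructed for this example and understand only the all, except and end keywords shown in this article.

```python
"""Model of the SGOS 'restrict rdns' behaviour described in this article.

Added illustration, not SGOS or Broadcom code. It parses a minimal
'restrict rdns ... end' CPL block (only the 'all', 'except' and 'end'
keywords shown above are understood) and decides whether the proxy would
perform a reverse-DNS lookup for a given host IP. Helper names and the two
sample CPL fragments are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed CPL: the form recommended in the article, with 'all' present.
CPL_WITH_ALL = """
; keep RDNS restricted everywhere except the listed addresses
restrict rdns
    all
    except
    10.1.0.0/16
    192.0.2.7
end
"""

# Constructed CPL: same intent but 'all' is missing, so the block overrides
# the global restriction with an exception list that restricts nothing.
CPL_MISSING_ALL = """
restrict rdns
    except
    10.1.0.0/16
end
"""

RDNS_WARNING = ("Warning: Restriction has no effect - "
                "restrictions missing or overridden: 'rdns'")


@dataclass
class RdnsRestriction:
    present: bool = False          # a 'restrict rdns' block exists in policy
    restrict_all: bool = False     # the block contains the 'all' keyword
    exceptions: list = field(default_factory=list)  # ip_network objects


def parse_restrict_rdns(cpl: str) -> RdnsRestriction:
    """Extract the first 'restrict rdns' block from CPL text."""
    result = RdnsRestriction()
    in_block = in_except = closed = False
    for raw in cpl.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' begins a CPL comment
        if not line:
            continue
        if not in_block:
            if line == "restrict rdns":
                in_block = result.present = True
            continue
        if line == "end":
            closed = True
            break
        if line == "all":
            result.restrict_all = True
        elif line == "except":
            in_except = True
        elif in_except:
            # Accept single addresses or CIDR subnets; bad input raises ValueError.
            result.exceptions.append(ipaddress.ip_network(line, strict=False))
        else:
            raise ValueError(f"unexpected token in restrict rdns block: {line!r}")
    if in_block and not closed:
        raise ValueError("restrict rdns block is missing its 'end'")
    return result


def install_warnings(policy: RdnsRestriction) -> list:
    """Warnings that policy installation reports, per the article."""
    if policy.present and not policy.restrict_all:
        return [RDNS_WARNING]
    return []


def rdns_permitted(host_ip: str, policy: RdnsRestriction,
                   global_restrict_all: bool = True) -> bool:
    """Would the proxy perform an RDNS lookup for this IP-specified host?

    global_restrict_all mirrors '# (config) policy restrict-rdns all', the
    default in SGOS 6.5.9.10+ / 6.6.5.1+. A policy-level block overrides it.
    """
    ip = ipaddress.ip_address(host_ip)
    if not policy.present:
        return not global_restrict_all
    if not policy.restrict_all:
        return True                # restriction has no effect: RDNS for every host
    return any(ip in net for net in policy.exceptions)


if __name__ == "__main__":
    for name, text in (("with all", CPL_WITH_ALL), ("missing all", CPL_MISSING_ALL)):
        pol = parse_restrict_rdns(text)
        print(name, install_warnings(pol),
              "10.1.5.5 ->", rdns_permitted("10.1.5.5", pol),
              "203.0.113.9 ->", rdns_permitted("203.0.113.9", pol))
```

Running the script shows the two outcomes side by side: with "all" present, only 10.1.5.5 (inside the excepted 10.1.0.0/16) gets an RDNS lookup; with "all" missing, the installation warning is produced and both addresses are looked up, which is exactly the situation the warning text describes.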
