WebDAV is an extension to the HTTP protocol described in RFC 2518. There are vulnerabilities in Windows applications that could be exploited over WebDAV. Therefore, blocking outbound WebDAV traffic is a best practice.
It is possible to use the Modular Policy Framework feature of the ASA/PIX to inspect HTTP traffic and block MS WebDAV methods. Nevertheless, other applications may be making use of those methods, so you shouldn't implement this policy if you are not sure of the consequences.
Below is an example of the policy needed to block WebDAV outbound traffic, using the default global policy:
regex x-ms-enumatts "X-MS-ENUMATTS"
class-map type inspect http match-any blocked_http_methods
 match request method bcopy
 match request method bdelete
 match request method bmove
 match request method bpropfind
 match request method bproppatch
 match request method copy
 match request method delete
 match request method lock
 match request method mkcol
 match request method move
 match request method notify
 match request method poll
 match request method propfind
 match request method proppatch
 match request method search
 match request method subscribe
 match request method unlock
 match request method unsubscribe
 match request method regex x-ms-enumatts
!
policy-map type inspect http http_policy
 class blocked_http_methods
  drop-connection log
!
policy-map global_policy
 class inspection_default
  inspect http http_policy
!
This policy matches any HTTP request that uses one of those methods, drops the connection and logs the event. Traffic using other methods is silently allowed.
asa(config)# end
asa# wr mem
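Because the list includes general-purpose methods such as DELETE, it helps to check existing outbound traffic before enabling the policy. The following is an added example, not part of the original post: a Python audit that reports which clients and destinations the class-map above would drop. The log layout (`<timestamp> <client_ip> <METHOD> <url>`) and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Methods named in the post's blocked_http_methods class-map.
BLOCKED_METHODS = {
    "BCOPY", "BDELETE", "BMOVE", "BPROPFIND", "BPROPPATCH", "COPY", "DELETE",
    "LOCK", "MKCOL", "MOVE", "NOTIFY", "POLL", "PROPFIND", "PROPPATCH",
    "SEARCH", "SUBSCRIBE", "UNLOCK", "UNSUBSCRIBE",
}
# Mirrors: regex x-ms-enumatts "X-MS-ENUMATTS" (matched against the method).
METHOD_REGEX = re.compile(r"X-MS-ENUMATTS")
# Assumed (hypothetical) log layout: "<timestamp> <client_ip> <METHOD> <url>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def would_drop(method):
    """True if the class-map in the post would match this request method."""
    # Compared case-insensitively so the audit errs on the side of flagging.
    return method.upper() in BLOCKED_METHODS or bool(METHOD_REGEX.search(method))

def audit(lines):
    """Count (client, method, host) tuples the policy would drop."""
    hits, skipped = Counter(), 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # keep a count so malformed lines are not hidden
            continue
        _, client, method, url = m.groups()
        if would_drop(method):
            host = re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/")[0]
            hits[(client, method.upper(), host)] += 1
    return hits, skipped

# Constructed sample log lines, not real traffic.
SAMPLE = [
    "2024-01-01T10:00:00Z 192.0.2.10 GET http://www.example.com/index.html",
    "2024-01-01T10:00:01Z 192.0.2.10 PROPFIND http://files.example.net/share/",
    "2024-01-01T10:00:02Z 192.0.2.11 DELETE http://api.example.org/v1/items/7",
    "2024-01-01T10:00:03Z 192.0.2.11 DELETE http://api.example.org/v1/items/8",
    "2024-01-01T10:00:04Z 192.0.2.12 X-MS-ENUMATTS http://files.example.net/share/",
    "2024-01-01T10:00:05Z 192.0.2.12 POST http://www.example.com/form",
    "malformed line",
]

if __name__ == "__main__":
    hits, skipped = audit(SAMPLE)
    for (client, method, host), count in sorted(hits.items()):
        print(f"{client} {method} {host} x{count}")
    print(f"unparsed lines: {skipped}")
```

Any client and host pair in the output is traffic that would start failing once the policy is applied, so review those entries first.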
A big thank you for this detailed post. I used this to implement a similar policy in a Citrix Netscaler's web application firewall.
Rusty Nejdl
@Rusty Nejdl
Thanks Rusty
I love reading this article, so beautiful!! Great job!
Security Systems