This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Please have one of the team that failed to protect vBulletin with the UTM's WAF explain why it doesn't work

We've been told that this was attempted, but that it failed.  What do I need to do to protect my clients? Should I tell them to stop trusting the UTM's reverse proxy to protect their servers?

Certainly, a professional team would have documented their work, if only to prove to their superiors that they weren't malingerers.  We, as customers and partners, need to understand what, specifically, was attempted and what, specifically, failed to remove the risk.

It's really that simple - either the UTM should have been deployed to protect our community using vBulletin on astaro.org or the WAF is not effective.

Which is it?

Cheers - Bob



This thread was automatically locked due to age.
Parents
  • Talking to our IT Security team as I understand it, it wasn't a problem with the UTM's WAF feature not protecting against the latest vulnerability. Had they tried that it would, and I'll play safe here, most likely been very effective in protecting the site.

    It wasn't a single vulnerability that they were looking to protect against. Since the site has not been updated since very early 2011 they looked at the site as a whole and what is best for the site, its content, and you the user. As they knew - and it's no secret as I was posting it to Astaro.org - we had the intention of migrating the boards to this community the conclusion was not to update/patch/implement new protection features for this particular vulnerability, but instead to lock down the site.

     - - - - - - - - - - - -

    Communities Moderator, SOPHOS
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Protecting a bulletin board where directories are dynamically created would probably have been tough to protect using WAF. Not because it can't be done, I think the overhead in fine tuning would have been tremendous. If you look at the actual video concept of the attack, writing to directories can indeed be protected using WAF but at a cost of some functionality.

    I think nuking the forum was probably the best call short of moving it to a newer version of some other system like phpbb etc. Since sophos had already decided to move the content to this site, more licensing fees etc probably didn't make sense to run a sub forum that looked different than their community website.

    In any case, its water under the bridge. Nobody that made the decision to kill astaro.org is posting to these boards and I don't want to make into a punching bag since he is about the only one willing to engage with the community.

    P.S. Trying a positive outlook today. Lets see how long it lasts ;)
  • Thanks for your insight into why this was probably for the best, Bill, and you're right, Ruckus is a good guy.

    But your comments also lead me to believe that WAF would have been a good solution if all posting and editing had been disabled - possibly using the same methods as the locked forums. That, at least, would have kept the old system online for easier consultation and searching.

    I'm certain that the person that pulled the plug had no idea of the damage that would be done. I'm equally certain that whoever it was did not consult Ruckus or any of his managers up several levels. Until someone comes forward with a credible mea culpa, it will be hard for many of us to suspend disbelief in what we're told.

    Cheers - Bob
    PS At any minute, I, along with six other members of the original User BB, will have access to test the astaro.org content ported to this new Community. It was supposed to have been available for over nine hours already, but I'm hopeful that we'll have the resource back this week.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • Thanks for your insight into why this was probably for the best, Bill, and you're right, Ruckus is a good guy.

    But your comments also lead me to believe that WAF would have been a good solution if all posting and editing had been disabled - possibly using the same methods as the locked forums. That, at least, would have kept the old system online for easier consultation and searching.

    I'm certain that the person that pulled the plug had no idea of the damage that would be done. I'm equally certain that whoever it was did not consult Ruckus or any of his managers up several levels. Until someone comes forward with a credible mea culpa, it will be hard for many of us to suspend disbelief in what we're told.

    Cheers - Bob
    PS At any minute, I, along with six other members of the original User BB, will have access to test the astaro.org content ported to this new Community. It was supposed to have been available for over nine hours already, but I'm hopeful that we'll have the resource back this week.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • I like your style Bob. You sir are a gentleman [;)] You know better than most of us the capabilities of WAF, yet your humble postings speak volumes about the kind of person you are [:D]

    Bottom line, someone hosed the database on astaro.org. It took them almost a month to get it to read only status. Thats the functionality that is built in the vbulletin software. I can just imagine if they had to deploy WAF. You are also correct that deploying WAF on static directories is very easy, therefore I will let you fill in the blanks.

    Regarding access to original astaro.org content, I noticed that our post counts went up all of a sudden but didn't see anything from any of the sophos people. Hope they get it sorted correctly.

    Regards
    Bill

  • For those that are interested, some of us mods are looking at the imported Astaro.org forums now, and things look good so far. Should see these publicly soon I think.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.