Firewall Wizards mailing list archives
RE: Proxy 2.0 secure? (about ms protocol stack)
From: "Choi, Byoung" <bchoi () visa com>
Date: Thu, 25 Jun 1998 10:52:51 -0700
normally, i'll try to keep my mouth shut, but... ms tcp/ip stack is substantially less mature than, say, unix' (both bsd & s5, i don't know what else there is to compare...). ms stack seems particularly vulnerable to faulty ip fragments and various malformed packets. we tried various ways to tighten up the nt box - take out most of the ms net services, disable all tcp/ip ports except for a few that are used - and the machine still chokes (even when the malformed packets/packet fragments are addressed to ports that are disabled). this isn't an issue of how resilient the protocol stack is, but an issue of whether it can handle any unusual (but very much possible and maybe even probable) contingencies, as it must - i.e. whether it is functioning at all as it is supposed to.

i notice a similar problem afflicting linux boxes - not surprising, since both have relatively newly written protocol stacks, as compared to bsd/s5 which had decades to sort out these little bugs. the difference is that linux, with its open source, has these hacks looking thru the source and pointing out the problems in public (as opposed to some malicious hack keeping the info for his own purposes), and often pointing out a fix/patch for the problem. with ms, you'll only find out if you scour these hack sites, or if the problem comes and bites you.

it'll be nice if ms has a service (and i think it should be free, since we paid for properly working software) to send out new patches ("hotfixes") to their customers as soon as they become available (maybe there is. if so, i'll be thankful if you send me the info on how to get the service), but at any rate, their finding of bugs and their fixes will be much slower compared to the open source packages that get reviewed by millions. (maybe ms knows that its protocol stack doesn't stack up (excuse the pun), so it's not in their interest to publicize in any way all the bugs that are not sorted out.)
i hear ms is buying a reliable, time-tested protocol stack source from a third party for their nt 5 release, which should make things a bit better, but until then, i wouldn't put any ms nt boxes exposed to the net if you want them to stay up and be useful. this whole babble applies, of course, if the ms proxy runs on nt, as i assume it does. i haven't had any experience with ms proxy, to be honest...

b-

(here's a pot-shot: why don't nt problems get reported by CERT? because... nevermind, i pissed off enough people for a lifetime's worth already... ;-)

----------
From: Grigorof, Adrian
Sent: Wednesday, June 24, 1998 8:50 AM
To: Firewall-wizards
Subject: RE: Proxy 2.0 secure?

I haven't heard so far about networks hacked due to vulnerabilities in MS Proxy... but God, how many have been hacked due to badly configured "real" firewalls! I would like to hear about an attack through MS Proxy, but I am afraid I may not live long enough... Disable all the services on the external interface and show me how one can rename files, use User Manager and so on - this is really ridiculous! The MS TCP/IP stack, as well as 99% of TCP/IP stacks, is vulnerable to Denial of Service attacks - nothing new under the Sun. I also constantly check www.ntsecurity.net - NOTHING that would help someone attacking from the Internet a network secured with MS Proxy. Can anyone remember when CERT sent any "warnings" about MS Proxy? WinSock major problem etc. - can you give more details? Also, what has MS PPTP to do with MS Proxy? I agree to hammer MS when they screw up, they may be M$ (as opposed to the other guys that are in the business just for the pleasure) but hey, be objective, it helps! Anyway, speaking of $, how much is Proxy and how much is, let's say, Eagle Firewall? I can tell you: MS Proxy ~ 1,000$, Eagle ~ 15,000$.

Adrian Grigorof

> -----Original Message-----
> From: Stout, Bill [SMTP:StoutB () pios com]
> Sent: Thursday, June 18, 1998 4:48 PM
> To: Firewall-wizards
> Subject: RE: Proxy 2.0 secure?
>
> I have yet to see a _truly_ secure product from Microsoft. MSProxy2.0 is
> useful as an internal caching system, or a low-security gateway to the
> internet for very small networks.
>
> MSProxy is based on IIS, in which many security vulnerabilities were
> found, such as issues of .cmd, .asp, ftp redirections, buffer overflows,
> long URLs, security not applied to files >8.3 characters, under stress
> scripts may run with system privs, etc.
>
> MSProxy uses the MS TCP stack, which has had many frailties to IP attacks
> such as LAND, Ping of death, ping of death-2, smurf, teardrop, teardrop-2,
> WinNuke, and other variants.
>
> WinSOCK is a major problem, as it exposes ports of internal systems to
> attacks from the outside.
>
> MSProxy 1.0 was never a firewall. MSProxy 2.0 is a completely new product,
> and essentially is v1.0. For security/stability reasons it's wise to avoid
> v1.0 products at least until the patches come out (called service paks in
> politically correct lingo). MSProxy 1.0 has a multitude of security issues
> that 2.0 fixes though. I would submit there is a precedent of insecurity
> with the product, and wait for a good amount of experience to be built up
> before placing trust in it.
>
> In 1986 I created the NTexploit list, much of the exploits new and shocking
> at the time, but not much research was needed to create it. It was a
> jumping point for many new NT security discoveries, and I noted quite an
> increase in discoveries of security flaws/fixes since then. A fanatically
> updated version of it is at http:/www.ntsecurity.net/ . The point is that
> even when NTsecurity folk think that an installation is pretty well
> secured, some new thing is discovered which again shakes their confidence
> in the security of NT, until the next quiet period.
>
> Recently mnemonix discovered that various applications can be renamed to
> \winnt\system32\logon.scr (the logon screen saver) which run either with
> file owner privs or 'system' privs. Applications such as usermanager can
> be used to add a user to local admin groups and then domain admin groups.
> That's an example of so simple a thing that should've been discovered long
> ago. (Research on the behaviour is still being conducted.)
>
> PPTP is used as the VPN of MSProxy, and it has many security issues such
> as:
>   Easily broken MS-CHAP (challenge/response)
>   MPPE does not encrypt all PPP packets
>   Session key is derived from the user's password, is not 40 or 128-bit
>   strength
>   Same key is used in both directions of the stream cipher
>   You can flip bits in the RC4 cipher stream to attack tunneled protocols
> See: http://www.counterpane.com/pptp.html or postings by Aleph One in
> NTBugtraq. PPTP is going away in NT5.0 anyway.
>
> Too many firewalls are reviewed and judged as if they were desktop user
> products instead of security products, then given points for feature-bloat
> rather than penalized for opening too many holes. I place the blame
> directly on magazine reviewers and the managers who swear by them.
>
> Bill Stout
>
> > ----- Original Message -----
> > From: Gillian Steele [SMTP:gillian () spiceisle com]
> > Reply To: Gillian Steele [SMTP:gillian () spiceisle com]
> > Sent: Wednesday, June 17, 1998, 18:44:19
> > To: Stout, Bill
> > Subject: Re: Proxy 2.0 secure?
> >
> > [To unsubscribe, send mail to majordomo () lists gnac net with
> > "unsubscribe firewalls" in the body of the message.]
> > -
> > >I can tell you that if you are using MSProxy2.0 as a firewall, which is
> > >also a domain member server, you are asking for exposure of your NT
> > >domain information, including users, groups, service accounts, etc.
> >
> > So, if you're really worried about this, use MSP 2.0 on its own NT box
> > and set up a one-way trust relationship between the NT domain and the
> > box running MSP 2.0 and you're sitting pretty. You can set up a
> > standalone box to do this for less than $3,500 (less than $2,500 if you
> > go with the cheap PC running NT server).
> >
> > I have heard of NO hackers getting past a properly configured MSP 2.0
> > server to access the internal LAN, whether MSP was running on its own
> > box or otherwise. Have you?
> >
> > Recent tests have shown that MSP 2.0 is just as effective a firewall as
> > other NT-based (and other) firewalls. As it's cheaper too and integrates
> > very well with a LAN based on the NT domain model, it was and remains my
> > first choice for NT-based LANs for small to medium-sized offices. Its
> > lack of reporting tools makes it difficult for me to recommend it for
> > use in large installations. Right now I'm using it with a 164-node LAN.
> >
> > If you want the URL for those tests, please e-mail me (I have it stored
> > on the PC in the office!).
> >
> > Regards,
> > Brian
> > ----- End Of Original Message -----
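The fragment complaints in this thread (Choi's "faulty ip fragments" and the teardrop/teardrop-2 entries in Bill's list) come down to one check a stack must get right: an overlapping fragment must never produce a negative copy length. The following is an added, constructed example, not code from any poster here and not from any real stack: a simplified IPv4 reassembler that refuses overlapping, oversized and inconsistent fragments, shown next to the signed arithmetic that a teardrop-shaped overlap drives negative. Offsets are taken already in bytes (the IP header stores them in 8-byte units), the fragment sets are made up, and rejecting overlap outright is a hardening choice stricter than RFC 815.

```python
"""Constructed example: defensive IPv4 fragment reassembly.

Not code from this thread or from any real stack. Offsets are already in
bytes (the IP header stores them in 8-byte units). The fragment sets at
the bottom are made up to exercise the checks.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

MAX_DATAGRAM = 65535  # largest IPv4 datagram, header included


@dataclass(frozen=True)
class Fragment:
    offset: int      # byte offset of this piece in the original datagram
    payload: bytes
    more: bool       # the MF (more fragments) flag


class FragmentError(ValueError):
    """Raised for fragment sets a hardened stack should drop."""


def naive_trim_len(prev_end: int, frag: Fragment) -> int:
    """Teardrop-class arithmetic (simplified): trim an overlapping fragment
    so it starts at the end of the previous one, then take end - start as
    the number of bytes to copy. When the fragment also *ends* inside the
    previous one, the result is negative; a copy routine that treats that
    length as unsigned copies far past the buffer and crashes the host."""
    start = max(frag.offset, prev_end)
    end = frag.offset + len(frag.payload)
    return end - start


def reassemble(frags: Iterable[Fragment]) -> Optional[bytes]:
    """Rebuild the datagram, or return None while pieces are still missing.

    Raises FragmentError for anything that overlaps data already seen,
    runs past the 64 KiB datagram limit, or claims to be the final piece
    while higher-offset pieces exist. Refusing overlap is stricter than
    RFC 815 but is the safe policy: legitimate senders never overlap.
    """
    ordered = sorted(frags, key=lambda f: f.offset)
    if not ordered:
        raise FragmentError("no fragments")
    buf = bytearray()
    expected = 0                      # next byte offset we still need
    last_idx = len(ordered) - 1
    for idx, f in enumerate(ordered):
        end = f.offset + len(f.payload)
        if end > MAX_DATAGRAM:
            raise FragmentError(f"fragment ends at {end}, beyond {MAX_DATAGRAM}")
        if f.offset < expected:
            raise FragmentError(f"overlap: fragment at {f.offset} inside data up to {expected}")
        if f.offset > expected:
            return None               # gap: wait for the missing piece
        if not f.more and idx != last_idx:
            raise FragmentError(f"fragment at {f.offset} claims to be final but more follow")
        buf += f.payload
        expected = end
    if ordered[-1].more:
        return None                   # final (MF=0) fragment not yet seen
    return bytes(buf)


# Constructed fragment sets (made up for this example).
GOOD = [Fragment(0, b"A" * 16, True), Fragment(16, b"B" * 8, False)]
# Teardrop shape: the second piece starts inside the first and ends inside it too.
TEARDROP = [Fragment(0, b"A" * 36, True), Fragment(24, b"B" * 4, False)]
INCOMPLETE = [Fragment(0, b"A" * 16, True)]


def demo() -> dict:
    """Run the three sets through both the naive arithmetic and the checker."""
    results = {"good": reassemble(GOOD),
               "teardrop_naive_len": naive_trim_len(36, TEARDROP[1]),
               "incomplete": reassemble(INCOMPLETE)}
    try:
        reassemble(TEARDROP)
        results["teardrop"] = "accepted"
    except FragmentError as err:
        results["teardrop"] = f"dropped: {err}"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point of `naive_trim_len` is only the sign of the result: -8 for the teardrop set is the value a careless copy interprets as a huge unsigned length. A stack that validates `offset >= expected` before touching any buffer, as `reassemble` does, never reaches that arithmetic.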
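Two of the PPTP/MPPE items in Bill's list (the same key in both directions of the stream cipher, and flipping bits in the RC4 cipher stream to attack tunneled protocols) are generic properties of an unauthenticated stream cipher rather than anything specific to PPTP. The following is an added, constructed example, not code from this thread and not MPPE's real framing or key schedule: a toy tunnel that RC4-encrypts both directions under one key with no integrity check. It assumes, as a simplification, that both directions start from the same keystream position; the key and messages are made up.

```python
"""Constructed example: what an attacker can do to an unauthenticated
RC4 tunnel that reuses one key in both directions.

Not MPPE itself and not code from the thread; the RC4 implementation is
the textbook KSA + PRGA, and the session key and messages are made up.
"""


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key (textbook KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < n:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; for a stream cipher both are the same XOR."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def flip_plaintext(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker-side edit without the key: change the plaintext bytes at
    `offset` from `old` to `new` by XORing the ciphertext with old ^ new.
    C ^ (P_old ^ P_new) = (P_old ^ K) ^ P_old ^ P_new = P_new ^ K, so the
    receiver decrypts to P_new and, with no MAC, cannot tell."""
    if len(old) != len(new):
        raise ValueError("old and new must have the same length")
    edited = bytearray(ciphertext)
    for i, delta in enumerate(xor_bytes(old, new)):
        edited[offset + i] ^= delta
    return bytes(edited)


def recover_reverse_direction(ct_known: bytes, pt_known: bytes, ct_other: bytes) -> bytes:
    """Two-time pad: if both directions use the same keystream, then
    C1 ^ C2 = P1 ^ P2, so a known (or guessed) P1 exposes P2 byte for byte."""
    n = min(len(ct_known), len(pt_known), len(ct_other))
    return xor_bytes(xor_bytes(ct_known[:n], pt_known[:n]), ct_other[:n])


# Constructed session: a made-up key and two made-up tunneled messages.
SESSION_KEY = b"weak-password-derived-key"
CLIENT_MSG = b"PAY amount=0100 to=acct-42"   # 26 bytes, amount at offset 11
SERVER_MSG = b"OK balance=9950 ref=7f3a1c"   # 26 bytes


def demo() -> tuple:
    """Return (what the server decrypts after tampering, recovered server reply)."""
    c2s = rc4_crypt(SESSION_KEY, CLIENT_MSG)   # client -> server
    s2c = rc4_crypt(SESSION_KEY, SERVER_MSG)   # server -> client, same key

    # 1. Bit flipping: the attacker knows the amount field reads "0100" at
    #    offset 11 and rewrites it to "9100" without knowing the key.
    tampered = flip_plaintext(c2s, 11, b"0100", b"9100")
    seen_by_server = rc4_crypt(SESSION_KEY, tampered)

    # 2. Key reuse: knowing the client message (a predictable request is
    #    enough), the attacker recovers the server's reply from ciphertext.
    recovered_reply = recover_reverse_direction(c2s, CLIENT_MSG, s2c)
    return seen_by_server, recovered_reply


if __name__ == "__main__":
    seen, recovered = demo()
    print("server decrypts:", seen)
    print("attacker recovers:", recovered)
```

Neither attack needs the key or any RC4 weakness; they follow from the XOR structure alone. The fixes are the standard ones: a separate key per direction, and a MAC (or an AEAD mode) over every packet so that a flipped ciphertext bit is rejected instead of silently decrypted.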
Current thread:
- RE: Proxy 2.0 secure? (about ms protocol stack) Choi, Byoung (Jun 25)
- Re: Proxy 2.0 secure? (about ms protocol stack) tqbf (Jun 26)
- <Possible follow-ups>
- RE: Proxy 2.0 secure? (about ms protocol stack) Eric Arnold (Jun 26)
- RE: Proxy 2.0 secure? (about ms protocol stack) Choi, Byoung (Jun 26)