Firewall Wizards mailing list archives

RE: Proxy 2.0 secure?


From: "Stout, Bill" <StoutB () pios com>
Date: Thu, 18 Jun 1998 16:48:13 -0400

I have yet to see a _truly_ secure product from Microsoft.  MSProxy2.0
is useful as an internal caching system, or a low-security gateway to
the internet for very small networks.

MSProxy is based on IIS, in which many security vulnerabilities were
found, such as issues of .cmd, .asp., ftp redirections, buffer
overflows, long URLs, security not applied to files >8.3 characters,
under stress scripts may run with system privs, etc.

MSProxy uses the MS TCP stack, which has had many frailties to IP
attacks such as LAND, Ping of death, ping of death-2, smurf, teardrop,
teardrop-2, WinNuke, and other variants.

WinSOCK is a major problem, as it exposes ports of internal systems to
attacks from the outside.

MSProxy 1.0 was never a firewall.  MSProxy 2.0 is a completely new
product, and essentially is v1.0.  For security/stability reasons it's
wise to avoid v1.0 products at least until the patches come out (called
service paks in politically correct lingo).  MSProxy 1.0 has a multitude
of security issues that 2.0 fixes though.  I would submit there is a
precedent of insecurity with the product, and wait for a good amount of
experience to be built up before placing trust in it.

In 1986 I created the NTexploit list; many of the exploits were new and
shocking at the time, but not much research was needed to create it.  It
was a jumping point for many new NT security discoveries, and I noted
quite an increase in discoveries of security flaws/fixes since then.  A
fanatically updated version of it is at http://www.ntsecurity.net/ .  The
point is that even when NTsecurity folk think that an installation is
pretty well secured, some new thing is discovered which again shakes
their confidence in the security of NT, until the next quiet period.

Recently mnemonix discovered that various applications can be renamed to
\winnt\system32\logon.scr (the logon screen saver) which run either with
file owner privs or 'system' privs.  Applications such as usermanager
can be used to add a user to local admin groups and then domain admin
groups.  That's an example of so simple a thing that should've been
discovered long ago.  (Research on the behaviour still being conducted).

PPTP is used as the VPN of MSProxy, and it has many security issues such
as:
        Easily broken MS-CHAP (challenge/response)
        MPPE does not encrypt all PPP packets
        Session key is derived from the user's password, and is not of
        40- or 128-bit strength
        Same key is used in both directions of the stream cipher
        You can flip bits in the RC4 cipher stream to attack tunneled
        protocols
See: http://www.counterpane.com/pptp.html or postings by Aleph One in
NTBugtraq.  PPTP is going away in NT5.0 anyway.

Too many firewalls are reviewed and judged as if they were desktop user
products instead of security products, then given points for
feature-bloat rather than penalized for opening too many holes.  I place
the blame directly on magazine reviewers and the managers who swear by
them.

Bill Stout

----- Original Message -----
From: Gillian Steele [SMTP:gillian () spiceisle com]
Reply To:     Gillian Steele [SMTP:gillian () spiceisle com]
Sent: Wednesday, June 17, 1998, 18:44:19
To:   Stout, Bill
Subject:      Re: Proxy 2.0 secure?

I can tell you that if you are using MSProxy2.0 as a firewall, which is
also a domain member server, you are asking for exposure of your NT
domain information, including users, groups, service accounts, etc.

So, if you're really worried about this, use MSP 2.0 on its own NT box
and set up a one-way trust relationship between the NT domain and the
box running MSP 2.0 and you're sitting pretty.  You can set up a
standalone box to do this for less than $3,500 (less than $2,500 if you
go with the cheap PC running NT server).

I have heard of NO hackers getting past a properly configured MSP 2.0
server to access the internal LAN, whether MSP was running on its own
box or otherwise.  Have you?

Recent tests have shown that MSP 2.0 is just as effective a firewall as
other NT-based (and other firewalls).  As it's cheaper too and
integrates very well with a LAN based on the NT domain model, it was and
remains my first choice for NT-based LANs for small to medium-sized
offices.  Its lack of reporting tools makes it difficult for me to
recommend it for use in large installations.  Right now I'm using it
with a 164-node LAN.

If you want the URL for those tests, please e-mail me (I have it stored
on the PC in the office!).

Regards,
Brian
----- End Of Original Message -----
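An added example, not part of either message in this thread, illustrating two of the PPTP weaknesses Bill lists above: an RC4 stream cipher with no integrity check is malleable (a bit flipped in the ciphertext flips the same bit in the decrypted plaintext), and reusing one key for both directions lets the two ciphertexts be XORed to cancel the keystream. The key and messages are constructed, and only the stream-cipher properties are modelled, not MPPE's actual framing; the HMAC check at the end is the kind of integrity protection whose absence makes the bit-flip go unnoticed.

```python
import hmac
import hashlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < n:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same operation: XOR with the keystream."""
    return xor(data, rc4_keystream(key, len(data)))


def flip_bits(ciphertext: bytes, mask: bytes) -> bytes:
    """Malleability: a mask XORed into the ciphertext lands, unchanged,
    in the plaintext after decryption, because the keystream cancels."""
    return xor(ciphertext, mask.ljust(len(ciphertext), b"\x00"))


def recover_reply(ct_out: bytes, ct_in: bytes, known_out: bytes) -> bytes:
    """Same key in both directions: ct_out ^ ct_in == p_out ^ p_in,
    so knowing one direction's plaintext exposes the other's."""
    return xor(xor(ct_out, ct_in), known_out)


def mac_tag(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Integrity tag over the ciphertext (encrypt-then-MAC)."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def mac_ok(mac_key: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Constant-time check; a flipped ciphertext bit fails this."""
    return hmac.compare_digest(mac_tag(mac_key, ciphertext), tag)
```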
