Firewall Wizards mailing list archives
RE: Proxy 2.0 secure?
From: "Stout, Bill" <StoutB () pios com>
Date: Thu, 18 Jun 1998 16:48:13 -0400
I have yet to see a _truly_ secure product from Microsoft. MSProxy2.0 is useful as an internal caching system, or a low-security gateway to the internet for very small networks.

MSProxy is based on IIS, in which many security vulnerabilities were found, such as issues of .cmd, .asp, ftp redirections, buffer overflows, long URLs, security not applied to files >8.3 characters, under stress scripts may run with system privs, etc.

MSProxy uses the MS TCP stack, which has had many frailties to IP attacks such as LAND, Ping of death, ping of death-2, smurf, teardrop, teardrop-2, WinNuke, and other variants.

WinSOCK is a major problem, as it exposes ports of internal systems to attacks from the outside.

MSProxy 1.0 was never a firewall. MSProxy 2.0 is a completely new product, and essentially is v1.0. For security/stability reasons it's wise to avoid v1.0 products at least until the patches come out (called service paks in politically correct lingo). MSProxy 1.0 has a multitude of security issues that 2.0 fixes though. I would submit there is a precedence of insecurity with the product, and wait for a good amount of experience to be built up before placing trust in it.

In 1986 I created the NTexploit list, much of the exploits new and shocking at the time, but not much research was needed to create it. It was a jumping point for many new NT security discoveries, and I noted quite an increase in discoveries of security flaws/fixes since then. A fanatically updated version of it is at http://www.ntsecurity.net/ . The point is that even when NTsecurity folk think that an installation is pretty well secured, some new thing is discovered which again shakes their confidence in the security of NT, until the next quiet period.

Recently mnemonix discovered that various applications can be renamed to \winnt\system32\logon.scr (the logon screen saver) which run either with file owner privs or 'system' privs. Applications such as usermanager can be used to add a user to local admin groups and then domain admin groups. That's an example of so simple a thing that should've been discovered long ago. (Research on the behaviour still being conducted).

PPTP is used as the VPN of MSProxy, and it has many security issues such as:

- Easily broken MS-CHAP (challenge/response)
- MPPE does not encrypt all PPP packets
- Session key is derived from the user's password, is not 40 or 128-bit strength
- Same key is used in both directions of the stream cipher
- You can flip bits in the RC4 cipher stream to attack tunneled protocols

See: http://www.counterpane.com/pptp.html or postings by Aleph One in NTBugtraq. PPTP is going away in NT5.0 anyway.

Too many firewalls are reviewed and judged as if they were desktop user products instead of security products, then given points for feature-bloat rather than penalized for opening too many holes. I place the blame directly on magazine reviewers and the managers who swear by them.

Bill Stout
----- Original Message -----
From: Gillian Steele [SMTP:gillian () spiceisle com]
Reply To: Gillian Steele [SMTP:gillian () spiceisle com]
Sent: Wednesday, June 17, 1998, 18:44:19
To: Stout, Bill
Subject: Re: Proxy 2.0 secure?

[To unsubscribe, send mail to majordomo () lists gnac net with "unsubscribe firewalls" in the body of the message.]

I can tell you that if you are using MSProxy2.0 as a firewall, which is also a domain member server, you are asking for exposure of your NT domain information, including users, groups, service accounts, etc.

So, if you're really worried about this, use MSP 2.0 on its own NT box and set up a one-way trust relationship between the NT domain and the box running MSP 2.0 and you're sitting pretty. You can set up a standalone box to do this for less than $3,500 (less than $2,500 if you go with the cheap PC running NT server).

I have heard of NO hackers getting past a properly configured MSP 2.0 server to access the internal LAN, whether MSP was running on its own box or otherwise. Have you?

Recent tests have shown that MSP 2.0 is just as effective a firewall as other NT-based (and other firewalls). As it's cheaper too and integrates very well with a LAN based on the NT domain model, it was and remains my first choice for NT-based LANs for small to medium-sized offices. Its lack of reporting tools makes it difficult for me to recommend it for use in large installations. Right now I'm using it with a 164-node LAN.

If you want the URL for those tests, please e-mail me (I have it stored on the PC in the office!).

Regards,
Brian
----- End Of Original Message -----
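
Two of the PPTP points in Bill Stout's message above (one key used in both directions of the stream cipher, and bit flipping in the RC4 stream) can be reproduced with textbook RC4. This is an added example, not part of the original posts: the key, messages and helper names are constructed, and the HMAC check at the end is an assumption showing what an integrity-protected design would catch, not something the message says PPTP/MPPE does.

```python
import hashlib
import hmac

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; encryption and decryption are the same XOR operation."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for b in data:                             # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample values, not taken from any real session.
KEY = b"constructed-key!"
CLIENT_MSG = b"GET /index.html HTTP/1.0"
SERVER_MSG = b"HTTP/1.0 200 OK\r\n\r\nhello"

def direction_reuse_leak() -> bytes:
    """Same key both ways: the keystream cancels, leaving plaintext XOR plaintext."""
    return xor(rc4(KEY, CLIENT_MSG), rc4(KEY, SERVER_MSG))

def flip_bit(ct: bytes, index: int, mask: int) -> bytes:
    """Model in-transit modification of one ciphertext byte."""
    out = bytearray(ct)
    out[index] ^= mask
    return bytes(out)

def seal(enc_key: bytes, mac_key: bytes, msg: bytes):
    """Encrypt-then-MAC: the tag covers the ciphertext (RC4 kept only for the demo)."""
    ct = rc4(enc_key, msg)
    return ct, hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, ct: bytes, tag: bytes):
    """Return the plaintext, or None when the ciphertext was modified."""
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return rc4(enc_key, ct)
```

Without the tag, the receiver decrypts a modified ciphertext to a modified plaintext and has no way to notice; with a separate MAC key and distinct keys per direction, both effects shown here disappear.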