RE: Proxy 2.0 secure?

["Grigorof, Adrian" <AGrigoro () mobility com>]

I haven't heard so far about networks hacked due vulnerabilities in MS
Proxy... but God, how many have been hacked due badly configured "real"
firewalls! I would like to hear about an attack through MS Proxy but I
am afraid I may not live enough... Disable all the services on the
external interface and show me how can one rename files, use User
Manager and so on - this is really ridiculous! 
MS TCP/IP stack as well as 99% of the TCP/IP stacks are vulnerable to
Denial of Service attacks - nothing new under the Sun.
I also constantly check www.ntsecurity.net - NOTHING that would help
someone attacking from the Internet a network secured with MS Proxy. Can
anyone remember when did CERT send any "warnings" about MS Proxy? 
WinSock major problem etc..  - can you give more details? Also what has
MS PPTP to do with MS Proxy? 

I agree to hammer MS when they screw up, they may be M$ (as oppossed to
the other guys that are in the business just for the pleasure) but hey,
be objective, it helps! Anyway, speaking of $ how much is Proxy and how
much is let's say Eagle Firewall? I can tell you: MS Proxy ~ 1,000$,
Eagle ~ 15,000$. 

Adrian Grigorof


> -----Original Message-----
> From: Stout, Bill [SMTP:StoutB () pios com]
> Sent: Thursday, June 18, 1998 4:48 PM
> To:   Firewall-wizards
> Subject:      RE: Proxy 2.0 secure?
>
> I have yet to see a _truely_ secure product from Microsoft.
> MSProxy2.0
> is useful as an internal caching system, or a low-security gateway to
> the internet for very small networks.
>
> MSProxy is based on IIS, in which many security vulnerabilities were
> found, such as issues of .cmd, .asp., ftp redirections, buffer
> overflows, long URLs, security not applied to files >8.3 characters,
> under stress scripts may run with system privs, etc.
>
> MSProxy uses the MS TCP stack, which has had many frailties to IP
> attacks such as LAND, Ping of death, ping of death-2, smurf, teardrop,
> teardrop-2, WinNuke, and other variants.
>
> WinSOCK is a major problem, as it exposes ports of internal systems to
> attacks from the outside.
>
> MSProxy 1.0 was never a firewall.  MSProxy 2.0 is a completely new
> product, and essentially is v1.0.  For security/stability reasons it's
> wise to avoid v1.0 products at least until the patches come out
> (called
> service paks in politically correct lingo).  MSProxy 1.0 has a
> multitude
> of security issues that 2.0 fixes though.  I would submit there is a
> precedence of insecurity with the product, and wait for a good amount
> of
> experience to be built up before placing trust in it.
>
> In 1986 I created the NTexploit list, much of the exploits new and
> shocking at the time, but not much research was needed to create it.
> It
> was a jumping point for many new NT security discoveries, and I noted
> quite an increase in discoveries of security flaws/fixes since then.
> A
> fanatically updated version of it is at http:/www.ntsecurity.net/ .
> The
> point is that even when NTsecurity folk think that an installation is
> pretty well secured, some new thing is discovered which again shakes
> their confidence in the security of NT, until the next quiet period.
>
> Recently mnemonix discovered that various applications can be renamed
> to
> \winnt\system32\logon.scr (the logon screen saver) which run either
> with
> file owner privs or 'system' privs.  Applications such as usermanager
> can be used to add a user to local admin groups and then domain admin
> groups.  That's an example of so simple a thing that should've been
> discovered long ago.  (Research on the behaviour still being
> conducted).
>
> PPTP is used as the VPN of MSProxy, and it has many security issues
> such
> as;
>       Easily broken MS-CHAP (challenge/response)
>       MPPE does not encrypted all PPP packets
>       Session key is derived from the users password, is not 40 or
> 128-bit strength
>       Same key is used in both directions of the stream cipher
>       You can flip bits in the RC4 cipher stream to attack tunneled
> protocols
> See: http://www.counterpane.com/pptp.html or postings by Aleph One in
> NTBugtraq.  PPTP is going away in NT5.0 anyway.
>
> Too many firewalls are reviewed and judged as if they were desktop
> user
> products instead of security products, then given points for
> feature-bloat rather than penalized for opening too many holes.  I
> place
> the blame directly on magazine reviewers and the managers who swear by
> them.
>
> Bill Stout
>
> > ----- Original Message -----
> > From:       Gillian Steele [SMTP:gillian () spiceisle com]
> > Reply To:   Gillian Steele [SMTP:gillian () spiceisle com]
> > Sent:       Wednesday, June 17, 1998, 18:44:19
> > To: Stout, Bill
> > Subject:    Re: Proxy 2.0 secure?
> >
> > [To unsubscribe, send mail to majordomo () lists gnac net with
> > "unsubscribe firewalls" in the body of the message.]
> > -
> > > I can tell you that if you are using MSProxy2.0 as a firewall,
> which
> is
> > also
> > > a domain member server, you are asking for exposure of your NT
> domain
> > > information, including users, groups, service accounts, etc.
> >
> > So, if you're really worried about this, use MSP 2.0 on its own NT
> box
> and
> > set up a one-way trust relationship between the NT domain and the
> box
> > running MSP 2.0 and you're sitting pretty.  You can set up a
> standalone box
> > to do this for less than $3,500 (less than $2,500 if you go with the
> cheap
> > PC running NT server).
> >
> > I have heard of NO hackers getting past a properly configured MSP
> 2.0 
> > server
> > to access the internal LAN, whether MSP was running on its own box
> or
> > otherwise.  Have you?
> >
> > Recent tests have shown that MSP 2.0 is just as effective a firewall
> as
> > other NT-based (and other firewalls).  As it's cheaper too and
> integrates
> > very well with a LAN based on the NT domain model, it was and
> remains
> my
> > first choice for NT-based LANs for small to medium-sized offices.
> It's 
> > lack
> > of reporting tools makes it difficult for me to recommend it for use
> in
> > large installations.  Right now I'm using it with a 164-node LAN.
> >
> > If you want the URL for those tests, please e-mail me (I have it
> stored on
> > the PC in the office!).
> >
> > Regards,
> > Brian
> > ----- End Of Original Message -----