Firewall Wizards mailing list archives
RE: Proxy 2.0 secure?
From: "Grigorof, Adrian" <AGrigoro () mobility com>
Date: Wed, 24 Jun 1998 11:50:10 -0400
I haven't heard so far about networks hacked due to vulnerabilities in MS Proxy... but God, how many have been hacked due to badly configured "real" firewalls! I would like to hear about an attack through MS Proxy but I am afraid I may not live long enough...

Disable all the services on the external interface and show me how one can rename files, use User Manager and so on - this is really ridiculous! MS TCP/IP stack as well as 99% of the TCP/IP stacks are vulnerable to Denial of Service attacks - nothing new under the Sun.

I also constantly check www.ntsecurity.net - NOTHING that would help someone attacking from the Internet a network secured with MS Proxy. Can anyone remember when CERT sent any "warnings" about MS Proxy? WinSock major problem etc. - can you give more details? Also what has MS PPTP to do with MS Proxy?

I agree to hammer MS when they screw up, they may be M$ (as opposed to the other guys that are in the business just for the pleasure) but hey, be objective, it helps! Anyway, speaking of $ how much is Proxy and how much is let's say Eagle Firewall? I can tell you: MS Proxy ~ 1,000$, Eagle ~ 15,000$.

Adrian Grigorof

-----Original Message-----
From: Stout, Bill [SMTP:StoutB () pios com]
Sent: Thursday, June 18, 1998 4:48 PM
To: Firewall-wizards
Subject: RE: Proxy 2.0 secure?

I have yet to see a _truly_ secure product from Microsoft. MSProxy2.0 is useful as an internal caching system, or a low-security gateway to the internet for very small networks.

MSProxy is based on IIS, in which many security vulnerabilities were found, such as issues of .cmd, .asp, ftp redirections, buffer overflows, long URLs, security not applied to files >8.3 characters, under stress scripts may run with system privs, etc.

MSProxy uses the MS TCP stack, which has had many frailties to IP attacks such as LAND, Ping of death, ping of death-2, smurf, teardrop, teardrop-2, WinNuke, and other variants.

WinSOCK is a major problem, as it exposes ports of internal systems to attacks from the outside.

MSProxy 1.0 was never a firewall. MSProxy 2.0 is a completely new product, and essentially is v1.0. For security/stability reasons it's wise to avoid v1.0 products at least until the patches come out (called service packs in politically correct lingo). MSProxy 1.0 has a multitude of security issues that 2.0 fixes though. I would submit there is a precedence of insecurity with the product, and wait for a good amount of experience to be built up before placing trust in it.

In 1986 I created the NTexploit list, much of the exploits new and shocking at the time, but not much research was needed to create it. It was a jumping point for many new NT security discoveries, and I noted quite an increase in discoveries of security flaws/fixes since then. A fanatically updated version of it is at http:/www.ntsecurity.net/ . The point is that even when NTsecurity folk think that an installation is pretty well secured, some new thing is discovered which again shakes their confidence in the security of NT, until the next quiet period.

Recently mnemonix discovered that various applications can be renamed to \winnt\system32\logon.scr (the logon screen saver) which run either with file owner privs or 'system' privs. Applications such as usermanager can be used to add a user to local admin groups and then domain admin groups. That's an example of so simple a thing that should've been discovered long ago. (Research on the behaviour still being conducted).

PPTP is used as the VPN of MSProxy, and it has many security issues such as:

- Easily broken MS-CHAP (challenge/response)
- MPPE does not encrypt all PPP packets
- Session key is derived from the user's password, is not 40 or 128-bit strength
- Same key is used in both directions of the stream cipher
- You can flip bits in the RC4 cipher stream to attack tunneled protocols

See: http://www.counterpane.com/pptp.html or postings by Aleph One in NTBugtraq. PPTP is going away in NT5.0 anyway.

Too many firewalls are reviewed and judged as if they were desktop user products instead of security products, then given points for feature-bloat rather than penalized for opening too many holes. I place the blame directly on magazine reviewers and the managers who swear by them.

Bill Stout

----- Original Message -----
From: Gillian Steele [SMTP:gillian () spiceisle com]
Reply To: Gillian Steele [SMTP:gillian () spiceisle com]
Sent: Wednesday, June 17, 1998, 18:44:19
To: Stout, Bill
Subject: Re: Proxy 2.0 secure?

[To unsubscribe, send mail to majordomo () lists gnac net with "unsubscribe firewalls" in the body of the message.]

I can tell you that if you are using MSProxy2.0 as a firewall, which is also a domain member server, you are asking for exposure of your NT domain information, including users, groups, service accounts, etc. So, if you're really worried about this, use MSP 2.0 on its own NT box and set up a one-way trust relationship between the NT domain and the box running MSP 2.0 and you're sitting pretty.
You can set up a standalone box to do this for less than $3,500 (less than $2,500 if you go with the cheap PC running NT server).

I have heard of NO hackers getting past a properly configured MSP 2.0 server to access the internal LAN, whether MSP was running on its own box or otherwise. Have you?

Recent tests have shown that MSP 2.0 is just as effective a firewall as other NT-based (and other firewalls). As it's cheaper too and integrates very well with a LAN based on the NT domain model, it was and remains my first choice for NT-based LANs for small to medium-sized offices. Its lack of reporting tools makes it difficult for me to recommend it for use in large installations. Right now I'm using it with a 164-node LAN.

If you want the URL for those tests, please e-mail me (I have it stored on the PC in the office!).

Regards,
Brian

----- End Of Original Message -----
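
Two of the PPTP items listed in the quoted message above (the same key used in both directions of the stream cipher, and bits that can be flipped in the RC4 stream) are illustrated below. This is an added example, not part of the original thread and not MPPE's actual packet framing: it uses plain RC4 over constructed messages, and the key, the sample messages and the HMAC-based per-direction keys and integrity check are assumptions chosen to show the failure beside one way of closing it.

```python
import hashlib
import hmac

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; encryption and decryption are the same XOR operation."""
    S, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for byte in data:                          # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample values, not taken from any real PPTP session.
SESSION_KEY = b"constructed-session-key"
TO_SERVER = b"GET /payroll/june.txt"
TO_CLIENT = b"200 OK salary=0041000"

def shared_key_leak() -> bytes:
    """Same key both ways: XOR of the ciphertexts equals XOR of the plaintexts."""
    return xor(rc4(SESSION_KEY, TO_SERVER), rc4(SESSION_KEY, TO_CLIENT))

def direction_key(label: bytes) -> bytes:
    """Mitigation sketch (assumption): derive an independent key per direction."""
    return hmac.new(SESSION_KEY, label, hashlib.sha256).digest()

def separate_key_xor() -> bytes:
    return xor(rc4(direction_key(b"c2s"), TO_SERVER),
               rc4(direction_key(b"s2c"), TO_CLIENT))

def flipped_bits_accepted() -> bytes:
    """No integrity check: a ciphertext edit passes straight through decryption."""
    ct = bytearray(rc4(SESSION_KEY, TO_CLIENT))
    ct[-7] ^= ord("0") ^ ord("9")              # alter one known plaintext byte
    return rc4(SESSION_KEY, bytes(ct))

def mac_detects_edit() -> bool:
    """Mitigation: a MAC over the ciphertext rejects the edited packet."""
    ct = rc4(SESSION_KEY, TO_CLIENT)
    mac = lambda m: hmac.new(direction_key(b"mac"), m, hashlib.sha256).digest()
    return not hmac.compare_digest(mac(ct), mac(bytes([ct[0] ^ 1]) + ct[1:]))
```

With the shared key the keystream cancels out of the two ciphertexts entirely; with per-direction keys it does not, and a MAC over the ciphertext is what turns the silent edit into a rejected packet.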