Firewall Wizards mailing list archives
Re: Proxy 2.0 secure?
From: "Gillian Steele" <gillian () spiceisle com>
Date: Wed, 24 Jun 1998 19:21:42 -0400
Bill, please have a look at: http://www.data.com/lab_tests/ntfirewalls.html
I have yet to see a _truely_ secure product from Microsoft.
I have yet to see a _truely_ secure product from ANY software company. Read the information on the previous tests done on supposedly "secure" UNIX-based firewalls. I quote: "Past tests, including those of Unix products, turned up dozens of flaws.."
MSProxy2.0 is useful as an internal caching system, or a low-security
gateway to
the internet for very small networks.
In your opinion. The tests on the above-mentioned web site show otherwise. In fact, MSP 2.0 excels at a number of operations, including NAT, for which it turned out to be the fastest of the NT applications tested.
MSProxy is based on IIS, in which many security vulnerabilities were found, such as issues of .cmd, .asp., ftp redirections, buffer overflows, long URLs, security not applied to files >8.3 characters, under stress scripts may run with system privs, etc.
The emphasis there is on "security vulnerabilities WERE found..". All vulnerabilities thet you've referred to have been fixed (and they're faults with IIS, not MSP 2.0, so I fail to see the connection). MSP 2.0 has been out for at least 6 months - perhaps it's too soon to tell, but I have yet to hear of ANY discovered vulnerabilities with this product. Again, have a look at the URL above. I quote: "We bombarded seven top-selling NT firewalls with nearly 300 forms of attackwithout finding any significant security loopholes." MSP 2.0 was one of the products tested during the exercise.
MSProxy uses the MS TCP stack, which has had many frailties to IP attacks such as LAND, Ping of death, ping of death-2, smurf, teardrop, teardrop-2, WinNuke, and other variants.
(1) All fixed (2) MSP 2.0 was recommended to me by MS to secure my NT server AGAINST the attacks mentioned above, before MS released the hotfixes for them.
WinSOCK is a major problem, as it exposes ports of internal systems to attacks from the outside.
See comment above. See quote below: "Fortunately these firewalls' installation routines take steps to secure Windows NT, such as replacing the default adapter driver with a packet driver stripped of unnecessary services. "
PPTP is used as the VPN of MSProxy, and it has many security issues such as; Easily broken MS-CHAP (challenge/response) MPPE does not encrypted all PPP packets Session key is derived from the users password, is not 40 or 128-bit strength Same key is used in both directions of the stream cipher You can flip bits in the RC4 cipher stream to attack tunneled protocols
MS's PPTP implementation has been updated - see the MS site. Note that there has been NOT ONE reported instance of someone 'cracking' MS' implementation of PPTP, either the old version or newer more secure version.
Too many firewalls are reviewed and judged as if they were desktop user products instead of security products, then given points for feature-bloat rather than penalized for opening too many holes. I place the blame directly on magazine reviewers and the managers who swear by them.
Personally, I'm willing to put my faith in those magazines that actually do real-world testing, to back up their claims, and the claims of Data Communications about the "soundness" of the NT-based Firewalls, including MSP 2.0 seem sound enough to me. Regads, Brian Steele
Current thread:
- RE: Proxy 2.0 secure? Stout, Bill (Jun 23)
- RE: Proxy 2.0 secure? Aleph One (Jun 24)
- <Possible follow-ups>
- RE: Proxy 2.0 secure? Grigorof, Adrian (Jun 24)
- Re: Proxy 2.0 secure? Gillian Steele (Jun 24)
- Re: Proxy 2.0 secure? tqbf (Jun 25)
- Re: Proxy 2.0 secure? Vanja Hrustic (Jun 25)
- Re: Proxy 2.0 secure? Kjell Wooding (Jun 25)
- Re: Proxy 2.0 secure? tqbf (Jun 26)
- Re: Proxy 2.0 secure? Ted Doty (Jun 25)
- Re: Proxy 2.0 secure? Mark Horn [ Net Ops ] (Jun 25)
- RE: Proxy 2.0 secure? Vanja Hrustic (Jun 25)
- RE: Proxy 2.0 secure? ark (Jun 25)
- RE: Proxy 2.0 secure? Stout, Bill (Jun 25)
- Re: Proxy 2.0 secure? Brian Steele (Jun 25)