Firewall Wizards mailing list archives

RE: FW-1, HTTP access and strength of IIS security


From: "Thomas Crowe" <thomas.crowe () bellsouth net>
Date: Tue, 7 Sep 1999 15:09:40 -0400

Scott;

It's obvious that you're serious about protecting your site and the information
contained therein.  Locking down the access to that box to only allow port
443 is a great FIRST step.  Be very aware, however, that IIS does have a known
buffer overflow that can be easily exploited.  I know it works on port 80; I
do not know if it has been tried on port 443.  The overflow is contained in a
.dll that handles .htr files, I believe.  As long as you're not supporting
.htr files (I think they are used for changing SAM-stored passwords through
IIS) you should be safe from that exploit.

I would like to throw out a few other things to consider.  Are ALL boxes
behind the firewall locked down in the same manner, i.e. your DNS server, your
mail server, etc.?  If one of these machines is compromised then an intruder
has free access to your NT machine and your firewall will never see it.  Is
your firewall fully locked down?  If on Unix, is it only running the minimum
daemons; on NT, are ALL hot fixes applied and the service pack up to date?
Also, are all services shut down except what is REALLY needed?  Is your
firewall configured as a member server in a domain or by itself?  I wouldn't
EVER put a firewall in the domain; compromising one system in the domain opens
up ALL machines in the domain.  Just thought that I would add my $0.02, hope
it helps.

Thomas Crowe
Production Network Systems Administrator
BellSouth Online

-----Original Message-----
From: owner-firewall-wizards () lists nfr net
[mailto:owner-firewall-wizards () lists nfr net] On Behalf Of Briercheck, Scott
Sent: Sunday, September 05, 1999 4:29 PM
To: 'firewall-wizards () nfr net'
Subject: FW-1, HTTP access and strength of IIS security


I'm hoping to get a little advice.  I'm setting up an IIS 4.0 website that
has code to manage its own logins and user state (it doesn't just rely on NT
directory security - you can have a "web" account on the site without having
an NT account on the machine).  The "web" account IDs and passwords are
stored in a SQL 7.0 database that will also be behind the firewall.

In front of the web site I'm planning on putting FW-1 running on Solaris.
The firewall will only allow SHTTP to the IIS web server on port 443.  I
expect that it should look no different to the web user than before I put
the firewall up.  Other than SHTTP, nothing else will be allowed through.

My first question is this:  Is IIS + FW-1 sufficient security for sensitive
information?  I've been told by various security consultants that it is, but
I'm starting to have reservations.  I know that nothing can guarantee
against a break-in, but is this a good choice - can I feel reasonably
confident relying on the Firewall plus the IIS-supported login to be my
primary mode of security (assuming MY code is good....is IIS 4.0 good
enough)?  I worry about buffer overflow attacks, and other types of hacks,
since I will be allowing SHTTP through the firewall and right to the
website.  This means that I need to rely on IIS being robust enough.

My second question is a follow-up to the first:  Can I enhance the security
by having the users be forced to log into FW-1 at the firewall before
granting access to the website?  The FW consultants and I discussed the idea
of putting a RADIUS server (from Livingston software) into the security
package.  The RADIUS server would authenticate users at the Firewall (using
their login ID stored inside the SQL 7.0 database).  With this setup, not
even SHTTP would be allowed past FW-1 unless the user first authenticates at
the Firewall to gain a connection.

The problem is that I'm being told this "firewall" login would have to be
done in HTTP (plain text), and not SHTTP.  I had hoped to have a single
login for the users, but I do not want them sending their password in plain
text.  This means that I would need to add a one-time password scheme
(SecurID card).  If they successfully log into the firewall, then they
have a second login at the IIS login screen to actually access the website.

The third question is:  Has anyone implemented this type of "firewall"
login using a RADIUS server (or something similar)?  Is there something out
there that supports HTTPS for the firewall login?  I would really rather not
implement a SecurID card if I don't have to, as we will be dealing with
many distributed users, so card management will be a pain.

Thoughts or comments are appreciated.

Thanks,

Scott

brierchecks () msx upmc edu
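Scott's second question has the firewall hand each login to a RADIUS server. The exchange that actually crosses the wire between the two is specified in RFC 2865: the firewall (as RADIUS client) sends an Access-Request carrying User-Name and a User-Password attribute hidden with MD5 keyed on the shared secret, and the server answers Access-Accept or Access-Reject with a Response Authenticator the client must check. The script below is an added example written for this page; it is not code from either poster, from Livingston's server or from FW-1. The shared secret, user name, password and the fixed Request Authenticator are constructed test values. Note what it does and does not protect: the password hiding covers only the firewall-to-RADIUS hop, so it says nothing about the browser-to-firewall HTTP login that Scott is worried about being in plain text.

```python
"""Minimal RFC 2865 RADIUS client/server exchange (example code, not FW-1's or
Livingston's implementation). Shows the User-Password hiding algorithm, the
Access-Request layout and Response Authenticator verification."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                # attribute types


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a multiple of 16, then XOR each 16-byte block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, run by the server; strips the NUL padding."""
    if len(hidden) % 16 or not hidden:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    # Each attribute is Type(1) Length(1, includes the 2 header bytes) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes = None) -> bytes:
    """Firewall side: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable in practice
    attrs = encode_attrs([(ATTR_USER_NAME, username),
                          (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def server_handle(packet: bytes, secret: bytes, user_db: dict) -> bytes:
    """RADIUS server side: recover the password, compare it against the stored one
    (the SQL-backed table in Scott's design) and answer Accept or Reject."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = dict(parse_attrs(packet[20:length]))
    user, hidden = attrs.get(ATTR_USER_NAME), attrs.get(ATTR_USER_PASSWORD)
    stored = user_db.get(user)
    ok = (stored is not None and hidden is not None
          and hmac.compare_digest(reveal_password(hidden, secret, req_auth), stored))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def client_check_response(response: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Firewall side: accept only an Access-Accept whose authenticator was computed
    with the shared secret, so a forged reply on the RADIUS hop is not trusted."""
    code, _ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20]) and code == ACCESS_ACCEPT


if __name__ == "__main__":
    SECRET, AUTH = b"s3cret-shared-key", bytes(range(16))          # constructed values
    request = build_access_request(7, b"scott", b"hunter2", SECRET, AUTH)
    reply = server_handle(request, SECRET, {b"scott": b"hunter2"})  # constructed user DB
    print("accepted" if client_check_response(reply, AUTH, SECRET) else "rejected")
```

The `hmac.compare_digest` calls avoid timing differences in the password and authenticator comparisons, and `os.urandom` for the Request Authenticator matters because the password keystream is seeded from it: a predictable or reused authenticator with the same secret lets an observer of the RADIUS hop recover passwords by XOR.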
