Proxy 2.0 secure?

Gillian Steele gillian@spiceisle.com
Wed, 24 Jun 1998 19:21:42 -0400


Bill, please have a look at:

        http://www.data.com/lab_tests/ntfirewalls.html


>I have yet to see a _truely_ secure product from Microsoft.

I have yet to see a _truely_ secure product from ANY software company. Read
the information on the previous tests done on supposedly "secure" UNIX-based
firewalls.  I quote:

    "Past tests, including those of Unix products, turned up dozens of
flaws.."


>MSProxy2.0 is useful as an internal caching system, or a low-security
gateway to
>the internet for very small networks.


In your opinion.  The tests on the above-mentioned web site show otherwise.
In fact, MSP 2.0 excels at a number of operations, including NAT, for which
it turned out to be the fastest of the NT applications tested.


>MSProxy is based on IIS, in which many security vulnerabilities were
>found, such as issues of .cmd, .asp., ftp redirections, buffer
>overflows, long URLs, security not applied to files >8.3 characters,
>under stress scripts may run with system privs, etc.

The emphasis there is on "security vulnerabilities WERE found..".

All vulnerabilities thet you've referred to have been fixed (and they're
faults with IIS, not MSP 2.0, so I fail to see the connection). MSP 2.0 has
been out for at least 6 months - perhaps it's too soon to tell, but I have
yet to hear of ANY discovered vulnerabilities with this product.  Again,
have a look at the URL above.  I quote:

    "We bombarded seven top-selling NT firewalls with nearly
     300 forms of attackówithout finding any significant security
     loopholes."

MSP 2.0 was one of the products tested during the exercise.


>MSProxy uses the MS TCP stack, which has had many frailties to IP
>attacks such as LAND, Ping of death, ping of death-2, smurf, teardrop,
>teardrop-2, WinNuke, and other variants.


    (1) All fixed
    (2) MSP 2.0 was recommended to me by MS to secure my NT server
         AGAINST the attacks mentioned above, before MS released the
         hotfixes for them.



>WinSOCK is a major problem, as it exposes ports of internal systems to
>attacks from the outside.


See comment above.  See quote below:

    "Fortunately these firewalls' installation routines take steps to
     secure Windows NT, such as replacing the default adapter
     driver with a packet driver stripped of unnecessary services. "



>PPTP is used as the VPN of MSProxy,
>and it has many security issues such
>
>as;
>Easily broken MS-CHAP (challenge/response)
>MPPE does not encrypted all PPP packets
>Session key is derived from the users password, is not 40 or
>128-bit strength
>Same key is used in both directions of the stream cipher
>You can flip bits in the RC4 cipher stream to attack tunneled
>protocols


MS's PPTP implementation has been updated - see the MS site.  Note that
there has been NOT ONE reported instance of someone 'cracking' MS'
implementation of PPTP, either the old version or newer more secure version.


>Too many firewalls are reviewed and judged as if they were desktop user
>products instead of security products, then given points for
>feature-bloat rather than penalized for opening too many holes.  I place
>the blame directly on magazine reviewers and the managers who swear by
>them.

Personally, I'm willing to put my faith in those magazines that actually do
real-world testing, to back up their claims,   and the claims of Data
Communications about the "soundness" of  the NT-based Firewalls, including
MSP 2.0 seem sound enough to me.

Regads,
Brian Steele