Proxy 2.0 secure? (about ms protocol stack)
Thu, 25 Jun 1998 10:52:51 -0700
normally, i'll try to keep my mouth shut, but...
ms tcp/ip stack is substantially less mature than, say, unix' (both bsd
& s5, i don't know what else is there to compare...). ms stack seems
particularly vulnerable to faulty ip fragments, and various malformed
packets. we tried various ways to tighten up the nt box - take out
most of the ms net services, disable all tcp/ip ports except for a few
that are used, and the machine still chokes (even when the malformed
packet/packet fragments are addressed to ports that are disabled).
this isn't an issue of how resilient the protocol stack is, but an issue
of whether it can handle any unusual (but very much possible and maybe
even probable) contingents, as it must - i.e. whether it is functioning
at all as it is supposed to.
i notice similar problems afflicting linux boxes - not surprising,
since both have relatively newly written protocol stack, as compared to
bsd/s5 which had decades to sort out these little bugs. the
difference is that linux, with its open source, has these hacks looking
thru the source and pointing out the problems in public (as opposed to some
malicious hack keeping the info for his own purposes), and often pointing
out a fix/patch for the problem. with ms, you'll only find out if you
scour these hack sites, or if the problem comes and bites you. it'd
be nice if ms had a service (and i think it should be free, since we
paid for properly working software) to send out new patches ("hotfixes")
to their customers as soon as they become available (maybe there are.
if so, i'll be thankful if you send me the info on how to get the
service), but at any rate, their finding of bugs and their fixes will be
much slower compared to the open source packages that get reviewed by
millions. (maybe ms knows that its protocol stack doesn't stack up
(excuse the pun), so it's not in their interest to publicize in any way
all the bugs that are not sorted out).
i hear ms is buying a reliable, time-tested protocol stack source from a
third party for their nt 5 release, which should make things a bit better,
but until then, i wouldn't put any ms nt boxes exposed to the net if you
want them to stay up and be useful.
this whole babble applies, of course, if the ms proxy runs on nt, as i
assume it does. i haven't had any experience with ms proxy, to be
(here's a pot-shot: why don't nt problems get reported by CERT?
because... nevermind, i pissed off enough people for a lifetime's worth
From: Grigorof, Adrian
Sent: Wednesday, June 24, 1998 8:50 AM
Subject: RE: Proxy 2.0 secure?
I haven't heard so far about networks hacked due vulnerabilities
Proxy... but God, how many have been hacked due to badly configured
firewalls! I would like to hear about an attack through MS Proxy
am afraid I may not live enough... Disable all the services on
external interface and show me how one can rename files, use
Manager and so on - this is really ridiculous!
MS TCP/IP stack as well as 99% of the TCP/IP stacks are
Denial of Service attacks - nothing new under the Sun.
I also constantly check www.ntsecurity.net - NOTHING that would
someone attacking from the Internet a network secured with MS
anyone remember when CERT sent any "warnings" about MS
WinSock major problem etc.. - can you give more details? Also
MS PPTP to do with MS Proxy?
I agree to hammer MS when they screw up, they may be M$ (as
the other guys that are in the business just for the pleasure)
be objective, it helps! Anyway, speaking of $ how much is Proxy
much is let's say Eagle Firewall? I can tell you: MS Proxy ~
Eagle ~ 15,000$.
> -----Original Message-----
> From: Stout, Bill [SMTP:StoutB@pios.com]
> Sent: Thursday, June 18, 1998 4:48 PM
> To: Firewall-wizards
> Subject: RE: Proxy 2.0 secure?
> I have yet to see a _truly_ secure product from Microsoft.
> is useful as an internal caching system, or a low-security
> the internet for very small networks.
> MSProxy is based on IIS, in which many security
> found, such as issues of .cmd, .asp., ftp redirections, buffer
> overflows, long URLs, security not applied to files >8.3
> under stress scripts may run with system privs, etc.
> MSProxy uses the MS TCP stack, which has had many frailties to
> attacks such as LAND, Ping of death, ping of death-2, smurf,
> teardrop-2, WinNuke, and other variants.
> WinSOCK is a major problem, as it exposes ports of internal
> attacks from the outside.
> MSProxy 1.0 was never a firewall. MSProxy 2.0 is a completely
> product, and essentially is v1.0. For security/stability
> wise to avoid v1.0 products at least until the patches come
> service packs in politically correct lingo). MSProxy 1.0 has a
> of security issues that 2.0 fixes though. I would submit
> there is a
> precedence of insecurity with the product, and wait for a good
> experience to be built up before placing trust in it.
> In 1986 I created the NTexploit list, much of the exploits new
> shocking at the time, but not much research was needed to
> was a jumping point for many new NT security discoveries, and
> quite an increase in discoveries of security flaws/fixes since
> fanatically updated version of it is at
> point is that even when NTsecurity folk think that an
> pretty well secured, some new thing is discovered which again
> their confidence in the security of NT, until the next quiet
> Recently mnemonix discovered that various applications can be
> \winnt\system32\logon.scr (the logon screen saver) which run
> file owner privs or 'system' privs. Applications such as
> can be used to add a user to local admin groups and then
> groups. That's an example of so simple a thing that should've
> discovered long ago. (Research on the behaviour still being
> PPTP is used as the VPN of MSProxy, and it has many security
> Easily broken MS-CHAP (challenge/response)
> MPPE does not encrypt all PPP packets
> Session key is derived from the user's password, is not
> 128-bit strength
> Same key is used in both directions of the stream cipher
> You can flip bits in the RC4 cipher stream to attack
> See: http://www.counterpane.com/pptp.html or postings by Aleph
> NTBugtraq. PPTP is going away in NT5.0 anyway.
> Too many firewalls are reviewed and judged as if they were
> products instead of security products, then given points for
> feature-bloat rather than penalized for opening too many
> the blame directly on magazine reviewers and the managers who
> Bill Stout
> > ----- Original Message -----
> > From: Gillian Steele [SMTP:firstname.lastname@example.org]
> > Reply To: Gillian Steele [SMTP:email@example.com]
> > Sent: Wednesday, June 17, 1998, 18:44:19
> > To: Stout, Bill
> > Subject: Re: Proxy 2.0 secure?
> > [To unsubscribe, send mail to firstname.lastname@example.org with
> > "unsubscribe firewalls" in the body of the message.]
> > -
> > >I can tell you that if you are using MSProxy2.0 as a
> > also
> > >a domain member server, you are asking for exposure of your
> > >information, including users, groups, service accounts,
> > So, if you're really worried about this, use MSP 2.0 on its
> > set up a one-way trust relationship between the NT domain
> > running MSP 2.0 and you're sitting pretty. You can set up a
> > standalone box
> > to do this for less than $3,500 (less than $2,500 if you go
> > PC running NT server).
> > I have heard of NO hackers getting past a properly
> > server
> > to access the internal LAN, whether MSP was running on its
> > otherwise. Have you?
> > Recent tests have shown that MSP 2.0 is just as effective a
> > other NT-based (and other firewalls). As it's cheaper too
> > very well with a LAN based on the NT domain model, it was
> > first choice for NT-based LANs for small to medium-sized
> > lack
> > of reporting tools makes it difficult for me to recommend it
> > large installations. Right now I'm using it with a 164-node
> > If you want the URL for those tests, please e-mail me (I
> > stored on
> > the PC in the office!).
> > Regards,
> > Brian
> > ----- End Of Original Message -----
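The PPTP weaknesses Bill Stout lists (the same key used in both directions of the stream cipher, and no integrity check, so bits in the RC4 cipher stream can be flipped without the receiver noticing) come down to two design errors that are easy to show in code. The following is a constructed Python example added to this archive page; it is not code from the thread, from MS Proxy or from PPTP/MPPE. The textbook RC4 routine, the direction labels, the master key and the sample messages are this example's own assumptions. The weak half reproduces the two properties from a defender's point of view (what a monitor sees, what the receiver fails to detect); the hardened half shows the standard fixes, per-direction keys and encrypt-then-MAC, so that any modification is rejected.

```python
"""Constructed example: one shared stream-cipher key in both directions and no
MAC (the PPTP/MPPE design the thread criticises) versus per-direction keys
plus encrypt-then-MAC. RC4 appears only because MPPE used it; it is not a
cipher to deploy today."""
import hashlib
import hmac
import os
from typing import Tuple


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 key scheduling + PRGA, returning `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- weak design as described in the thread: one key both ways, no MAC -------

def weak_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR with the keystream; decryption is the identical operation."""
    return xor_bytes(plaintext, rc4_keystream(key, len(plaintext)))


weak_decrypt = weak_encrypt


def keystream_reuse_leaks(key: bytes, p_c2s: bytes, p_s2c: bytes) -> bool:
    """Same keystream in both directions: XOR of the two ciphertexts equals XOR
    of the two plaintexts, i.e. a passive observer learns that without the key."""
    c1 = weak_encrypt(key, p_c2s)
    c2 = weak_encrypt(key, p_s2c)
    return xor_bytes(c1, c2) == xor_bytes(p_c2s, p_s2c)


def bit_flip_goes_unnoticed(key: bytes, plaintext: bytes, pos: int, mask: int) -> bytes:
    """Flip bits in one ciphertext byte in transit; the receiver decrypts a
    changed plaintext with no error because nothing authenticates the ciphertext."""
    ct = bytearray(weak_encrypt(key, plaintext))
    ct[pos] ^= mask
    return weak_decrypt(key, bytes(ct))


# --- hardened design: per-direction keys + encrypt-then-MAC ------------------

def derive_keys(master: bytes, direction: str) -> Tuple[bytes, bytes]:
    """Distinct encryption and MAC keys per direction (the labels are this
    example's own convention, not anything from PPTP/MPPE)."""
    enc = hmac.new(master, b"enc|" + direction.encode(), hashlib.sha256).digest()
    mac = hmac.new(master, b"mac|" + direction.encode(), hashlib.sha256).digest()
    return enc, mac


def seal(master: bytes, direction: str, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC-SHA256(direction || nonce || ciphertext)."""
    enc_key, mac_key = derive_keys(master, direction)
    nonce = os.urandom(16)
    # Per-message key via HMAC (not key||nonce concatenation) so the keystream
    # never repeats and no related-key structure is exposed.
    msg_key = hmac.new(enc_key, nonce, hashlib.sha256).digest()
    ct = xor_bytes(plaintext, rc4_keystream(msg_key, len(plaintext)))
    tag = hmac.new(mac_key, direction.encode() + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(master: bytes, direction: str, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject any modified or misdirected blob."""
    enc_key, mac_key = derive_keys(master, direction)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(mac_key, direction.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed: message was modified or misdirected")
    msg_key = hmac.new(enc_key, nonce, hashlib.sha256).digest()
    return xor_bytes(ct, rc4_keystream(msg_key, len(ct)))


def tamper_is_detected(master: bytes, plaintext: bytes, pos: int, mask: int) -> bool:
    """Same bit flip as above against the hardened format: it must be rejected."""
    blob = bytearray(seal(master, "client->server", plaintext))
    blob[16 + pos] ^= mask
    try:
        open_sealed(master, "client->server", bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = b"shared-session-key"  # constructed demo key
    print("keystream reuse leaks p1^p2:", keystream_reuse_leaks(key, b"GET /account", b"HTTP/1.0 200"))
    print("weak receiver decrypts:", bit_flip_goes_unnoticed(key, b"transfer amount=0100", 17, 0x08))
    print("hardened receiver rejects flip:", tamper_is_detected(b"master-secret", b"transfer amount=0100", 17, 0x08))
```

The weak functions only show what the message's bullet points mean: with one keystream in both directions the XOR of the two ciphertexts is the XOR of the two plaintexts, and a flipped ciphertext byte becomes a flipped plaintext byte that the receiver accepts silently. The fix is not a stronger stream cipher but a MAC checked before decryption and keys that differ per direction and per message; the tag also binds the direction label, so a server-to-client message replayed toward the server fails the check.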