Proxy 2.0 secure? (about ms protocol stack)

Choi, Byoung bchoi@visa.com
Thu, 25 Jun 1998 10:52:51 -0700


normally, i'll try to keep my mouth shut, but...

ms tcp/ip stack is substantially less mature than, say, unix' (both bsd
& s5, i don't know what else is there to compare...).  ms stack seems
particularly vulnerable to faulty ip fragments, and various malformed
packets.  we tried various ways to tighten up the nt box - take out
most of the ms net services, disable all tcp/ip ports except for a few
that are used, and the machine still chokes (even when the malformed
packet/packet fragments are addressed to ports that are disabled).
this isn't an issue of how resilient the protocol stack is, but an issue
of whether it can handle any unusual (but very much possible and maybe
even probable) contingents, as it must - i.e. whether it is functioning
at all as it is supposed to.

i notice a similar problem afflicting linux boxes - not surprising,
since both have relatively newly written protocol stacks, as compared to
bsd/s5 which had decades to sort out these little bugs.  the
difference is that linux, with its open source, has these hacks looking
thru the source and pointing out the problems in public (as opposed to some
malicious hack keeping the info for his own purposes), and often pointing
out a fix/patch for the problem.  with ms, you'll only find out if you
scour these hack sites, or if the problem comes and bites you.  it'll
be nice if ms has a service (and i think it should be free, since we
paid for properly working software) to send out new patches ("hotfixes")
to their customers as soon as they become available (maybe there is one.
if so, i'll be thankful if you send me the info on how to get the
service), but at any rate, their finding of bugs and their fixes will be
much slower compared to the open source packages that get reviewed by
millions.  (maybe ms knows that its protocol stack doesn't stack up
(excuse the pun), so it's not in their interest to publicize in any way
all the bugs that are not sorted out).

i hear ms is buying a reliable, time-tested protocol stack source from a
third party for their nt 5 release, which should make things a bit better,
but until then, i wouldn't put any ms nt boxes exposed to the net if you
want them to stay up and be useful.

this whole babble applies, of course, if the ms proxy runs on nt, as i
assume it does.  i haven't had any experience with ms proxy, to be
honest...

b-

(here's a pot-shot:  why don't nt problems get reported by CERT?
because... never mind, i've pissed off enough people for a lifetime's worth
already... ;-)

	----------
	From:  Grigorof, Adrian
	Sent:  Wednesday, June 24, 1998 8:50 AM
	To:  Firewall-wizards
	Subject:  RE: Proxy 2.0 secure?

	I haven't heard so far about networks hacked due to vulnerabilities in MS
	Proxy... but God, how many have been hacked due to badly configured "real"
	firewalls! I would like to hear about an attack through MS Proxy but I
	am afraid I may not live enough... Disable all the services on the
	external interface and show me how one can rename files, use User
	Manager and so on - this is really ridiculous!
	MS TCP/IP stack as well as 99% of the TCP/IP stacks are vulnerable to
	Denial of Service attacks - nothing new under the Sun.
	I also constantly check www.ntsecurity.net - NOTHING that would help
	someone attacking from the Internet a network secured with MS Proxy. Can
	anyone remember when CERT sent any "warnings" about MS Proxy?
	WinSock major problem etc.. - can you give more details? Also what has
	MS PPTP to do with MS Proxy?

	I agree to hammer MS when they screw up, they may be M$ (as opposed to
	the other guys that are in the business just for the pleasure) but hey,
	be objective, it helps! Anyway, speaking of $ how much is Proxy and how
	much is let's say Eagle Firewall? I can tell you: MS Proxy ~ 1,000$,
	Eagle ~ 15,000$.

	Adrian Grigorof


	> -----Original Message-----
	> From:	Stout, Bill [SMTP:StoutB@pios.com]
	> Sent:	Thursday, June 18, 1998 4:48 PM
	> To:	Firewall-wizards
	> Subject:	RE: Proxy 2.0 secure?
	> 
	> I have yet to see a _truly_ secure product from Microsoft.  MSProxy2.0
	> is useful as an internal caching system, or a low-security gateway to
	> the internet for very small networks.
	> 
	> MSProxy is based on IIS, in which many security vulnerabilities were
	> found, such as issues of .cmd, .asp., ftp redirections, buffer
	> overflows, long URLs, security not applied to files >8.3 characters,
	> under stress scripts may run with system privs, etc.
	> 
	> MSProxy uses the MS TCP stack, which has had many frailties to IP
	> attacks such as LAND, Ping of death, ping of death-2, smurf, teardrop,
	> teardrop-2, WinNuke, and other variants.
	> 
	> WinSOCK is a major problem, as it exposes ports of internal systems to
	> attacks from the outside.
	> 
	> MSProxy 1.0 was never a firewall.  MSProxy 2.0 is a completely new
	> product, and essentially is v1.0.  For security/stability reasons it's
	> wise to avoid v1.0 products at least until the patches come out (called
	> service paks in politically correct lingo).  MSProxy 1.0 has a multitude
	> of security issues that 2.0 fixes though.  I would submit there is a
	> precedent of insecurity with the product, and wait for a good amount of
	> experience to be built up before placing trust in it.
	> 
	> In 1986 I created the NTexploit list, many of the exploits new and
	> shocking at the time, but not much research was needed to create it.  It
	> was a jumping point for many new NT security discoveries, and I noted
	> quite an increase in discoveries of security flaws/fixes since then.  A
	> fanatically updated version of it is at http:/www.ntsecurity.net/ .  The
	> point is that even when NTsecurity folk think that an installation is
	> pretty well secured, some new thing is discovered which again shakes
	> their confidence in the security of NT, until the next quiet period.
	> 
	> Recently mnemonix discovered that various applications can be renamed to
	> \winnt\system32\logon.scr (the logon screen saver) which run either with
	> file owner privs or 'system' privs.  Applications such as usermanager
	> can be used to add a user to local admin groups and then domain admin
	> groups.  That's an example of so simple a thing that should've been
	> discovered long ago.  (Research on the behaviour still being conducted).
	> 
	> PPTP is used as the VPN of MSProxy, and it has many security issues such
	> as;
	> 	Easily broken MS-CHAP (challenge/response)
	> 	MPPE does not encrypt all PPP packets
	> 	Session key is derived from the user's password, is not 40 or
	> 	128-bit strength
	> 	Same key is used in both directions of the stream cipher
	> 	You can flip bits in the RC4 cipher stream to attack tunneled
	> 	protocols
	> See: http://www.counterpane.com/pptp.html or postings by Aleph One in
	> NTBugtraq.  PPTP is going away in NT5.0 anyway.
	> 
	> Too many firewalls are reviewed and judged as if they were desktop user
	> products instead of security products, then given points for
	> feature-bloat rather than penalized for opening too many holes.  I place
	> the blame directly on magazine reviewers and the managers who swear by
	> them.
	> 
	> Bill Stout
	> 
	> > ----- Original Message -----
	> > From:	Gillian Steele [SMTP:gillian@spiceisle.com]
	> > Reply To:	Gillian Steele [SMTP:gillian@spiceisle.com]
	> > Sent:	Wednesday, June 17, 1998, 18:44:19
	> > To:	Stout, Bill
	> > Subject:	Re: Proxy 2.0 secure?
	> > 
	> > [To unsubscribe, send mail to majordomo@lists.gnac.net with
	> > "unsubscribe firewalls" in the body of the message.]
	> > -
	> > >I can tell you that if you are using MSProxy2.0 as a firewall, which is
	> > >also a domain member server, you are asking for exposure of your NT domain
	> > >information, including users, groups, service accounts, etc.
	> > 
	> > So, if you're really worried about this, use MSP 2.0 on its own NT box and
	> > set up a one-way trust relationship between the NT domain and the box
	> > running MSP 2.0 and you're sitting pretty.  You can set up a standalone box
	> > to do this for less than $3,500 (less than $2,500 if you go with the cheap
	> > PC running NT server).
	> > 
	> > I have heard of NO hackers getting past a properly configured MSP 2.0 server
	> > to access the internal LAN, whether MSP was running on its own box or
	> > otherwise.  Have you?
	> > 
	> > Recent tests have shown that MSP 2.0 is just as effective a firewall as
	> > other NT-based (and other firewalls).  As it's cheaper too and integrates
	> > very well with a LAN based on the NT domain model, it was and remains my
	> > first choice for NT-based LANs for small to medium-sized offices.  Its lack
	> > of reporting tools makes it difficult for me to recommend it for use in
	> > large installations.  Right now I'm using it with a 164-node LAN.
	> > 
	> > If you want the URL for those tests, please e-mail me (I have it stored on
	> > the PC in the office!).
	> > 
	> > Regards,
	> > Brian
	> > ----- End Of Original Message -----
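Choi's complaint at the top of the thread is about a stack that chokes on faulty IP fragments, and Bill Stout's list names the teardrop and ping-of-death families. The check below is an added example, not code from any of the posts: the sanity tests a reassembly engine or an IDS can apply to an IPv4 fragment set before trusting it, namely a reassembled size over the 16-bit IP length limit (the ping-of-death pattern) and fragments that overlap data already covered (the teardrop pattern), plus the offset and length alignment rules the IP header imposes. The `Fragment` type, the `check_fragments` function and the three fragment sets are constructed for this example.

```python
# Added example (not from any of the posts above): sanity checks on an IPv4
# fragment set before reassembly. All fragment sets below are constructed data.
from dataclasses import dataclass
from typing import List

MAX_DATAGRAM = 65535   # IPv4 total-length field is 16 bits
IP_HEADER_LEN = 20     # minimal IPv4 header carried by the reassembled datagram


@dataclass(frozen=True)
class Fragment:
    offset: int   # payload offset in bytes (the header's fragment-offset field times 8)
    length: int   # payload bytes carried by this fragment
    more: bool    # MF flag: more fragments follow


def check_fragments(frags: List[Fragment]) -> List[str]:
    """Return anomaly descriptions for one datagram's fragments; empty means sane."""
    problems: List[str] = []
    if not frags:
        return ["empty fragment set"]
    ordered = sorted(frags, key=lambda f: f.offset)
    if ordered[0].offset != 0:
        problems.append("first fragment (offset 0) missing")
    if ordered[-1].more:
        problems.append("no final fragment: every fragment has MF set")
    covered_to = 0  # payload bytes accounted for so far
    for f in ordered:
        if f.length <= 0:
            problems.append(f"fragment at {f.offset} has non-positive length {f.length}")
            continue
        if f.offset % 8:
            problems.append(f"fragment offset {f.offset} is not a multiple of 8")
        if f.more and f.length % 8:
            problems.append(f"non-final fragment at {f.offset} has length {f.length}, not a multiple of 8")
        if f.offset < covered_to:
            # teardrop-style: this fragment re-covers bytes an earlier one supplied
            problems.append(f"overlap: fragment at {f.offset} re-covers data up to {covered_to}")
        elif f.offset > covered_to:
            problems.append(f"gap: nothing covers bytes {covered_to}..{f.offset - 1}")
        end = f.offset + f.length
        if IP_HEADER_LEN + end > MAX_DATAGRAM:
            # ping-of-death-style: the reassembled datagram cannot fit the 16-bit length
            problems.append(f"oversize: reassembled datagram would be {IP_HEADER_LEN + end} bytes, exceeds {MAX_DATAGRAM}")
        covered_to = max(covered_to, end)
    return problems


# Constructed fragment sets: a normal 3060-byte datagram split over a 1500-byte MTU,
# a set whose last fragment pushes the total past 65535, and a set whose second
# fragment overlaps the first.
NORMAL = [Fragment(0, 1480, True), Fragment(1480, 1480, True), Fragment(2960, 100, False)]
OVERSIZE = [Fragment(0, 1480, True), Fragment(65528, 100, False)]
OVERLAPPING = [Fragment(0, 36, True), Fragment(24, 12, False)]

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("oversize", OVERSIZE), ("overlapping", OVERLAPPING)):
        print(name, check_fragments(frags) or "ok")
```

Reporting rather than silently dropping is deliberate: a stack that discards bad fragments quietly is exactly the situation Choi describes, where the operator only learns of the problem when the box falls over.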
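The last two items in Bill Stout's PPTP list (one key for both directions, and bit-flipping in the RC4 stream) are properties of any unauthenticated stream cipher, not of RC4 in particular. The following is an added example, not code from any of the posts or from Microsoft's PPTP implementation: a textbook RC4 keystream written out here for illustration, used to show why a flipped ciphertext bit lands in the plaintext undetected, why a shared key for both directions leaks the XOR of the two plaintexts, and how an encrypt-then-MAC tag (HMAC-SHA256 here) with separate keys makes the tampering detectable. `stream_crypt`, `seal`, `open_sealed`, `direction_leak` and the key and message values are all constructed for this example.

```python
# Added example (not from any of the posts above): malleability of an
# encrypt-only stream cipher, and the integrity tag that detects it.
# Keys and messages are constructed sample values.
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output size

KEY = b"constructed-session-key"
MAC_KEY = b"constructed-mac-key"
MSG = b"allow=0;user=guest"


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Generate n keystream bytes (textbook RC4 KSA + PRGA, for illustration only)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def flip_bit(buf: bytes, byte_index: int, bit: int) -> bytes:
    """Return a copy of buf with one bit toggled (stands in for in-flight corruption)."""
    out = bytearray(buf)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def direction_leak(shared_key: bytes, to_server: bytes, to_client: bytes) -> bytes:
    """With one key for both directions, XOR of the two ciphertexts == XOR of the plaintexts."""
    return xor_bytes(stream_crypt(shared_key, to_server), stream_crypt(shared_key, to_client))


def seal(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext followed by an HMAC-SHA256 tag computed over it."""
    ct = stream_crypt(enc_key, msg)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Return the plaintext, or None when the tag does not verify (any modified bit)."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return stream_crypt(enc_key, ct)


if __name__ == "__main__":
    ct = stream_crypt(KEY, MSG)
    # Toggling bit 0 of ciphertext byte 6 toggles the same bit of plaintext byte 6 ('0' -> '1').
    print(stream_crypt(KEY, flip_bit(ct, 6, 0)))
    a, b = b"hello from client", b"reply from server"
    print(direction_leak(KEY, a, b) == xor_bytes(a, b))
    blob = seal(KEY, MAC_KEY, MSG)
    print(open_sealed(KEY, MAC_KEY, blob))
    print(open_sealed(KEY, MAC_KEY, flip_bit(blob, 6, 0)))  # tag fails: None
```

The design point is the one the Counterpane analysis cited in the thread makes: confidentiality alone does not give a tunnel integrity, so a VPN that protects only with a stream cipher needs a keyed MAC over every packet and distinct keys per direction, or the tunnelled protocols above it inherit the weakness.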