Which Router for VPN and Webhosting

Discussion in 'Computer Security' started by wendy, Sep 12, 2003.

  1. wendy

    David Guest

    It's hard to say. In either case it is simply a matter of whether the black
    hats find the vulnerabilities before the white hats do. Even with MS's piss
    poor reputation in regards to dealing with reported vulnerabilities, they do
    seem to get most of their holes patched before the exploits hit the net.
    There are several security outfits looking for windows vulnerabilities right
    now because there is money to made in doing so.

    On the other hand I have seen a lot of open source vulnerabilities that are
    being discovered after the exploits show up. OpenSSH for example just fixed
    two holes one right after the other which it looks like were only discovered
    after several systems had reportedly been hacked. And this is not an obscure
    open source project.

    There is a lot of open source stuff out there that is not getting audited.
    And there is a bunch of PHP and perl stuff for websites which is full of
    exploitable code. Take a look at many of the open source web application
    projects and you will probably find exploitable scripts and or SQL injection
    vulnerabilities.
     
    David, Sep 20, 2003
    #61
    1. Advertisements

  2. wendy

    Eirik Seim Guest

    In most cases yes. I don't think they ever patched that IGMP problem
    with Windows 98SE (and earlier). The problem is rather the amount of
    patches. Once there is a patch that is a bit harder than usual to
    install (like the MS-SQL hole exploited by the Slammer worm), it is
    skipped and forgotten until networks start to go down.
    Which is great! :)
    There will always be bugs in complex software. Most of them are found
    and fixed before an exploit is out, but yes I see your point. The sword
    cuts both ways.
    Poorly written web applications will become even more of a problem in
    the future. There is an infinite amount of bad programmers out there
    who took a one-year "web programming" course[1], and keep making the
    same mistakes instead of reusing mature code, and follow the recommended
    guides for things like input checking[2].


    - Eirik

    1. And others, of course. A CS degree don't have to help, either.
    2. The last case I reported was actually at my local MENSA website,
    which was kind of amusing in a way..
     
    Eirik Seim, Sep 20, 2003
    #62
    1. Advertisements

  3. On 20 Sep 2003 05:47:28 -0700, BC spoketh
    Interesting. Just for the fun of it, I just installed Windows Server
    2003 Web Edition, and managed to kill of everything except:
    - Port 80/TCP (Kinda have to allow this one, it's a web server)
    - Port 135/TCP (Can't be shut down if you're running IIS)
    - Port 1025/TCP (lsa-something or other)

    Port 135 access can be shut down either by using IP filters and/or IPSec
    policies. The same is true for port 1025.

    The only remaining vulnerability is IIS itself (and seeing how IIS 4 & 5
    was, that might still be a significant issue)...

    If you want to run Apache instead, port 135 issues will go away as
    well... Not too bad for being my second look at Windows 2003...


    Lars M. Hansen
    www.hansenonline.net
     
    Lars M. Hansen, Sep 20, 2003
    #63
  4. wendy

    BC Guest

    Not bad indeed, for starters, but you may have to go
    a wee bit further: http://tinyurl.com/fmzg And then
    there's Internet Explorer to unbundle, Media Player,
    DirectX, etc., etc.

    -BC
     
    BC, Sep 21, 2003
    #64
  5. On 20 Sep 2003 21:12:02 -0700, BC spoketh
    Well, I'm a little uncertain why I would have to remove those. Neither
    are actively listening, and should only pose a threat if someone has
    physical access to the computer ...

    Lars M. Hansen
    www.hansenonline.net
     
    Lars M. Hansen, Sep 21, 2003
    #65
  6. wendy

    David Guest

    The point is this Lars. If you are running a webserver you want to install a
    kernel, a webserver, and only the additional tools and software necessary to
    run and administer the webserver.

    Let's say another buffer overrun is found in IIS or one of the MS or third
    party isapi filters you use for dynamic content. An exploit is created for
    it which overwrites code in the IIS memory space that shovels a shell back
    to the hacker. Since IIS runs as system, and the cmd shell is actually being
    run on the server many things that are still installed on the server are
    still up for grabs. So disable what you can but if you can't uninstall it,
    one way or another much of it can be used against you to further a
    compromise. They have added access control for processes and various other
    new security features which should make it easier to secure against elevated
    privilege exploits, but history tells me someone will find the ways. It will
    be interesting to see if something is found with their new kernel mode
    http.sys driver. Only time will tell.

    With Linux you can put the webserver in a chroot jail. So after the initial
    exploit the hacker has no access to the rest of your system until they get
    out of the jail. And since you didn't leave them any tools in the jail cell
    to further their compromise, they have to find a way to upload them, get out
    of jail, and upload more tools because you didn't leave them squat to work
    with outside the jail either.

    The specific programs mentioned by another aren't the big problem, it is a
    bunch of the other stuff that is installed and cannot be removed. Initial
    break-ins aren't the problem, it is everything that is done afterwards that
    wreaks havoc.
     
    David, Sep 21, 2003
    #66
  7. wendy

    Leythos Guest


    All of our production web servers are set to that the MMC and CMD are
    only executable by a select user account. Gaining access to the CMD
    shell is not possible, even the OS system account can't access it. In
    fact, I've done this on most of our admin tools, only a select user, one
    that is not an admin, can execute them - the user is made an admin only
    for the time needed to perform admin functions and then returned to user
    status.

    Been running IIS since 4 came out and never been compromised yet.
     
    Leythos, Sep 22, 2003
    #67
  8. wendy

    BC Guest

    Good explanation. Also Microsoft gives way, WAY too many priviledges
    to the built-in apps like IE and WMP, which are constantly exposed
    to external threats. IE especially has consistantly been the flimsy
    door with the crummy lock.

    -BC
     
    BC, Sep 22, 2003
    #68
  9. wendy

    David Guest

    My point wasn't made to analyze a single method of exploit and how to secure
    from it. History shows us that exploits are used, computer users/admins make
    changes and then the exploits are reworked to account for those changes.
    File ownership and acl's can be changed programmatically, and while securing
    something like msc consoles adds to your local access security, the
    interfaces to the services, registry, metabases,etc. are still there. Some
    stuff will always be there no matter what platform you use because they are
    needed for functionality or administration, but there is no reason to have
    to run a server with a list of disabled services and unneeded interfaces
    that can't be uninstalled. The point is you are not given a way to get rid
    of much of the unnecessary BS. Everyone recommends not installing what isn't
    needed, but their own installation methods, system architecture, and
    business practices don't allow you to completely do that. You are forced to
    install certain proprietary technologies and applications, many which are
    tied together to other functionality so you can't even manually uninstall
    them. You can disable all you want and change all the permissions and user
    rights you want but they can all be programmatically changed again. You
    shouldn't be forced to install the crap you don't need, and then have to
    spend resources on IT staff and third party software to protect you from
    what doesn't need to be there in the first place. When you look *closely* at
    the "Zero Administration" Initiative, you start to realize that it is sugar
    coated and still favors ease of use, versatility, and backward compatibility
    over security. It's great for a relatively closed environment, but the core
    technologies for it are embedded in the OS and cannot be taken out when you
    want to deploy a publicly accessible server. Sure you can make a
    windows-based
    server relatively safe from initial exploit by keeping up to date with
    current issues, but we all know it is impossible to guarantee it. So you end
    up spending time and money securing stuff that doesn't need to be there in
    the first place to keep the dominoes from falling.
     
    David, Sep 23, 2003
    #69
  10. wendy

    BC Guest

    You wouldn't exactly think that from their product
    description: http://www.microsoft.com/isaserver
    Damned if I can't find a reference to how it's only
    meant to protect small companies with low Internet
    traffic....

    -BC
     
    BC, Sep 23, 2003
    #70
  11. wendy

    David Guest

    Nobody said it was only meant for small companies or low bandwidth
    situations. You have simply taken somebody else's words out of context. The
    word "in this respect" are very important to the context of the statement
    made.
     
    David, Sep 24, 2003
    #71
  12. wendy

    BC Guest

    I don't want to quibble too much over context or such,
    but Microsoft very clearly tries to market ISA Server
    as an "enterprise" level firewall and caching solution.

    Either it is or it isn't....

    -BC
     
    BC, Sep 25, 2003
    #72
  13. wendy

    David Guest

    It doesn't mean it is the best thing to use for all enterprise scenarios.
    Nothing fits that bill. If you go into a large organization that has a good
    internet presence you will probably see more than one brand or type of
    firewall deployed in ways that best suit their particular design. And you
    will also find many that are using companies like Akamai to serve up their
    content.

    MS was facing a potential DDOS attack of unknown severity from normally
    legitimate users. So they needed a quick solution that would give them the
    ability to have additional servers come online quickly as the need arose so
    that they could still serve up pages to legitimate users. Akamai fits the
    bill perfectly in this situation, in a cost effective way no less. Would you
    go out and pay for infrastructure for a temporary problem?
    Symantec conducts a lot of their business using Akamai also, does that make
    their enterprise firewall substandard also?

    I think not!
     
    David, Sep 25, 2003
    #73
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.