 From:  Michael Monaghan <mmonaghan at gmail dot com>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] External Authentication
 Date:  Sat, 11 Sep 2004 17:39:30 -0400
Chris,


> There could very well be unpublished exploits out there, but it's just
> as likely that there are unpublished/unknown exploits in Apache,
> FreeBSD, Linux, etc.

While I agree all OS platforms are likely to have exploits the scales
are very heavy against Microsoft.  Check the CERT list for example
where Microsoft holds a good third of the entries.  Maybe that is in
part due to the number of users.
 
The exploit we got hit with is part of a kiddie kit available to
anyone.  I didn't say Microsoft didn't acknowledge it.  I said they
haven't fixed it.  They published documentation 2 days after my report
which included details on the sources and methods used.  They had
previous reports of the same exploit but no details to work from.  We
do extensive remote logging so we were able to pull together a lot of
information that was destroyed in other attacks.

A quick glance at the Info Sec community will reveal a growing
population that believes a lot of exploits are "privately held" for
some time before they become public knowledge.

> My first guess is still an application vulnerability, so I really
> encourage you to test the application's security.  (the book Hacking
> Exposed Web Applications is a good starting point for info if you're
> not up on web app security testing)

I've done extensive testing and I know the application has its
problems.  In this case however the logs are clear: the attack occurred
through the default server which had no "content".  The application
was never touched by the offending IP.  We stream logs to a remote
site so they don't get "altered" before we have a copy.

> > Why do you feel authentication at the firewall would be a support
> > nightmare?  That's the kind of information I'm looking for.  If I'm
> > not going to be able to support this configuration I'd like to know
> > before I commit to it.
> 
> Because you'd either have to determine the public IP subnet(s) of all
> your customers, and maintain that list, or use a second logon and
> password.

Agreed.  Even with a few employees this isn't maintainable.  That's
why I'm looking to use the Captive Portal (although I didn't have the
terminology right at the time I asked this question).

Radius authentication and the Captive Portal together seem as if they
might be able to answer this and keep us with one set of credentials.
I'm thinking that we might put the m0n0wall behind our existing
firewall and open 443 to use SSL and Captive Portal.  I'm guessing
I'll need to use two IPs but I haven't tested anything yet.  I know
this is less than ideal, but under the ugly circumstances it's the best
thing going.

> For the latter, it
> isn't possible with m0n0wall at this point that I'm aware of, and if
> you're dealing with the typical user, maintaining another username and
> password would almost certainly at least double your incidents of
> password resets and general support questions.

I completely agree.
 
> My 2 cents at least.  :)

Thanks for your input Chris.

Mike


On Sat, 11 Sep 2004 16:49:01 -0400, Chris Buechler <cbuechler at gmail dot com> wrote:
> On Fri, 10 Sep 2004 08:40:26 -0400, Michael Monaghan
> <mmonaghan at gmail dot com> wrote:
> >
> > There are plenty of known vulnerabilities that Microsoft admits there
> > are no fixes for.  The one used in this attack was unknown to MS PSS
> > and is still under study 2 months after the fact.  A lot of people
> > would have ignored the attack because the Root Kit was almost perfect.
> > I think we can all agree everything has its problems and in the
> > wrong or untrained hands things can be much worse.  I do appreciate
> > your ideas on IIS.  We've implemented them previously and it didn't
> > slow the attacker down.
> >
> 
> There could very well be unpublished exploits out there, but it's just
> as likely that there are unpublished/unknown exploits in Apache,
> FreeBSD, Linux, etc.
> 
> If you got hit by someone so good that they have unpublished exploits,
> it doesn't matter what platform you're running, they're going to get
> in somehow.
> 
> I find it a little hard to believe that a remote exploit sufficient to
> install a root kit exists and hasn't been at least acknowledged.
> (though it would likely be someone outside of MS first)  But it would
> certainly be possible, given MS's track record, especially over the
> last 6 months with almost constant unpatched holes in IE.  If PSS told
> you that, I'd imagine it's probably true.
> 
> My first guess is still an application vulnerability, so I really
> encourage you to test the application's security.  (the book Hacking
> Exposed Web Applications is a good starting point for info if you're
> not up on web app security testing)
> 
> 
> >
> > Why do you feel authentication at the firewall would be a support
> > nightmare?  That's the kind of information I'm looking for.  If I'm
> > not going to be able to support this configuration I'd like to know
> > before I commit to it.
> 
> Because you'd either have to determine the public IP subnet(s) of all
> your customers, and maintain that list, or use a second logon and
> password.
> 
> For the former, maintaining that list if you have more than a handful
> of clients is going to be a pain, especially if they want access from
> home, from a dial up account on the road, etc.  For the latter, it
> isn't possible with m0n0wall at this point that I'm aware of, and if
> you're dealing with the typical user, maintaining another username and
> password would almost certainly at least double your incidents of
> password resets and general support questions.
> 
> My 2 cents at least.  :)
> 
> -Chris
>