I began writing a summary of Catapult for my manager. This is not
complete, but this is enough for a Friday.
Enjoy. Comments welcome.
Bill
___________________________________________________________________
--Intro
Catapult is a proxy package which contains proxies that run in various
packages. Presently it is a beta that requires beta O.S. and IIS 2.0 beta
(webserver). It comes with a service pack for NT4.0b2 which must be
installed before Catapult will install. It is a proxy package, and not a
firewall.
o HTTP
o FTP
o RealAudio
o VDOLive
o IRC
o 'mail'(SMTP?)
o news'(NNTP?)
o Telnet (?) via RWS, intranet only
--HTTP, Gopher, and FTP
The HTTP, Gopher, and FTP proxies link into the running IIS 2.0 webserver,
and run in the IIS memory space as ISAPI task threads.
The HTTP proxy comes in two flavors, a RWS HTTP proxy, and a HTTP caching
proxy ('CERN'-like). The RWS proxy is used only for intranets, and the
'CERN'-like proxy is for external HTTP access. Only one type of proxy
can be running. The 'CERN'-like proxy is compatible with browsers that
support CERN compliant proxies.
If IIS is used for external access, Catapult will allow internal access only.
FTP does not allow command-line access. Since this proxy is linked with IIS,
he must enter in a URL with the syntax; ftp://username:password @
ftp .
site .
com .
Currently FTP connections out are wrapped in HTTP, which results in getting
files as screen text back to the browser. This should be fixed, as holding
the shift key down is a workaround.
--TCP/IP
These proxies require the clients to access via Winsock 1.1 or RWS (Remote
Windows Sockets Server). Only Windows clients using the Winsock API can use
this proxy. Catapult is not compatible with the current SOCKS standard.
Non-Microsoft TCP/IP stacks are not supported.
RWS is intended only for intranet sites, and must be disabled on Catapult
for access to internet sites.
Telnet proxy can be configured using RWS.
--System Security
Catapult does not require that IP routing be disabled on the 'firewall'
system.
Catapult does not insure that the firewall is not linked into an existing
domain.
Catapult creates an iasclnt network share for clients on the firewall which
stores
RWS client software for clients to download and install. In the Firewall
world,
network drive shares are forbidden. There is no automated system auditing
program on installation, or a periodic system security auditing tool.
NT HTTP challenge/response security supports Explorer only. Other browsers
are not
supported via the NT HTTP challenge/response.
--IPX
IPX is supported for W95 and NT only, not
SSL tunneling is supported between proxy servers.
_____________________________________________________
Additional Comments:
The difference between a real firewall package and a proxy package
like Catapult is the security of the underlying O.S., and software
to secure the underlying O.S..
A firewall uses a stripped O.S., any and all services except as
required for the proxies are removed. Each service or application
which runs on the firewall is a door through the firewall. Also UDP
traffic is connectionless, cannot be firewalled, and should not
be allowed on a firewall, for example, because of certain attack
methods (IP sequence, etc).
Firewalls 'fail' in the closed position, so that communications
for a specific IP port# stops, instead of opening up. An
administrator that does not completely understand IP port numbers,
applications, and the services running on the firewall is the
greatest threat to firewall security. Next to modems...
Catapult fails in the open position, just realizing that IP routing
alone is not forcefully disabled by Catapult.
NT is certified C2 compliant as long as you disconnect the network,
remove floppy drives, etc. It is not secure from a network standpoint,
and NT generally is unsecure in from many other perspectives.
Nbtstat -a <enter IP address of www.microsoft.com node> will give you
processes, user, MAC address, etc of a webserver/Catapult system, which
will give you usernames to crack, and (system ID) nonce's to target for
sniff and capture. This gives you much more detail than 'finger', which
was a favorite tool of hackers to find what accounts exist on a machine,
let alone a domain. If the machine can boot from a floppy disk, a DOS
floppy with NTFSDOS.EXE allows you to read the NTFS filesystem without
security. A firewall has to be located in a physically secure area for
this and other reasons. Same goes for UNIX firewalls, but you can't just
stroll by, slip in a floppy, and touch the reset button...
The machine account security (nonce token) can be easily bypassed by
disconnecting the network cable, logging in using cached data locally,
and reconnecting the cable.
Also because of export restriction, NT uses a one-way encryption mechanism,
broadcasting the username/password in both DES and MD4 encrypted passwords
(for LANmanager compatibility), and compares that binary string to a
binary string in a SAM database, it does not decrypt the string. That
binary string is sniffable and reusable. A NT firewall that is a member
of a domain is also dangerous, only an administrator should be allowed
to log into a firewall system, and only locally if you're really security
conscious. NT passwords are fairly easily crackable, DES is crackable,
and the only way NT will not encrypt using DES is to use a password longer
than 14 characters. Though none of the user interfaces allow longer than
14 character passwords...
NT will accept connections with a NULL domain field(WFW compatibility
purposes), if a hacker does not know the domain name, he uses a WFW PC.
Any user logged into a NT 4.0b1 w/s can browse the entire (protected)
directory tree of a NT 3.51 svr w/SP 3, SP 4 fixes this. I don't know
why, or the exact configuration this is caused by.
There is no software to automatically audit and secure the underlying
O.S., Catapult, for example, does not require IP routing be disabled,
a _HUGE_ security hole in the firewall world. Other firewall
requirements are telnet, rlogin, x-windows, and other proxies that
developers or advanced multi-O.S. users demand in large corporations.
Other firewall base O.S.s have also had security holes, these are
generally fixed over the years. Hackers have to exploit these
weaknesses before they are addressed. If MS is using Catapult as
their only firewall package, I'm sure the MS view of a firewall will
become 'redefined'.
Bill Stout
_______________________________________________________________________________
Senior Systems Admin NT/UNIX/I-net/Routers/Mainframes/Janitor ;)
Hitachi Data Systems 408-970-4822 --- Disclaimer: I speak only for myself
___________"Infowar, Cyber-war, yes, 'they' _are_ out to get you..."___________
|
|
