At 10:44 PM 8/21/96 -0400, you wrote:
>i was curious if anyone has used nt4's built in firewall feature? if so,
>what comments do u have on it? also, does anyone know how to set it up to
>avoid server level ping floods (icmp)? thanx
>
>»»» ntmaster «««

O.K. 'NT Master', I'll bite the bait, what 'built-in firewall feature'?
There is a product called Catapult, which is a proxy (not to be confused
with a firewall) which runs on top of NT 4.0 and IIS 2.0.
Don't confuse NT C2 certification with network security either, it refers
only to a standalone NT box that doesn't talk to anything.

The network logon security appears to be strong, where it exchanges 16-bit
OWF (One-Way-Function) encrypted DES and RSA-MD4 passwords through a
secure(d) channel to a server for requesting user access tokens. However,
all this work culminates in associating the encrypted token with four
character plaintext UIDs accompanying all SMB session (port 139) traffic.
This should be very easy to hijack. As I write this, I'm worried because
I just sniffed the net again, and noticed my UID is the same as last Friday.
Anyone know the TTL for SMB UIDs? In fairness, in a comparison to UNIX,
SMB would map to NFS, which you would diligently turn off in a firewall
(all of us, but not MS, which purposefully creates a share with Catapult),
and the logon process would map to Kerberos or SecureRPC logon (DES 40-bit
only?).

Raptor has an NT firewall; some say it should not be a PDC or BDC that keeps
duplicates of the user SAM database (/etc file or NIS+ table equivalent). I
would go further and say it should not even be a domain member which a domain
would trust, but a server in its own single-host domain. Raptor does kill
'server' and other processes that open SMB type ports from what I can tell,
and they appear to replace the (mysterious) MS NT TCP/IP stack as a network
service.

So far I've only mentioned a percentage of many network objects in NT, and
each follows different security mechanisms and ports in the IP stack. MS
has no plans to open and make public their code for inspection.
Personally, I think there are too many mysteries and have seen too many
security bugs in NT to trust its use as an external corporate-strength
firewall.

Bill Stout
_______________________________________________________________________________
Senior Systems Admin NT/UNIX/I-net/Routers/Mainframes/Janitor ;)
Hitachi Data Systems 408-970-4822 --- Disclaimer: I speak only for myself
___________"Infowar, Cyber-war, yes, 'they' _are_ out to get you..."___________
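The "four character plaintext UID" the message above refers to is the 16-bit UID field (four hex digits) in the fixed SMB header that follows the NetBIOS session header on every port 139 request after session setup. The following is an added example written for this page, not code from the original post or from Microsoft, Raptor or Catapult. It parses that header from a session message and runs a small passive audit that measures how long each (client, UID) pair stays in use on the wire, which is exactly the lifetime question ("TTL for SMB UIDs") the writer raises. The packet bytes, client address, timestamps and the one-day threshold are all constructed or assumed values.

```python
"""Parse the SMB header carried over a NetBIOS session (TCP/139) and audit
the cleartext UID field.

Added example for this page: not code from the original post nor from any
Microsoft, Raptor or Catapult product. Packet bytes, client address,
timestamps and the stale-session threshold are constructed/assumed.
"""
import struct
from datetime import datetime, timedelta

SMB_MAGIC = b"\xffSMB"
NBSS_SESSION_MESSAGE = 0x00
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_TREE_CONNECT_ANDX = 0x75
SMB_COM_READ_ANDX = 0x2E

# Fixed 32-byte SMB header after the 4-byte NetBIOS session header; every
# field after the magic is little-endian:
# command(1) status(4) flags(1) flags2(2) pid_high(2) security(8) reserved(2)
# tid(2) pid_low(2) uid(2) mid(2)
_SMB_HDR = struct.Struct("<BIBHH8sHHHHH")


def parse_smb_header(data: bytes) -> dict:
    """Return the SMB header fields of one NetBIOS session message."""
    if len(data) < 4 + 32:
        raise ValueError("too short for NBSS + SMB header")
    if data[0] != NBSS_SESSION_MESSAGE:
        raise ValueError(f"not a session message (type 0x{data[0]:02x})")
    nb_len = int.from_bytes(data[1:4], "big")
    if nb_len != len(data) - 4:
        raise ValueError("NBSS length does not match payload")
    smb = data[4:36]
    if smb[:4] != SMB_MAGIC:
        raise ValueError("missing SMB magic")
    (command, status, flags, flags2, pid_high, _sec, _res,
     tid, pid_low, uid, mid) = _SMB_HDR.unpack(smb[4:])
    return {"command": command, "status": status, "flags": flags,
            "flags2": flags2, "pid": (pid_high << 16) | pid_low,
            "tid": tid, "uid": uid, "mid": mid}


def build_smb_packet(command: int, uid: int, tid: int = 0, mid: int = 0,
                     body: bytes = b"") -> bytes:
    """Construct a minimal SMB message; used here only to fabricate sample traffic."""
    hdr = SMB_MAGIC + _SMB_HDR.pack(command, 0, 0x18, 0xC803, 0, bytes(8), 0,
                                    tid, 0xFEFF, uid, mid)
    payload = hdr + body
    return bytes([NBSS_SESSION_MESSAGE]) + len(payload).to_bytes(3, "big") + payload


class UidAuditor:
    """Track how long each (client, UID) pair stays in use on the wire.

    The UID is sent in the clear on every request after SESSION_SETUP, so a
    passive monitor can measure its lifetime; pairs older than max_age are
    reported so an operator can see how long a session token stays valid.
    """

    def __init__(self, max_age: timedelta):
        self.max_age = max_age
        self.first_seen: dict[tuple[str, int], datetime] = {}

    def observe(self, client: str, packet: bytes, now: datetime) -> list[str]:
        hdr = parse_smb_header(packet)
        uid = hdr["uid"]
        findings: list[str] = []
        if uid == 0:  # no session yet, e.g. the SESSION_SETUP request itself
            return findings
        first = self.first_seen.setdefault((client, uid), now)
        age = now - first
        if age > self.max_age:
            findings.append(
                f"{client} UID 0x{uid:04x} in use for {age} (limit {self.max_age})")
        return findings


def run_sample_trace(max_age: timedelta = timedelta(days=1)) -> list[str]:
    """Replay a constructed capture: one client keeps the same UID from Friday to Monday."""
    auditor = UidAuditor(max_age)
    client = "10.0.0.5"  # constructed address
    friday = datetime(1996, 8, 16, 9, 0)
    trace = [
        (friday, build_smb_packet(SMB_COM_SESSION_SETUP_ANDX, uid=0)),
        (friday + timedelta(minutes=1),
         build_smb_packet(SMB_COM_TREE_CONNECT_ANDX, uid=0x0801)),
        (friday + timedelta(hours=2),
         build_smb_packet(SMB_COM_READ_ANDX, uid=0x0801, tid=0x0800)),
        (friday + timedelta(days=3),
         build_smb_packet(SMB_COM_READ_ANDX, uid=0x0801, tid=0x0800)),
    ]
    findings: list[str] = []
    for ts, pkt in trace:
        findings.extend(auditor.observe(client, pkt, ts))
    return findings


if __name__ == "__main__":
    for line in run_sample_trace():
        print(line)
```

Run against a real capture, the auditor would be fed one decoded session message per request together with the source address; the one-day limit is only a placeholder for whatever session lifetime the site considers acceptable.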