>Not on a firewall. On a firewall it can run as any user and perform
>a SATAN style attack on hosts beyond the firewall. Whether it can
>subvert internal security on the firewall is less critical. But even
>there, the gaps Microsoft has created in NT security (bypassing
>traverse checking, for example, and the lax permissions you need
>on system directories) make a trojan horse attack (via the file
>system or the registry rather than the secured portions of the
>proxy, for example) quite credible. A similar attack in UNIX,
>from a chrooted environment, is orders of magnitude more
>difficult.
*
Your "gaps" are based on your understanding of how NT works with
particular applications (some belonging to Microsoft), and in a
particular environment which NT was not designed to function within
(Citrix, WinDD, et al). This was precisely what I was referring to when
I said that applications are not built properly, but that NT is. Lax
permissions on the system directories only need to be lax if you need
to run programs which were poorly designed (Microsoft Office is a
perfect example); your Firewall is definitely not going to need this
capability. I've said it before, and I'll say it again: no properly
written application needs to have anything beyond read access to the
%systemroot% directory or any of its subdirectories, so the OS files
can be completely secured from all but the SYSTEM user and any user you
permit CONSOLE access.
*
Bypassing traverse checking is only required if something plans on
scanning the directory trees, again, not something that has much to do
with the needs of a Firewall application (if the Firewall doesn't know
already what directories it needs to go to, there's something wrong
with its design). So neither of these "gaps" you put forth has
anything to do with the issue at hand, and they would be the simplest part of
securing the OS that a Firewall would have to deal with.
*
A simple way to kill the Trojan horse issue completely is to run
something akin to Raptor's Vulture process, which sits on the Firewall
and constantly scans for changes to critical files (including its own).
No big deal, and your Trojan Horse threat disappears.
*
>NT is not just the kernel and subsystems, it's got to include the
>applications as well. Just as people consider sendmail holes to
>be a UNIX security problem, the configuration problems and problems
>in Microsoft applications and utilities are NT security problems.
*
Sorry, so you patch the Unix OS to fix Sendmail problems? I must have
missed that CERT advisory.
*
>NT, as a system, has not been given the same overall attention to
>security as UNIX. And that's truly scary, because UNIX was not
>originally designed with high levels of security as a goal!
*
Well, that's not what their stated design goals were, so your
information comes from where? I'll happily accept that this is your
opinion, but you make it sound like fact. I won't argue that Microsoft
does not employ a lot of the security techniques it could/should, but
NT has the facilities built-in designed from the beginning, what's at
issue is what uses them and what doesn't, IMO.
*
>I didn't say that. What I said is that *I* can not scrutinize the
>source.
>Whether some programmer subject to a nondisclosure agreement
>has seen it is utterly irrelevant to me: his study doesn't benefit me
>any more than a similar study by a Microsoft programmer... unless
>I'm already a criminal and are willing to coerce him into violating
>his NDA.
*
There are a lot of things which you cannot do personally; if you tried
to scrutinize the NT source code it would probably take you a
considerable amount of time. *You* can scrutinize NT's source code if
you want, you just have to buy a license. If this is the only issue you
have in this area, then it's one of cost, not ability. Microsoft's not
hiding anything, they're just charging for it.
*
>That is, Microsoft's secrecy regarding their source,
*
What secrecy, see above.
*
>while completely understandable, does benefit the black hats by keeping
>most of the white hats away. Most especially, it keeps away the people
>who will perform the same sort of hostile reviews that have publicised AND
>CLOSED so many UNIX
*
For one thing, I don't believe that "most of the white hats" are being
kept away. I think "most of the white hats" are very busy doing other
things. If the companies that "most of the white hats" worked for
wanted to do some really secure stuff with NT, you'd be surprised at
how accommodating Microsoft can be. But it's market driven, so if you
can't show how your work is going to provide significant revenue to
Microsoft, you're probably going to have to pay. The other option is to
do what most of the NT Firewall vendors are doing, and that's to
implant yourself far enough down to catch things before NT has a chance
to be exploited, or, do enough testing to derive functionality and
capability. There are other ways that violate Microsoft's license, but
it's been known to happen.
*
Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security Consulting
mailto:Russ.Cooper@RC.on.ca <-- *note the new address*