Re: By-passing MS Proxy 2.0 and others packet filtering

From: Marc D. Behr (mbehrat_private)
Date: Fri Oct 09 1998 - 05:31:42 PDT

    In message <E0zRAWY-0003iT-00at_private>, Mnemonix writes:
    >Okay - to make everything more clear
    >
    >
    >
    >Firstly it seems that most web-based proxies, not just MS Proxy, are
    >susceptible to this kind of attack. Thanks to Greg Jones and others for
    >doing some testing on this.
    >
    
    
    It is true that most improperly configured web proxy servers can be exploited
    to allow you to access any service on a remote system. The key statement here
    is "improperly configured".
    
    At a previous job at a network equipment manufacturer, I was responsible for
    the administration of the web servers and proxies. I installed rules on the
    proxy server that indicated what ports I would allow people to connect to on
    remote systems. The proxy was configured to allow connections only to ports
    70,80-89,8000-8090 on the remote servers (I think that was all, but my memory
    may have missed a few).
    
    If a user attempted to access a server that was running on a different port,
    they would get a message indicating that access was being denied to this
    server/port and that if they needed access, they should contact "The Web
    Police". We could then determine if a special case rule was necessary to allow
    access.
    
    This is a reminder that if your firewall policy is to deny anything that is
    not specifically allowed, you need to remember to implement this exact same
    policy on your proxy server if you wish to maintain security.
    
    I would also recommend that you do NOT run a proxy server on port 80. Pick
    some other port in the 81-89 range and ensure that your proxy is configured to
    allow connections from inside addresses only (even if you have installed
    packet filtering rules to do the same). I always like to assume that
    everything else is broken and repeat the rules where I can.
    
    Marc
    
    --
    Marc D. Behr                                    mbehrat_private
    SecurePipe Communications, LLC
    PGP Key ID: 0x0D8A666F
    Fingerprint16: 0B E0 30 14 E0 CF 3C 4C  D6 37 87 E2 D6 E5 88 E0
    


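The policy the post describes (deny by default, permit only a listed set of destination ports, accept requests only from inside addresses) as an added Python illustration; this is not MS Proxy 2.0 configuration or the author's code. The inside network, the helper names and the request samples are constructed for this example; the port list is the one quoted in the post.

```python
"""Default-deny egress check for a web proxy: source must be internal, destination
port must be in the allowlist. Constructed example, not vendor configuration."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_PORTS_SPEC = "70,80-89,8000-8090"            # port list quoted in the post
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # assumed internal range
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "gopher": 70}
DENY_MESSAGE = ("Access to {host}:{port} is denied by proxy policy; "
                "contact The Web Police if you need it.")

def parse_port_spec(spec):
    """Expand '70,80-89,8000-8090' into a set of ints; reject malformed entries."""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.strip().partition("-")
        lo_n = int(lo)
        hi_n = int(hi) if hi else lo_n
        if not 1 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"bad port entry: {item!r}")
        ports.update(range(lo_n, hi_n + 1))
    return ports

ALLOWED_PORTS = parse_port_spec(ALLOWED_PORTS_SPEC)

def destination(method, target):
    """Resolve (host, port) of a proxy request. CONNECT carries host:port;
    other methods carry a URL whose port defaults per scheme."""
    if method == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep:
            raise ValueError("CONNECT target must be host:port")
        return host, int(port)
    parts = urlsplit(target)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    if port is None:
        raise ValueError(f"unknown scheme in {target!r}")
    return parts.hostname, port

def decide(src_ip, method, target):
    """Return (allowed, reason). Source check first, then the port allowlist;
    anything not explicitly permitted is denied."""
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in INSIDE_NETS):
        return False, "source address is not on the inside network"
    host, port = destination(method, target)
    if port not in ALLOWED_PORTS:
        return False, DENY_MESSAGE.format(host=host, port=port)
    return True, f"allowed to {host}:{port}"
```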

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:19:07 PDT