Doesn't anyone else know this stuff? (Full Version)

All Forums >> [Threat Management Gateway (TMG) 2010] >> General


SPEnthusiast -> Doesn't anyone else know this stuff? (28.Jan.2009 7:45:43 PM)

What good is a firewall, threat management software, etc. when the underlying Layer 2 hardware requires device drivers that run with full privileges in your OS kernel?

Most people use Windows XP on PCs connected to the Internet. Vista has a security feature called User Mode Device Drivers, where the driver has no access to the OS kernel. Do the blind lead the blind on the whole Internet, or is this some game that I don't know anything about?

Thanks.




adimcev -> RE: Doesn't anyone else know this stuff? (30.Jan.2009 8:56:29 AM)

So you are explicitly treating the firewall as a desktop, and installing on it drivers that Microsoft has not digitally signed, or that are of unknown provenance?
http://www.microsoft.com/whdc/winlogo/drvsign/digitsign.mspx
Then, no good....

Adrian




tshinder -> RE: Doesn't anyone else know this stuff? (30.Jan.2009 9:53:25 AM)

Hi Adrian,

Indeed -- since it is a firewall, you have to treat it as such. It's not a client or server, as many people seem to think it is.

Thanks!
Tom




SPEnthusiast -> RE: Doesn't anyone else know this stuff? (30.Jan.2009 7:59:44 PM)

Well, so it's not the blind leading the blind, it's actually some experts misleading the blind.

So, here goes, I'm going to cut to the chase here for the benefit of those that haven't got the gist of what I was trying to put through, although I'm sure that the people that have responded so far to my post know what I was trying to get at.

Windows XP, Windows Server 2003 - which is used even now to run ISA Server at major enterprises planet-wide - and all Microsoft OSes preceding Vista had no concept of User Mode Device Drivers. And Ethernet is used almost everywhere as the Layer 2 hardware to route IP over. Ethernet is a hierarchical network, uses a globally visible 48-bit MAC address, and you have to know that if your computer is connected to anything it can be intruded on. That would include these fancy 24 to 30-inch monitors with all kinds of CE inputs like component, S-Video, etc. to which you might hook things up like your cable company's receiver and anything else. Ethernet's hierarchical model was expected to formalize some of this stuff, but there are lots of people out there that have no idea that what they do on the Internet has ramifications on this Ethernet underworld, where people actually impersonate you on the Internet using your Ethernet NIC's device driver as the conduit through which to get to your OS kernel. This actually has the blessings of your ISP, too. If they have subverted your OS kernel this way, you're being shadowed. The obvious picks here are children that do innocent things on the Internet and their actions are logged by the people that have subverted the OS kernel as outlined above, and use those logs to impersonate children in order to hide their own evil actions.
Now, it's not just kids; there are grown-ups that do innocent things on the Internet, so there's just a lot more money involved there - intellectual property theft, etc.


To circumvent this sort of evil, you can use Windows Vista that has a security feature called User Mode Device Drivers, where such drivers have no access to the OS kernel. This still doesn't solve the problem. I outlined a solution to all this as early as 1999/2000, but at that time I didn't have a lot of the details on all these problems, so I couldn't argue convincingly that my solution would solve this. I just knew that my IP - actually several IPs - were being stolen, so I put forward a broad strategy without a lot of details. Much of that is not in place yet, but User Mode Device Drivers in Vista do help.

Perhaps you folks at www.isaserver.org can now confess to the people that you lead about how they should really have been protected.




SteveMoffat -> RE: Doesn't anyone else know this stuff? (30.Jan.2009 9:09:57 PM)

Sir, you are a numpty.

If you come out with cr*p like that you'll need to back it up with real world evidence....remember. Not 1 documented compromise of an ISA Server that has been properly configured....ever...




adimcev -> RE: Doesn't anyone else know this stuff? (31.Jan.2009 7:09:09 AM)

What are you trying to say ?

User mode device drivers are currently designed to support digital cameras, PDAs, portable media players, cell phones....
A user mode device driver cannot perform direct access to the hardware(like DMA) or handle interrupts.
A user mode device driver may introduce performance issues.
http://download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/umdf_intro.doc
http://www.microsoft.com/whdc/driver/wdf/UMDF.mspx
http://www.microsoft.com/whdc/DevTools/WDK/WDKbeta.mspx
http://www.microsoft.com/whdc/driver/wdf/UMDF_FAQ.mspx
http://blogs.msdn.com/iliast/archive/2006/10/10/Introduction-to-the-User_2D00_Mode-Driver-Framework.aspx
http://msdn.microsoft.com/en-us/library/aa510961.aspx

Actually you can run user mode drivers on Windows XP SP2 and 2003 SP1:
http://msdn.microsoft.com/en-us/library/aa510983.aspx

Part of the process of building a proper ISA machine (which is *not* a desktop), using only supported and recommended hardware, is to select and test the appropriate drivers.
If an attacker manages to install, or to supply to the admin for installation, his or her crafted version of a device driver, and this device driver runs in kernel space, then indeed there is a problem.
That's why you need to install drivers that are digitally signed.
And you can see for yourself that Microsoft takes this aspect seriously and treats it accordingly:
http://www.microsoft.com/whdc/driver/security/drvsecure.mspx
http://www.microsoft.com/whdc/driver/security/threatmodel.mspx
http://www.microsoft.com/whdc/winlogo/drvsign/drvsign.mspx
http://blogs.msdn.com/hanybarakat/archive/2007/02/16/os-internals-abcs.aspx

It's also the duty of the admin to verify the authenticity of the Windows OS and of the ISA product:
http://www.microsoft.com/forefront/edgesecurity/isaserver/en/us/common-criteria.aspx

Please review the ISA Server 2006 Firewall Core:
http://download.microsoft.com/download/e/7/6/e76fdda3-5c2c-4fbb-9c6f-3bcd0ed4b8ef/Firewall_Corewp.doc

Adrian
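
A defender's check for the advice above (install only digitally signed drivers): an added PowerShell example, not code from this thread or from Microsoft, that lists the loaded kernel drivers whose Authenticode signature is missing or invalid. The cmdlets are built in; the function name, the path normalisation and the output columns are my own assumptions.

```powershell
# Added example, not from this thread: enumerate the kernel drivers on a Windows
# host and flag any whose Authenticode signature is missing or invalid.
# Only built-in cmdlets are used; run from an elevated PowerShell session.

function Get-DriverSignatureReport {
    param(
        [switch]$IncludeStopped   # also examine drivers that are installed but not running
    )

    $drivers = Get-WmiObject -Class Win32_SystemDriver
    if (-not $IncludeStopped) {
        $drivers = $drivers | Where-Object { $_.State -eq 'Running' }
    }

    foreach ($d in $drivers) {
        if (-not $d.PathName) { continue }    # a few service entries carry no image path

        # The service database stores kernel-style paths; map them to Win32 paths, e.g.
        #   \??\C:\WINDOWS\system32\drivers\foo.sys  ->  C:\WINDOWS\system32\drivers\foo.sys
        #   \SystemRoot\system32\drivers\foo.sys     ->  C:\WINDOWS\system32\drivers\foo.sys
        #   system32\drivers\foo.sys                 ->  C:\WINDOWS\system32\drivers\foo.sys
        $path = $d.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $path = $path -replace '^system32\\', "$env:SystemRoot\system32\"

        $signer = ''
        if (-not (Test-Path -LiteralPath $path)) {
            $status = 'FileMissing'              # registered driver whose image is gone
        } else {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status.ToString()     # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        New-Object PSObject -Property @{
            Name   = $d.Name
            State  = $d.State
            Status = $status
            Signer = $signer
            Path   = $path
        }
    }
}

# Show only the drivers that do not carry a valid signature.
Get-DriverSignatureReport | Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Name | Format-Table Name, State, Status, Signer -AutoSize
```

On older PowerShell versions Get-AuthenticodeSignature checks only a signature embedded in the .sys file, so a WHQL driver signed through a .cat catalog can show as NotSigned; confirm such entries with sigverif.exe before treating them as suspect.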




richardhicks -> RE: Doesn't anyone else know this stuff? (31.Jan.2009 12:50:59 PM)

Cisco ASA and the Checkpoint Firewall on IPSO to my knowledge both leverage kernel mode device drivers for their network interfaces. If I am following your logic then both of these devices are useless as well? Fascinating!

Unfortunately for you my friend, the Microsoft ISA firewall's track record speaks loud and clear. Absolutely NO known incidents of compromise. You make it sound as if this kernel mode driver issue is trivial to exploit; if that were the case, most certainly you or myriad others would already have leveraged this so called 'vulnerability'.




tshinder -> RE: Doesn't anyone else know this stuff? (31.Jan.2009 1:10:59 PM)

It really is a testament to the ISA/TMG firewall dev team that their firewall has had no security incidents. However, you would not be surprised if you met them. I had the opportunity to meet the entire team this year, and they are the hardest working, smartest and most modest group of devs I've ever met. They are rocket scientists in the truest sense of the word. That's just one reason why I'm such a fan of the ISA firewall.

Thanks!
Tom




SPEnthusiast -> RE: Doesn't anyone else know this stuff? (31.Jan.2009 2:36:48 PM)

Here we go:

You folks are exposing yourselves more and more with each post.

Here's something that I think must be happening. You pick some poor s/d.o.b, give them some training on ISA Server, give them domain admin privileges and put them in charge of a network managed by Server 2003 machines, with some of them deployed at the network edge running ISA Server on PCs that have these malicious drivers. You then manage folks like those behind the scenes to make a living, and when you get caught, you just pass the blame onto the people you've been managing behind the scenes - the ones that got the poor ISA Server training. Would this be conjecture on my part? Probably, but at least some folks other than those that have responded to my posts in this thread would look for these incidents and then you're all toast. You don't belong in these positions, you gotta go, fast - now!

I don't doubt the good intentions of the ISA Server dev team at Microsoft. I love Microsoft software.




Dumber -> RE: Doesn't anyone else know this stuff? (31.Jan.2009 4:58:24 PM)

I'm sorry to jump in but what is actually your problem?
To me it sounds like you have some kind of issue with ISA or Microsoft.

Why is that? Or did I miss something because of my English [:D]




adimcev -> RE: Doesn't anyone else know this stuff? (31.Jan.2009 5:10:02 PM)

How about we just drop the ISAs and simply use some rootkited Cisco routers for your little plan, eh? [;)]

Adrian




SteveMoffat -> RE: Doesn't anyone else know this stuff? (31.Jan.2009 5:48:21 PM)

quote:

with some of them deployed at the network edge running ISA Server on PCs that have these malicious drivers.


ISA on a PC, man you are dumber than your post!!




Dumber -> RE: Doesn't anyone else know this stuff? (31.Jan.2009 6:32:53 PM)

quote:

ORIGINAL: SteveMoffat

ISA on a PC, man you are dumber than your post!!


Hey leave me out of this [:D][:D]

Well, ISA on PCs....
If you only knew how often I had to fight to get a decent server for ISA instead of a desktop and/or the oldest leftover server.
Usually this was at small to midsized companies, but still.




SteveMoffat -> RE: Doesn't anyone else know this stuff? (31.Jan.2009 6:38:28 PM)

[:D][:D][:D][:D]




adimcev -> RE: Doesn't anyone else know this stuff? (1.Feb.2009 5:39:12 AM)

That would matter little.

To put this straight, if you choose for example any of the enterprise network firewalls listed by Gartner in its annual report then, whatever the sales guys may say:
- none of them are truly implemented in hardware from A to Z, either the firewall system itself or the console platform used to manage the firewall; changes to hardware are possible, and so they can be circumvented or tampered with.
- on none of them is the internal hardware truly sealed, with seals that, when broken, are monitored and report that the system has been tampered with in a way that cannot be bypassed.
- any of them can be configured or used in an insecure manner, a manner believed by the admin to be secure.
- .......

So you can create conspiracy theories all day long, but your choice of involving ISA in this is quite poor, since ISA is not deployed as widely as any of the firewalls listed by Gartner.

You may be interested in reading Microsoft Security Response Center's 10 Immutable Laws of Security, as they may clean up your conspiracy theory a little bit:
http://technet.microsoft.com/en-us/library/cc722487.aspx

Adrian




SPEnthusiast -> RE: Doesn't anyone else know this stuff? (1.Feb.2009 4:41:30 PM)

Here's some enlightenment for all of you - a firewall purportedly protects IP ports, at Layer 3 and above in the OSI model, so a firewall is all software. Layers 1 and 2 are the only hardware components in the true OSI model, IP/IPv6 are true software specs. So it won't matter where you embed them, Cisco routers or whatever, a firewall is a piece of software.

Now, that was for all the folks that were acting dumb, here's the real nitty-gritty on what those people are up to:
More than ten years ago, when InfiniBand emerged as the point-to-point solution to replace hierarchical Ethernet and also with the native capability to route IPv6, these folks have been sacrificing innocent people just to make a living.

By the way, I chose the ISA Server forum since it's about a firewall, and I like to see Microsoft advance past these con artists. I plan to buy a lot of Microsoft software licences. I can't develop all that software myself, there's just too much there, so I chose to build on top of Microsoft software.




adimcev -> RE: Doesn't anyone else know this stuff? (2.Feb.2009 4:50:22 AM)

Sure, sure...
Just don't get too emotional...

You do realize that if you continue like this nobody will take you seriously? [;)]

For your information, there are Layer 2 firewalls and switch-type NIPS, bump in the wire solutions.

And for your information, there is a system that does what I've described in one of my above posts. It's just not feasible from many points of view (including costs) for normal people to use such systems.

And in what you describe, giving full access, physical and so on, to a system to a bad admin, your user-mode device drivers as a replacement for the kernel-mode ones are simply useless.

If you can't present a real situation on how you can bypass a properly deployed and configured ISA firewall due to its architecture, bugs or vulnerabilities, then I do not see how this forum is appropriate for you to post here with your findings.
You may try instead the IETF mailing lists, and come with an RFC or so:
http://www.ietf.org/rfc/rfc3093.txt

Adrian




SPEnthusiast -> RE: Doesn't anyone else know this stuff? (2.Feb.2009 5:16:52 PM)

Why is my example of "experts" like you charading someone as an ISA Server admin a bad one? I think this happens in many situations. You would pick people that have primarily desktop management experience, that don't have the know-how about device drivers for Ethernet NICs and what privileges those drivers enjoy on Windows Server environments. And you charade them as admins, while behind the scenes you come in to their machines using Layer 2 as a conduit, completely bypassing ISA Server. How can ISA Server protect something when attacks happen underneath the IP layer? All of you - every one of you "experts" on www.isaserver.org will have to be relieved of your formal duties so you can go on social assistance and be rehabilitated, if not thrown into prison for sacrificing innocent people. Simply because you may have been subjected to something like what I've described above doesn't mean that you have to pass such evil on. Take me for example: when such evil comes to me, it meets a dead end. People have a natural tendency to pass evil on, since they think that if it was done to them, it's all right to do the same thing to someone else. I guess a lot of people have kids for only this reason, so they can pass evil on to innocent and helpless kids.

When InfiniBand emerged on the scene with the native capability to route IPv6, every enterprise, government agency, and non-profit, etc. must and should have chucked Ethernet out the window. Instead, people like you convinced less knowledgeable folks that Ethernet/IPv4 was the better way, since it opened up conduits to kids everywhere that you can rob.

This will have to go. www.isaserver.org and everyone charading IPv4 firewalls will have to be relieved of their duties.




SteveMoffat -> RE: Doesn't anyone else know this stuff? (2.Feb.2009 5:19:02 PM)

LOL...you have one case of over ignorance. You don't really have a clue do you???

Is your name Andrew English by any chance??




G Man -> RE: Doesn't anyone else know this stuff? (2.Feb.2009 5:47:58 PM)

"I outlined a solution to all this as early as 1999/2000, but at that time I didn't have a lot of the details on all these problems, so I couldn't argue convincingly that my solution would solve this. I just knew that my IP - actually several IPs - were being stolen, so I put forward a broad strategy without a lot of details. Much of that is not in place yet,"

Gee, I wonder why that never grew any legs!!!!!!!!

As for your statement about charading desktop admins as firewall admins, you obviously have worked in some great places if that's happening. Please don't put us in that basket. I think that is a very long bow to draw to illustrate your point, not a very convincing or relevant one which more or less hurts your overall tone of argument.

As for your actual statement, most of us actually prefer to spend time focusing on problems that actually widely occur rather than something that may have happened to you once or twice.

I'm also questioning the reasoning for slapping this on an ISA forum? Why bother us? Why not some other hardware vendor, or have they not replied to your emails as well!?

I get the feeling from some of your posts that you are peddling something, are we supposed to be buying something about now??

If you really want to make a statement or have a discussion, can I suggest the best way of doing this in this community may not be 'does anyone else know this stuff'; others have tried and failed and have eventually gone back to whatever they do and become a distant memory.

Best of luck
G



