Monday, May 14, 2007

Top 5 reasons why I would like to implement ISA Server 2006 as my outgoing proxy/firewall

1. ISA Server is the ONLY FIREWALL THAT I KNOW of today that supports authentication for almost all Winsock-compliant protocols if you use the Windows operating system.

2. ISA Server keeps frequently used cache content in memory

3. ISA Server contains, out of the box, a bunch of application layer filters (HTTP, FTP, SMTP, RDP...). Furthermore, if you're kiasu for more, write the filters yourself.

4. ISA Server supports Cache Array Routing Protocol (CARP), Background Intelligent Transfer Service (BITS) and HTTP compression

5. ISA Server works great with Active Directory, RADIUS, LDAP (running on AD), RSA etc.

Sunday, May 13, 2007

Multiple Vulnerabilities with Cisco's PIX and ASA

There's a possible authentication bypass when LDAP is used for CHAP/MS-CHAP authentication on Cisco's VPN. An attacker can access your internal network without providing any authentication at all.

This is quite serious for those running LDAP authentication on PIX and ASA devices.

As far as I can remember, when comparing ISA Server and Cisco's firewalls, ISA Server has had no serious attack of this kind against it so far. Go ISA Server!

Refs: http://www.sans.org/newsletters/risk/display.php?v=6&i=19&rss=Y#widely3
http://www.cisco.com/warp/public/707/cisco-sa-20070502-asa.shtml

Saturday, May 12, 2007

ISA server's incoming vs outgoing IP (and SMTP Reverse Lookup)

OK, let's start by making it clear who the initiator (SRC) and receiver (DST) are. The SRC is the person/computer who wants to talk to you and makes the first attempt to do so. The receiver (DST) is the one who will either respond to the attempt made by the SRC or just ignore it.

Now, in ISA, please remember that outgoing IPs are ALWAYS the first external IP address on the external NIC (if you NAT from the internal source to the external side). This holds only in a scenario where ISA is the final hop before the internet.

ISA manages outgoing requests through PAT (port address translation), but when it comes to incoming requests such as a published web server, ISA can be reached on any of the external IPs you specify in the publishing wizard.

So in short: if the SRC is internal and the DST is external, ISA will use its first external IP address; if the SRC is external and the DST is internal, and you have a corresponding rule/listener, ISA will accept incoming connections on the IP you specified in the wizard.

This is especially important if you are setting up reverse DNS, especially for SMTP MX servers. Always remember to register your ISA's first external IP along with your actual published SMTP IP in your reverse DNS (PTR) records. Otherwise, your org's email can be identified as a potential SPAMMER by the reverse lookup checks done by receiving SMTP engines.
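One way to audit the point above before a receiving mail server does it for you (an added example, not code from the original post): a forward-confirmed reverse DNS check run over both the ISA box's first external IP and the published SMTP listener IP. The DNS data is a constructed in-memory stand-in so it runs offline; the addresses and host names are placeholders.

```python
import ipaddress

# Constructed stand-in for DNS so the check runs offline.  The addresses
# and names are placeholders, not the original post's.
PTR_RECORDS = {
    "203.0.113.10": ["mail.example.test"],  # published SMTP listener IP
    # 203.0.113.9, ISA's first external IP, has no PTR record yet.
}
A_RECORDS = {
    "mail.example.test": ["203.0.113.10"],
}

def lookup_ptr(ip, ptr=PTR_RECORDS):
    """Names returned by a reverse (PTR) lookup of ip; [] if none."""
    return ptr.get(ip, [])

def lookup_a(name, a=A_RECORDS):
    """Addresses returned by a forward (A) lookup of name; [] if none."""
    return a.get(name, [])

def fcrdns_ok(ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """Forward-confirmed reverse DNS: ip has a PTR whose name resolves back to ip."""
    ipaddress.ip_address(ip)  # rejects malformed input early
    return any(ip in lookup_a(name, a) for name in lookup_ptr(ip, ptr))

def audit_isa_smtp(first_external_ip, published_smtp_ips,
                   ptr=PTR_RECORDS, a=A_RECORDS):
    """Check every address a receiving MTA may see from this ISA box.

    Outbound mail leaves from first_external_ip (ISA's NAT/PAT source),
    inbound mail arrives at the published listener IPs; all need FCrDNS.
    """
    return {ip: fcrdns_ok(ip, ptr, a)
            for ip in [first_external_ip, *published_smtp_ips]}

def missing_ptr(first_external_ip, published_smtp_ips,
                ptr=PTR_RECORDS, a=A_RECORDS):
    """Addresses that would fail a receiver's reverse-lookup check."""
    audit = audit_isa_smtp(first_external_ip, published_smtp_ips, ptr, a)
    return sorted(ip for ip, ok in audit.items() if not ok)

if __name__ == "__main__":
    for ip, ok in audit_isa_smtp("203.0.113.9", ["203.0.113.10"]).items():
        print(f"{ip}: {'OK' if ok else 'missing or mismatched PTR'}")
```

Swap the two lookup functions for real resolver calls to run it against your own zone; the audit logic stays the same.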

URGENT! - Serious security flaws with all Microsoft Exchange versions

In a recent ISA Server 2006 Level 400 class, we discussed a vulnerability in Exchange Server that could lead to remote code execution. The particular remote attack is listed as CVE-2007-0213 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0213) and rated high in severity. If you have customers running Exchange, or run any version of Exchange yourself, check out the article from Microsoft.

This vulnerability and other, less critical ones are described in Microsoft Security Bulletin MS07-026 (http://www.microsoft.com/technet/security/bulletin/ms07-026.mspx). Apply the fixes stated in the bulletin immediately, as highest priority.

REMEMBER, PLEASE TAKE THIS MATTER SERIOUSLY: REMOTE CODE EXECUTION = TOTAL CONTROL OF YOUR EXCHANGE BOX. If you run a domain controller on top of that box, the risks are even higher.

Thursday, May 3, 2007

Vulnerabilities on Quicktime and Asterisk

I was doing some reading on my frequently visited security page, SANS, and found these two vulnerabilities that deserve a mention.

I use both of these pieces of software often: QuickTime (for my iTunes) and Asterisk (for my mobile VoIP support).

QuickTime - A vulnerability that allows exploitation of Windows and Mac machines that have Java and Apple QuickTime installed. The exploit allows code execution and has been categorized as a HIGH alert by the SANS Institute. Apple has not released a fix but recommends a workaround; yeah, you guessed it, disable Java in your browser.

Asterisk - There are multiple exploits against Asterisk boxes with the T.38 fax function installed on the Asterisk open-source PBX. The exploit allows code execution and has been categorized as a HIGH alert by the SANS Institute. Successfully exploiting this vulnerability triggers a buffer overflow in the fax module and can allow an attacker to execute code in the same process that Asterisk runs as. Asterisk has confirmed this bug and has provided a fix.

Fring Me (Asterisk and Nokia Symbian special mention)

Here's a piece of software I must blog about; it's called Fring. I just got a Nokia N80 recently and, of course, I wanted to stuff the phone like we did the turkey at Christmas, but with software. The company I work for also specializes in VoIP technology and it was quite difficult to get the N80 to "talk" to Asterisk at first, but I eventually got it working.

Nonetheless, I found this very exciting new piece of software (still in beta) called Fring. It combines VoIP over SIP with other P2P/IM services like GoogleTalk, MSN and Skype. All in one tiny piece of excellent code.

Currently, it only supports Nokia (Symbian). The best part of it all: it's really easy to set up and use. It has all the basics, from simple text messaging to voice calls, right from your mobile. I did a test with Marco the night I installed it and connected it to my WiFi, and the sound quality is pretty decent (I called Marco using MSN). I then tested registering Fring to my SIP (UDP) Asterisk rental business box and it worked like a charm the first time :).

OK, here are the top ten things I like about Fring:
  1. Supports Asterisk (or any IP PBX that supports SIP over UDP)
  2. Supports WiFi
  3. Works great (stable) on my Nokia N80
  4. Works just superbly with MSN, Skype and GoogleTalk
  5. Simple, straightforward registration (they're nice enough to send you an SMS on how to install it straight onto your phone)
  6. Combines all your contacts from the supported services/providers above into one single list
  7. You CAN connect to normal landlines and/or mobile phones
  8. Their ICON
  9. It's FREE
  10. Best of all, the voice quality is very decent (and the IM texts are crisp clear :P), with no lags or echoes on most occasions
Download and install now: http://www.fring.com | http://www.fring.com/download/