[isapros] Re: ISA Penetration Test - SSL Weak Cipher False Positive

  • From: "Jason Jones" <Jason.Jones@xxxxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 22 Mar 2007 23:50:41 -0000

You should meet some of my customers here in the UK!!! :-P 

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: 22 March 2007 20:48
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Penetration Test - SSL Weak Cipher False
Positive

I do - my day wouldn't be complete without them...
:-p

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jason Jones
Sent: Thursday, March 22, 2007 8:33 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Penetration Test - SSL Weak Cipher False
Positive

I know how you like my specious arguments ;-)

Valid points and just my usual "what if" thinking aloud comments - I had
just assumed ISA didn't defer SSL to the OS and used some ISA specific
crypto by now, but just my ignorance I guess. 


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: 22 March 2007 14:40
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Penetration Test - SSL Weak Cipher False
Positive

Yep -  ISA (rightly) defers to Windows for all encryption.  Schannel is
the heart of Windows cryptographic mechanisms - There are folks with
multiple advanced mathematics degrees that wouldn't tackle this task.
It's very much a place where you most definitely don't want unqualified
people mucking about.

No offense, but "What happens if .." is a specious argument - on that
basis, any underlying OS mechanism creates a potential vulnerability for
ISA and should be redesigned by the firewall developers.  

The ISA kernel mode driver is a stateful TCP/IP packet filter; period.
Layers 3 & 4.  IP addresses & transports/ports.  Schannel is an
application API often referred to loosely as CAPI. Layers 5 & up.
You're confusing "ISA protects the underlying OS from network-based
attacks" with "ISA can filter traffic based on any part of any network
communication".  The second part just ain't true of any firewall.


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jason Jones
Sent: Thursday, March 22, 2007 1:35 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Penetration Test - SSL Weak Cipher False
Positive

Thanks Jim - so the ISA SSL listener is handed off to the OS and
Schannel.dll then? 

Surprised ISA doesn't have its own. What happens if there is a
vulnerability in this dll then as I thought the OS was protected by the
ISA kernel mode driver?

Cheers for the feedback...

For those interested, the cipher restriction article is
http://support.microsoft.com/?kbid=245030 

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: 22 March 2007 01:28
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Penetration Test - SSL Weak Cipher False
Positive

ISA doesn't control this; Windows does.
The registry changes to limit SSL ciphers are the right answer.
The only choice you get with ISA is to require 128-bit SSL or not; the
only thing this affects about the choice of cipher suite is
(whodathunkit) the minimum cipher length.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jason Jones
Sent: Wednesday, March 21, 2007 5:30 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] ISA Penetration Test - SSL Weak Cipher False Positive

Hi All, 

After seeing a few ISA security or penetration tests a few times
recently, a common theme relating to weak SSL ciphers is appearing. The
first time this was reported by a customer, I contacted PSS who
explained that the issue was due to the fact that the operating system
would negotiate SSL at a low cipher strength irrespective of ISA and
that ISA would drop all weak cipher traffic if the "use 128 bit
encryption" option was enabled on the web listener. E.g. you *can*
negotiate a low cipher, but ISA will drop traffic that does not meet 128
bit. The 'SSL digger' tool is an example of how to generate the false
positive.

PSS provide a KB of how to configure the OS to only allow specific
ciphers, but this is pretty full on and includes some hardcore registry
changes. Not all customers have been keen to make these changes to pass
the tests.

Does anyone know if MS plans to create a KB to explain this false
positive when using ISA? If not, can someone suggest it is created to
provide customers with an explanation.

I am managing to convince most customers, but a few have asked for a
written response from Microsoft to confirm the issue is indeed a false
positive and not a legitimate issue.

Any help appreciated... 

JJ 



All mail to and from this domain is GFI-scanned.
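
Added example (not part of the original thread, and not Microsoft's own script): a read-only PowerShell audit of the Schannel cipher registry settings the thread refers to, reporting which sub-128-bit ciphers are not explicitly disabled on the ISA host. The registry path and cipher subkey names are the ones Windows documents for Schannel; the function name and the choice of which ciphers count as weak are assumptions made for this example.

```powershell
# Added example: read-only audit of the Schannel cipher policy in the registry.
# Nothing is written; run on the ISA host with rights to read HKLM.
$SchannelCiphers = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

# Ciphers below 128 bits. This list is a choice made for the example.
$WeakCiphers = 'NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128',
               'RC4 40/128', 'RC4 56/128', 'RC4 64/128'

function Get-SchannelCipherState {
    param([string[]]$Cipher = $WeakCiphers)

    # The subkey names contain '/', which the PowerShell registry provider
    # treats as a path separator, so the .NET registry API is used instead.
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SchannelCiphers)
    foreach ($name in $Cipher) {
        $key = $null
        $enabled = $null
        if ($root) { $key = $root.OpenSubKey($name) }
        if ($key) {
            $enabled = $key.GetValue('Enabled', $null)
            $key.Close()
        }

        # Enabled = 0 disables the cipher; a missing key or value means the
        # operating system default applies.
        if ($null -eq $enabled) { $state = 'NotConfigured' }
        elseif ($enabled -eq 0) { $state = 'Disabled' }
        else { $state = 'Enabled' }

        [pscustomobject]@{ Cipher = $name; Enabled = $enabled; State = $state }
    }
    if ($root) { $root.Close() }
}

$report = @(Get-SchannelCipherState)
$report | Format-Table -AutoSize

# Anything not explicitly disabled can still be offered during the handshake,
# which is what a cipher scanner reports.
$open = @($report | Where-Object { $_.State -ne 'Disabled' })
if ($open.Count -gt 0) {
    Write-Warning ("{0} weak cipher(s) not explicitly disabled: {1}" -f `
        $open.Count, (($open | ForEach-Object { $_.Cipher }) -join ', '))
}
```

Schannel reads these settings at startup, so a changed value only shows up in a rescan after the server has been restarted.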