Internet Security and Acceleration Server 2000 with Service Pack 1 Audit. An analysis by Foundstone, Inc.

Transcription

1 Internet Security and Acceleration Server 2000 with Service Pack 1 Audit An analysis by Foundstone, Inc.

2 Internet Security and Acceleration Server 2000 with Service Pack 1 Audit This paper presents an overview of a security assessment conducted by Foundstone, Inc. of Microsoft Internet Security and Acceleration (ISA) Server 2000 after the addition of Service Pack 1 (SP1). This is the second security assessment of ISA Server 2000 performed by the experts at Foundstone. The initial audit was completed in February 2001, prior to the public release of the first version of ISA Server Foundstone conducted the current audit in the months preceding the public release of SP1 on 15-Feb-02. Foundstone s comprehensive product testing methodologies employed an array of security penetration techniques, commercial-grade stress testing and monitoring, and Foundstone s custom toolkit based on its FoundScan technology. Foundstone s analysis showed that SP1 improves the already solid security of ISA Server Foundstone is confident that ISA Server 2000 properly configured is an effective firewall in enterprise environments. Microsoft continues to subject ISA Server 2000 to regular audits by Foundstone, demonstrating the company s ongoing commitment to improving product security.

3 TABLE OF CONTENTS Introduction 1 Scope and Objectives 2 Background 4 Solution 5 Conclusion 6 Resources 7

4 Introduction Foundstone has conducted independent security evaluations for ISA Server 2000 since the product s initial release in late Foundstone s most recent audit, performed in late 2001, evaluated the ISA Server 2000 Service Pack 1 (SP1) update to the original product. Spanning more than 250 man-hours, the SP1 review involved a dedicated security team from Foundstone, including Joel Scambray, the author of Hacking Exposed Windows During the audit, Foundstone had full access to the ISA Server 2000 product and development teams. The Foundstone and ISA Server 2000 teams met weekly to discuss the assessment s progress. The audit employed Foundstone s product testing methodologies, which include the most up-to-date security tools and penetration techniques. Foundstone designed its ISA Server 2000 testing to circumvent selected network access control features and gauge SP1 s resistance to a denial-of-service (DoS) attack that would render a typical deployment inoperable. This whitepaper focuses on Foundstone s assessment of the enhanced security offered by SP1. It is based on test results and the ongoing communication between Foundstone and the ISA Server 2000 development team Foundstone, Inc. All Rights Reserved 1

5 Scope and Objectives Foundstone s testing concentrated on the following features of ISA Server 2000 with SP1: Firewall Packet Filtering Application Filters SMTP HTTP Redirector POP Intrusion Detection DNS Intrusion Detection Web Publishing Intrusion Detection IP Spoofing Port Scanning Web Proxy Web Caching Management Policy Control Logging Reporting Alerts Foundstone also retested findings from its previous audit of SP1 and analyzed published SP1 vulnerabilities. Foundstone installed and configured ISA Server 2000 to simulate a real world Internet-connected environment. The product ran on a PC with dual 733Mhz Intel Pentium III CPUs, 512MB of RAM, Windows 2000 in integrated mode, including the H.323 gateway and the Message Screener. The cache size was 5GB. Intrusion detection, logging of allow packets, and IP routing were also enabled. Foundstone configured Internet Information Services (IIS) to use port 81 and IISAdmin to not use port This prevented conflicts with standard ISA Server 2000 proxy ports of 80 and SP1 installation completed the setup. Foundstone then applied its standard test methodologies, focusing on vulnerabilities and exploits present in real world environments. The first test was full network discovery and vulnerability scans of all available interfaces. Foundstone identified and analyzed all listening TCP and UDP services for vulnerabilities Foundstone, Inc. All Rights Reserved 2

6 For portions of this testing, Foundstone utilized FoundScan, a vulnerability assessment and remediation tool developed by Foundstone. FoundScan remotely examines networks, databases, servers, off-the-shelf applications, and even custom web applications for vulnerabilities. Foundstone also performed a battery of firewall allowed traffic checks. These tests employ dozens of known techniques for bypassing IP packet filters, exploits which specifically target firewall products such as ISA Server Network protocol analysis helped identify potential security issues arising from session captures, replay attacks, and credential harvesting via product communications. After cataloging all product input facilities, Foundstone tested for buffer overflows using a looping, incremented test harness based on its NTOMax stress-testing tool. Foundstone also performed additional input validation testing using manual techniques. Finally, Foundstone attempted to subvert product functionality through software fault injection and various unauthorized or inappropriate activities. Although remote network penetration was its primary focus, Foundstone also attempted local exploitation and privilege escalation where appropriate Foundstone, Inc. All Rights Reserved 3

7 Background: Testbed Instrumentation Foundstone uses internally developed custom hacking tools, including commercial-grade network eavesdropping devices, a diverse range of network and system-level software probes, and libraries of known exploit code covering popular applications and operating systems. During ISA Server 2000 testing, Foundstone logged all appropriate trans-firewall communications on both internal, perimeter, and external networks. To provide external confirmation and verification of its observations, Foundstone analyzed packet-level decodes both automatically and manually. Foundstone also continually monitored product performance to note any abnormal behavior Foundstone, Inc. All Rights Reserved 4

8 Solution: Findings & Recommendations At the conclusion of testing, Foundstone provided a detailed report to Microsoft that included specific results, recommendations, and supporting test data. Findings highlighted ISA Server 2000 s many robust security features and recommended areas for improvement. The ISA Server 2000 development team promptly took action to improve the product and resolve concerns discovered during testing. Recommendations included: Tightening of default internal interface security Minor improvements to logging Web proxy HTTP caching Web publishing features Foundstone also noted that ISA Server 2000 s packet filters are adequately sealed against common packet manipulation attacks Foundstone, Inc. All Rights Reserved 5

9 Conclusion In February 20, 2002, ISA Server 2000 celebrated its one year anniversary and the release of SP1. Based on Foundstone s assessment of SP1, the ISA Server 2000 team made several improvements to the product s security features. Additionally, Microsoft demonstrates its ongoing commitment to ISA Server 2000 security by submitting the product to periodic security audits of new Service Packs and updated versions. Foundstone is confident that ISA Server 2000 with SP1 competes well with other established products in its market. Security is a critical concern in the high-tech world. With its focus on security products such as ISA Server 2000 and its willingness to submit its products to outside technical review, Microsoft has demonstrated a strong commitment to improving enterprise-level security. Since ISA Server 2000 s initial release, Microsoft has made independent technical review of the product a top priority. Foundstone looks forward to performing additional assessments. Foundstone also notes that Microsoft has integrated independent security reviews with customer feedback to further enhance its products. SP1 adds significant improvements to the initial release of ISA Server 2000, for instance. Enhanced security features include: Improved stability Fixes for common issues reported through Microsoft Product Support Services (PSS) Fixes that allow operation within the Windows.NET Server Family Improvements in SSL publishing of Outlook Web Access (OWA) Server publishing improvements Rollup of previous patches Foundstone remains confident that Microsoft will deliver on its commitment to ISA Server 2000 security, as well as making security a top priority across its product line Foundstone, Inc. All Rights Reserved 6

10 Resources Foundstone ISA Server 2000 Home ISA Server 2000 Technical Overview ISA Server 2000 Service Pack 1 ISA Server Resource Site Foundstone, Inc. All Rights Reserved 7