World Community Grid Forums
Category: Retired Forums | Forum: UD Windows Agent Support [Read Only] | Thread: Checkpoint firewall issue
Thread Status: Active | Total posts in this thread: 13
Former Member (Cruncher; Joined: May 22, 2018; Post Count: 0; Status: Offline)
I'm trying to run the Windows agent at work and it does not download the data. It times out. I talked to the firewall guy and he said by default the firewall will block this client because of some security issue and gave me this to read....

BTW: The firewall dude was familiar with this client before I talked to him. He said that some people here at work wanted to run the Grid.org client. That also does not work for this same reason.

> CAN-2003-0719
> A remote attacker could construct a specially crafted SSL negotiation packet and perform an SSL handshake against a server that uses the SSL library in such a way that could cause the library to crash. One vulnerability lies within a malformed Change Cipher Spec message, another in an excessively large Challenge.
> SmartDefense Protection: When this protection is enabled, SmartDefense will identify and drop malformed SSL Client Hello packets.

Is there any way the WCG Windows client can be changed/fixed/modified to satisfy the CAN-2003-0719 security hole?

Thanks, Brink
Former Member (Cruncher; Joined: May 22, 2018; Post Count: 0; Status: Offline)
Brink --
You are looking in the wrong place for a fix. The problem that your firewall guy is addressing is a vulnerability in Microsoft operating systems which has been fixed by patches to the various platforms. According to a US National Institute of Standards and Technology Vulnerability Database Cyber-Alert CVE-2003-0719 (adding key 2003-0719 for WCG searches) the problem is:

> Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets.

This exposure was recognized in a Security-Alert published April 13, 2004, by Microsoft along with patches for the affected operating systems. If your shop is up to date in maintenance for your systems, they should all have the appropriate fixes applied and your firewall guy no longer needs to be blocking this type of connection. I would suggest that you print both the Cyber-Alert and the Security-Alert that I have linked to (click on the highlighted terms where they appear above) and discuss it with the firewall guy to have him allow the connections if your maintenance levels are up to date.

Best regards,

[Edit 3 times, last edit by Former Member at Nov 18, 2005 1:28:06 PM]
Former Member (Cruncher; Joined: May 22, 2018; Post Count: 0; Status: Offline)
Brink --
I had a further thought on this and have asked the World Community Grid tech support folks if the BOINC agent uses the same handshaking protocol as the UD agent does. I will respond here if they answer the question in the private forum they have provided for Community Admins and do not respond here to you.

Best regards,
Former Member (Cruncher; Joined: May 22, 2018; Post Count: 0; Status: Offline)
Thank you for your help. I will try to persuade the firewall guy to open this up, but he is stubborn.

Thanks again, Brink
Former Member (Cruncher; Joined: May 22, 2018; Post Count: 0; Status: Offline)
Brink --
The following are a couple of responses from the World Community Grid technical staff.

From Viktors:

> The protocol BOINC uses is different than the one UD uses. They will have to try it to see what happens. UD does not actually use an https-like protocol even though it is using port 443, which is normally used for this. We have seen some hardware firewall products which seem to insist on this particular protocol on that port. I'm not sure if they can be configured otherwise or if the institutions in question were unwilling to change the configuration.

Another from knreed:

> BOINC uses standard SSL over HTTP (https). It specifically uses the 'libcurl' implementation. Read more about it at http://curl.haxx.se/libcurl/ I would suspect that they would be able to utilize BOINC since BOINC is using a standard protocol (unless the company blocks all https traffic). But as Viktors says, the only way to know for sure is to try it.

So, from these responses, it might be worth a try to use the BOINC agent if you can't get the firewall guy to open the connection type.

Best regards,

[Edit 1 times, last edit by Former Member at Nov 18, 2005 11:13:51 PM]
Former Member (Cruncher; Joined: May 22, 2018; Post Count: 0; Status: Offline)
Cool! I will give BOINC a try and see what happens. I will keep you posted on my findings. Again, thanks for your help. I really appreciate it.

Brink --
Former Member (Cruncher; Joined: May 22, 2018; Post Count: 0; Status: Offline)
> Cool! I will give BOINC a try and see what happens. I will keep you posted on my findings. Again, thanks for your help. I really appreciate it. Brink --

Great! I am hoping that you will be able to get it rolling using the BOINC software. My guess is that will be easier than getting a security guy to actually look at the problem. My own experience is that once they get something in their mind, it is locked there forever. Good luck, and do let us know of your results.

Best regards,
RT (Master Cruncher; USA - Texas - DFW; Joined: Dec 22, 2004; Post Count: 2636; Status: Offline)
[Edit 1 times, last edit by RT at Nov 20, 2005 3:28:16 PM]
Former Member (Cruncher; Joined: May 22, 2018; Post Count: 0; Status: Offline)
You can change he/she to he. I, Brink, am a he.

Also, I was talking to the firewall dude yesterday via e-mail and he mentioned that port 443 is only for HTTPS and the UD client does not use that with its "hello" packets, and that's the "real reason" why he's in a tizzy. Then he went on a rant about bad programming... bla bla bla. Viktors mentioned the port 443 and HTTPS thing in his earlier post here. You may want to put that on your web page. You also may want to mention that it's the Checkpoint firewall that's causing my problem. http://www.checkpoint.com/

I will try the Windows BOINC client Monday when I get into work. I'll keep y'all posted.

-Brink
Alther (Former World Community Grid Tech; United States of America; Joined: Sep 30, 2004; Post Count: 414; Status: Offline)
> Also, I was talking to the firewall dude yesterday via e-mail and he mentioned that port 443 is only for HTTPS and the UD client does not use that with its "hello" packets, and that's the "real reason" why he's in a tizzy. Then he went on a rant about bad programming... bla bla bla. Viktors mentioned the port 443 and HTTPS thing in his earlier post here. You may want to put that on your web page. You also may want to mention that it's the Checkpoint firewall that's causing my problem. http://www.checkpoint.com/

Yes, it's true that the UD software uses its own security mechanism when communicating with the server. They chose port 443 because most firewalls have that port open to everyone. Unless the firewall inspects the packets to ensure it's SSL traffic, the connection will go through.

While this information isn't explicitly stated on our website, there is information about configuring your firewall to allow UD traffic: http://www.worldcommunitygrid.org/help/viewTopic.do?shortName=netconn#69. In short, what this FAQ question says is that you can configure your firewall to allow connections via port 443 explicitly to the host 'server.worldcommunitygrid.org'. Maybe your firewall guy can put that rule in, which will prevent this non-SSL connection from connecting anywhere other than our grid server.
Rick Alther
Former World Community Grid Developer |
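Added example, not code from World Community Grid, United Devices, BOINC or Check Point, and not part of the thread above. It models the two points made by Viktors and Alther: a protocol-aware rule on port 443 looks at the first bytes a client sends and passes them only if they form a plausible SSL/TLS ClientHello (an SSLv2 CLIENT-HELLO with an oversized challenge, one of the malformations named in the SmartDefense text Brink pasted, is rejected too), and a per-host exception lets a non-SSL client reach one named server, as the WCG FAQ suggests. The SSLv2 and TLS record layouts used are the real ones; the "UD-like" hello bytes are invented for illustration, since the thread does not describe the UD wire format, and the host name is taken from Alther's post.

```python
"""
Added example (not WCG, UD, BOINC or Check Point code): a minimal
'is this really SSL/TLS?' check for a stream on port 443, plus the
per-host exception the WCG FAQ suggests. Sample inputs are constructed.
"""
import struct

TLS_HANDSHAKE = 0x16       # TLS record content type for handshake messages
TLS_CLIENT_HELLO = 0x01    # handshake message type ClientHello
SSLV2_CLIENT_HELLO = 0x01  # SSLv2 CLIENT-HELLO message type


def classify_client_hello(data: bytes) -> str:
    """Classify the first bytes a client sends as 'tls', 'sslv2' or 'not-ssl'."""
    if len(data) < 5:
        return "not-ssl"

    # SSLv2-style record: 2-byte header with the high bit set, then msg type.
    if data[0] & 0x80:
        if data[2] != SSLV2_CLIENT_HELLO or len(data) < 11:
            return "not-ssl"
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        # CLIENT-HELLO: type(1) version(2) cipher_len(2) sid_len(2) challenge_len(2)
        cipher_len, sid_len, chal_len = struct.unpack("!HHH", data[5:11])
        # SSLv2 challenges are 16..32 bytes; an oversized one is malformed.
        if not 16 <= chal_len <= 32:
            return "not-ssl"
        if 9 + cipher_len + sid_len + chal_len != rec_len:
            return "not-ssl"
        return "sslv2"

    # TLS record header: content type(1) version(2) length(2)
    content_type, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if content_type != TLS_HANDSHAKE or major != 3 or minor > 4:
        return "not-ssl"
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != TLS_CLIENT_HELLO:
        return "not-ssl"
    hs_len = int.from_bytes(body[1:4], "big")
    # The handshake length must match what the record actually carries.
    if hs_len + 4 != len(body):
        return "not-ssl"
    # A ClientHello body starts with version(2) random(32) session_id_len(1).
    if hs_len < 2 + 32 + 1:
        return "not-ssl"
    return "tls"


def port443_policy(dst_host: str, first_bytes: bytes,
                   non_ssl_allowlist: frozenset = frozenset()) -> str:
    """Model of a 'port 443 must carry SSL' rule with a per-host exception.

    SSL/TLS-looking traffic is allowed anywhere. Anything else is allowed
    only to hosts listed explicitly (the grid server, per the WCG FAQ);
    everything else is dropped.
    """
    if classify_client_hello(first_bytes) != "not-ssl":
        return "allow"
    return "allow" if dst_host in non_ssl_allowlist else "drop"


def build_tls_client_hello() -> bytes:
    """Constructed minimal TLS 1.2 ClientHello (one cipher suite, no extensions)."""
    body = (b"\x03\x03" + bytes(32)        # client_version, random
            + b"\x00"                       # session_id length 0
            + b"\x00\x02\x13\x01"           # cipher_suites: one suite
            + b"\x01\x00")                  # compression_methods: null only
    handshake = bytes([TLS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def build_sslv2_client_hello(challenge_len: int = 16) -> bytes:
    """Constructed SSLv2 CLIENT-HELLO; challenge_len > 32 yields a malformed one."""
    cipher_specs = b"\x01\x00\x80"          # one 3-byte cipher spec
    payload = (bytes([SSLV2_CLIENT_HELLO]) + b"\x00\x02"
               + struct.pack("!HHH", len(cipher_specs), 0, challenge_len)
               + cipher_specs + bytes(challenge_len))
    return bytes([0x80 | (len(payload) >> 8), len(payload) & 0xFF]) + payload


# Invented stand-in for a client speaking its own protocol on port 443.
UD_LIKE_HELLO = b"HELLO AGENT 1.0\r\n"
GRID_SERVER = "server.worldcommunitygrid.org"   # host named in the thread

if __name__ == "__main__":
    allow = frozenset({GRID_SERVER})
    for host, data in [(GRID_SERVER, UD_LIKE_HELLO),
                       ("example.net", UD_LIKE_HELLO),
                       ("example.net", build_tls_client_hello())]:
        print(host, classify_client_hello(data), port443_policy(host, data, allow))
```

Run as a script, it shows the invented non-SSL hello allowed to the grid server but dropped to any other host, while a genuine TLS ClientHello (what a libcurl-based BOINC client would send) passes everywhere. A real Check Point rule does far more than this, but the shape of the decision is the same: protocol inspection first, then a narrow host exception rather than opening 443 to non-SSL traffic generally.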