ProxySG & Advanced Secure Gateway

  • 1.  Newly deployed Broadcom proxy devices still turn on with deprecated NT LAN Manager Version protocol.

    Posted 21 days ago

    Hi Team,

    Newly deployed Broadcom proxy devices still turn on with deprecated NT LAN Manager Version protocol.

    This protocol is generally considered insecure because it uses deprecated cryptographic algorithms (i.e. DES, MD4) that are vulnerable to several modes of attack, including pass-the-hash and brute-force attacks.

    Please refer to the attached image and let me know: "Allow NTLM credentials" is checked but greyed out. Is it in use or not? How do I disable it if it is in use?



  • 2.  RE: Newly deployed Broadcom proxy devices still turn on with deprecated NT LAN Manager Version protocol.

    Posted 19 days ago

    Hi,
    Disable Kerberos, then NTLM is no longer grey and you can disable NTLM.

    Now to the "why": afaik, Kerberos works only when the client has the proxy name configured. When you enter the service IP of the proxy (instead of the FQDN of the proxy service IP), Kerberos doesn't work.
    As a fallback the proxy would ask the client to authenticate with NTLM, and yes, this is not good anymore, but still better than Basic, because with Basic authentication you can see the user and his password in cleartext (e.g. in a packet capture).

    So, from my point of view, you should ask: why is Basic authentication active per default?
    An authentication with deprecated encryption is still better than no encryption.

    I assume that in most companies the intranet is declared as safe, so NTLM could be used. But you are right, it should not be used anymore.

    So: check the browser config and disable NTLM and Basic.
    You will not have an authentication fallback, but your environment would be secure.




  • 3.  RE: Newly deployed Broadcom proxy devices still turn on with deprecated NT LAN Manager Version protocol.

    Posted 19 days ago

    Hi Klaus,

    Thank you for the response.

    As mentioned by you, I have checked in the lab as below:
    1. Disabled Kerberos, and then it allowed me to disable NTLM.

    2. When I enable Kerberos back, it again automatically enables NTLM and it gets greyed out, as per the snapshot shared in the first post.

    Please let me know how to disable only NTLM via GUI/CLI,
    or whether any specific firmware version has this remediation?




  • 4.  RE: Newly deployed Broadcom proxy devices still turn on with deprecated NT LAN Manager Version protocol.

    Broadcom Employee
    Posted 12 days ago

    Hello,

    There is no option to disable NTLM only, nor any plan for it in the future. This is a Microsoft-driven demand where NTLM is a fallback of Kerberos. If you have a requirement to eliminate NTLM on your network to prevent rainbow table attacks against NTLM hashes, you must eliminate NTLM in your domain controllers and on your clients via GPO, and ensure the clients your users are using use Kerberos only. If the clients cannot use Kerberos and can only use NTLMv2, make sure to keep NTLMv2 enabled on domain controllers.

    The client-to-proxy leg of the connection in the authN process is controlled by the client. What I mean by that is that the client chooses which of the 4 protocols it will use (Kerberos, NTLMv2, NTLMv1 or BASIC) in the Proxy-Authorization header directive. The proxy-to-BCAAA/domain controller leg uses Schannel and targets the Netlogon service.

    I worked with a number of customers who, like yourself, thought to target the proxy to prevent NTLM. Sadly you need to work with the application owners and the AD team, and they need to use GPO and review all their code. A "standard" internet user using browsers will be using Kerberos all the time if you have configured it correctly. It is the in-house coded solutions/APIs in Java, Scala, Python, etc. that will be calling some libs that are using BASIC or NTLM directives in proxy authN. Or it will be things like GitHub, AWS CLI, and other 3rd-party API clients that need to be configured to not use BASIC (devs' favourite due to its simplicity) or NTLM.

    -Jan
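Since the thread's conclusion is that the client, not the proxy, decides which scheme ends up in the Proxy-Authorization header, the practical follow-up is to audit what clients are actually sending. The script below is an added example, not code from this thread, from Broadcom, or from ProxySG: it classifies each request by the mechanism really used (Basic, raw NTLM, NTLM smuggled inside a Negotiate/SPNEGO token, or Kerberos) and lists the clients and users that fall back to the weak schemes, which is the list you would hand to the application owners and AD team. The log field layout (`client=… user=… proxy_auth="scheme token"`) and all tokens are constructed for the example; a real ProxySG access-log format depends on your configured log fields. The one fact the classifier relies on is that every NTLM message starts with the `NTLMSSP\0` signature, so a Negotiate header whose token decodes to that signature is NTLM, not Kerberos.

```python
"""Audit which proxy authentication mechanism clients are really using."""
import base64
import binascii
import re
from collections import Counter

# Assumed log layout (constructed for this example, not a ProxySG default):
# ... client=<ip> user=<name> proxy_auth="<scheme> <token>"   or   proxy_auth=-
LOG_LINE_RE = re.compile(
    r'client=(?P<client>\S+)\s+user=(?P<user>\S+)\s+'
    r'proxy_auth=(?:"(?P<scheme>\S+)\s+(?P<token>\S*)"|-)'
)

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

# Constructed tokens. Every NTLM message begins with the "NTLMSSP\0" signature
# and a message type (1 = Negotiate); the Kerberos token is only a placeholder
# GSS-API/SPNEGO header (tag 0x60, SPNEGO OID 1.3.6.1.5.5.2), enough to show
# that it is NOT NTLM.
NTLM_TYPE1 = b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2" + b"\x00" * 16
SPNEGO_KRB = b"\x60\x10\x06\x06\x2b\x06\x01\x05\x05\x02" + b"\x00" * 8

# Constructed sample log: one Kerberos user, one NTLM-inside-Negotiate fallback,
# one raw NTLM client, one Basic client, one unauthenticated request.
SAMPLE_LOG = "\n".join([
    f'2024-01-01T10:00:01 client=10.0.0.5 user=alice proxy_auth="Negotiate {_b64(SPNEGO_KRB)}"',
    f'2024-01-01T10:00:02 client=10.0.0.7 user=bob proxy_auth="Negotiate {_b64(NTLM_TYPE1)}"',
    f'2024-01-01T10:00:03 client=10.0.0.9 user=build-svc proxy_auth="NTLM {_b64(NTLM_TYPE1)}"',
    f'2024-01-01T10:00:04 client=10.0.0.11 user=ci-runner proxy_auth="Basic {_b64(b"ci-runner:s3cr3t")}"',
    '2024-01-01T10:00:05 client=10.0.0.5 user=alice proxy_auth=-',
])

WEAK = {"basic", "ntlm"}

def classify(scheme: str, token: str) -> str:
    """Map a Proxy-Authorization scheme/token pair to the mechanism actually used."""
    s = scheme.lower()
    if s == "basic":
        return "basic"
    if s == "ntlm":
        return "ntlm"
    if s == "negotiate":
        if not token:
            return "unparseable"
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            return "unparseable"
        # SPNEGO carries NTLM as its fallback mechanism, so the scheme name
        # alone proves nothing; the raw NTLMSSP signature is the giveaway.
        return "ntlm" if raw.startswith(b"NTLMSSP\x00") else "kerberos"
    return "other"

def basic_username(token: str) -> str:
    """Return only the user part of a Basic token (the password sits right after the colon, in the clear)."""
    raw = base64.b64decode(token, validate=True)
    return raw.split(b":", 1)[0].decode("utf-8", "replace")

def audit(log_text: str) -> dict:
    """Count mechanisms and collect the client/user pairs still using Basic or NTLM."""
    counts = Counter()
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.search(line)
        if not m:
            continue  # line does not carry the expected fields
        if m.group("scheme") is None:
            counts["none"] += 1  # request without a Proxy-Authorization header
            continue
        mech = classify(m.group("scheme"), m.group("token"))
        counts[mech] += 1
        if mech in WEAK:
            findings.append({"client": m.group("client"),
                             "user": m.group("user"),
                             "mechanism": mech})
    return {"counts": dict(counts), "findings": findings}

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print("mechanisms seen:", report["counts"])
    for f in report["findings"]:
        print(f"{f['mechanism']:6} {f['client']:12} {f['user']}")
```

Run against a real export, the findings list is the inventory Jan describes: every entry is a client or script that still chooses Basic or NTLM and has to be fixed on the client side (GPO, library configuration) rather than on the proxy. Note that `bob` shows up as NTLM even though his header said `Negotiate`; counting only the scheme name would have hidden that fallback.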