[19612] in bugtraq
Re: Cisco PIX Security Notes
daemon@ATHENA.MIT.EDU (Curt Wilson)
Mon Mar 12 14:11:35 2001
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-ID: <3.0.2.32.20010312021351.00a0d910@localhost>
Date: Mon, 12 Mar 2001 02:13:51 -0600
Reply-To: Curt Wilson <netw3@NETW3.COM>
From: Curt Wilson <netw3@NETW3.COM>
X-To: "Fabio Pietrosanti (naif)" <naif@INET.IT>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20010309193241.V3690@inet.it>
At 07:32 PM 3/9/2001 +0100, Fabio Pietrosanti (naif) wrote:
>Working with Cisco PIX Firewall I wrote some notes about possible security
>problems of Cisco PIX.
>
>Attached is the paper Cisco_PIX_Notes.txt :)
>
I also noticed the "received packet is not an IPSec packet" logging issue
when attacking the IP address of the PIX firewall itself with a variety
of tools. We don't have a VPN configured at our site, but did an upgrade
from PIX 4.6(2) (if I remember correctly) to 5.1(2) and in our case,
an ISAKMP element was automatically added to the config, I think
it's "isakmp identity hostname" but other than that, I don't see why the
FW is expecting an IPSec packet since we don't have any of the VPN functions
enabled. Our PIX is set to "logging buffered debugging" to get an exhaustive
logging trace with as much detail as possible from its syslog. Still,
the FW itself does not seem to respond fully to all packets delivered to its
external interface, showing "received packet is not an IPSec packet" only some
of the time. It seems that the PIX (at least 5.1(2)) just checks if a packet
is IPSec and, if not, sends a generic error. This obviously delivers no information
to those monitoring syslog, and if you don't have an IDS placed just right
and someone is only attacking the firewall itself, your logs don't mean
a thing since you see no packet data.
I reported this logging issue to Cisco security several months ago, but
at the time they were dealing with the mailguard problem and didn't take
any action (that I am aware of).
For more information on this please see some of my PIX attack patterns
research posted to SANS GIAC a while back:
http://www.sans.org/y2k/110300.htm
Curt Wilson
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
| Curt R. Wilson * Netw3 Consulting * www.netw3.com |
| Internet Security, Networking, PC tech, WWW hosting |
| Netw3 Security Reading Room : www.netw3.com/documents.html |
| Serving Southern Illinois locally and the world virtually |
| netw3@netw3.com 618-303-NET3 |
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
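A compensating check on the syslog side, added here as an example that is not part of the original post or of Cisco's tooling: the sample log lines are constructed, and because the IPSec message carries no packet data the only usable signal is its rate, so the script flags bursts of that message and shows that no address can be recovered from those lines.

```python
import re
from collections import deque
from datetime import datetime

IPSEC_MSG = "received packet is not an IPSec packet"

# Constructed sample syslog lines (not taken from the post): ordinary entries
# that carry addresses, plus a burst of the IPSec message, which carries none.
SAMPLE_LOG = """\
Mar 12 02:13:00 pix: Deny TCP (no connection) from 192.0.2.9/40001 to 203.0.113.1/23
Mar 12 02:13:01 pix: received packet is not an IPSec packet
Mar 12 02:13:01 pix: received packet is not an IPSec packet
Mar 12 02:13:02 pix: Deny TCP (no connection) from 192.0.2.9/40002 to 203.0.113.1/80
Mar 12 02:13:02 pix: received packet is not an IPSec packet
Mar 12 02:13:03 pix: received packet is not an IPSec packet
Mar 12 02:13:04 pix: received packet is not an IPSec packet
Mar 12 02:15:30 pix: received packet is not an IPSec packet
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+: (?P<msg>.*)$")
ADDR_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse(line, year=2001):
    """Split a syslog line into (timestamp, message); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["msg"]


def ipsec_bursts(text, window_s=10, threshold=4):
    """Return (alerts, addresses). alerts holds (window start, count) for each
    burst of IPSEC_MSG reaching threshold within window_s seconds; addresses
    lists IPs found in those lines and stays empty, since the message has none."""
    recent = deque()
    alerts, addresses = [], set()
    for line in text.splitlines():
        parsed = parse(line)
        if not parsed or IPSEC_MSG not in parsed[1]:
            continue
        ts, msg = parsed
        addresses.update(ADDR_RE.findall(msg))
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > window_s:
            recent.popleft()  # age out events outside the sliding window
        if len(recent) == threshold:  # alert when the window first fills up
            alerts.append((recent[0], len(recent)))
    return alerts, sorted(addresses)


if __name__ == "__main__":
    print(ipsec_bursts(SAMPLE_LOG))
```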