[19658] in bugtraq
Re: Cisco PIX Security Notes
daemon@ATHENA.MIT.EDU (Laurent LEVIER)
Thu Mar 15 11:55:51 2001
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-ID: <5.0.0.25.2.20010314194124.00ac7400@194.98.103.230>
Date: Wed, 14 Mar 2001 19:42:54 +0100
Reply-To: Laurent LEVIER <llevier@ARGOSNET.COM>
From: Laurent LEVIER <llevier@ARGOSNET.COM>
X-To: Lisa Napier <lnapier@CISCO.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <4.3.2.7.2.20010312162455.04db9e70@171.70.24.186>
Lisa,
I also have many Pixes under my control. This "Firewall" does not log when it is scanned on its outside interface.
It considers that someone is attempting to access an already PATed session if the targeted port is already busy, and says nothing
if the port is not busy.
This is true from version 4 to the latest. So using PIX prevents detecting attacks on the device.
At 20:04 12/03/2001 -0800, Lisa Napier wrote:
>Hi Fabio,
>
>Thank you for your detailed analysis, although we certainly would
>appreciate the opportunity to review this prior to public posting. We
>prefer to minimize misinformation, as it can cause people to make decisions
>based on inaccurate information, which is never a good thing.
>
>We're currently in the process of reviewing your information and verifying
>these issues, but have a few initial comments.
>
>For the item listed as:
>-- Cisco PIX Firewall Logging Feature when firewall is probed.
>
>The PIX enforces that telnet to the outside interface must be IPsec
>protected. The messages indicate that the packets are not IPsec protected
>and are therefore rejected. This is documented in PIX configuration
>guide. PIX generates *at most one* such syslog message per second.
>
>Additionally, for the item listed as:
> -- Cisco PIX Firewall syn flood * EASY DOS WITH PIX
>
>This is a configuration mistake. To activate TCP Intercept in the PIX, use
>a non-zero embryonic limit. The embryonic limit is not enabled in this
>configuration. Additionally, the PIX TCP Intercept feature in the PIX is
>ported from the IOS Firewall version. There should not be differences
>between the functionality of the two implementations.
>
>We are still in the process of analyzing your other statements.
>
>Thanks much,
>
>Lisa Napier
>Product Security Incident Response Team
>Cisco Systems
>
>At 07:32 PM 03/09/2001 +0100, Fabio Pietrosanti (naif) wrote:
>>Working with the Cisco PIX Firewall I wrote some notes about possible security
>>problems of the Cisco PIX.
>>
>>Attached is the paper Cisco_PIX_Notes.txt :)
>>
>>
>>--
>>Pietrosanti Fabio I.NET SpA, High Quality Access to the Internet
>>e-mail: naif@inet.it ( Direzione Tecnica, Security Staff )
>> firewall@inet.it
>>PGP Key (DSS) http://naif.itapac.net/naif.asc
>>
>>Home Page URL: http://www.inet.it
>>Sede: Via Darwin, 85 20019 Settimo Milanese (MI)
>>Tel: 02-328631 Fax: 02-328637701
>>--
>>Free advertising: www.openbsd.org - Multiplatform Ultra-secure OS
Laurent LEVIER
IT Systems & Networks, Unix System Engineer
Security Specialist
Argosnet Security Server : http://www.Argosnet.com
"Le Veilleur Technologique", "The Technology Watcher"
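Lisa Napier's point above, that TCP Intercept on the PIX only engages when a static or nat rule carries a non-zero embryonic limit, is the kind of thing that is easy to miss in a long config. The following is an added example, not code from this thread, from Cisco, or from the attached paper: a small Python linter that walks a constructed PIX-style configuration, flags every static/nat translation whose embryonic limit is 0 (or omitted, which the PIX treats the same way), and emits the same rule with a non-zero limit. The command syntax it parses is assumed from the PIX 5.2/6.x documentation as I recall it (`static (pre,post) [tcp|udp] mapped [mport] real [rport] [netmask m] [max_conns [emb_limit]]` and `nat (if) id local [netmask [max_conns [emb_limit]]]`); the sample config and the limit of 100 are illustrative values chosen for the example, not settings from the page.

```python
"""Lint PIX-style 'static' and 'nat' rules for a zero embryonic limit.

Added example, not code from the original thread. Assumed command syntax
(PIX 5.2/6.x, from memory of the configuration guide):
  static (pre,post) [tcp|udp] mapped [mport] real [rport] [netmask m] [max_conns [emb_limit]]
  nat (if) id local [netmask [max_conns [emb_limit]]]
emb_limit 0 (also the value when the field is omitted) means "unlimited"
half-open connections, i.e. TCP Intercept is NOT active for that translation.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class XlateRule(NamedTuple):
    kind: str       # "static" or "nat"
    base: str       # rule text up to, but not including, max_conns/emb_limit
    max_conns: int  # 0 = unlimited
    emb_limit: int  # 0 = unlimited (TCP Intercept off)


_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed sample configuration (not from the page). The weak lines sit
# beside a hardened one so the linter has both kinds of input.
SAMPLE_CONFIG = """\
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.0.2.10 10.0.0.10 netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.11 10.0.0.11 netmask 255.255.255.255 0 100
static (inside,outside) 192.0.2.12 10.0.0.12 netmask 255.255.255.255
static (inside,outside) tcp 192.0.2.13 80 10.0.0.13 8080 netmask 255.255.255.255 500 25
access-list outside_in permit tcp any host 192.0.2.10 eq 80
"""


def parse_rule(line: str) -> Optional[XlateRule]:
    """Parse one static/nat line; return None for any other command."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("static", "nat"):
        return None
    if tok[0] == "static":
        i = 2
        if tok[i] in ("tcp", "udp"):   # port static: proto mapped mport real rport
            i += 5
        else:                          # address static: mapped real
            i += 2
        if i < len(tok) and tok[i] == "netmask":
            i += 2
    else:
        i = 4                          # nat (if) id local
        if i < len(tok) and _IPV4.match(tok[i]):
            i += 1                     # positional netmask
    counts: List[int] = []
    for t in tok[i:i + 2]:             # at most max_conns then emb_limit
        if not t.isdigit():
            break
        counts.append(int(t))
    max_conns = counts[0] if len(counts) > 0 else 0
    emb_limit = counts[1] if len(counts) > 1 else 0
    return XlateRule(tok[0], " ".join(tok[:i]), max_conns, emb_limit)


def find_intercept_disabled(config: str) -> List[XlateRule]:
    """Every static/nat rule whose embryonic limit is 0, i.e. no TCP Intercept."""
    found = []
    for line in config.splitlines():
        rule = parse_rule(line.strip())
        if rule is not None and rule.emb_limit == 0:
            found.append(rule)
    return found


def hardened(rule: XlateRule, emb_limit: int = 100) -> str:
    """Same rule with a non-zero embryonic limit. max_conns is kept as-is
    (0 still means unlimited), so the only change is that the PIX starts
    intercepting new SYNs once emb_limit half-open sessions exist."""
    if emb_limit <= 0:
        raise ValueError("embryonic limit must be > 0 to enable TCP Intercept")
    return f"{rule.base} {rule.max_conns} {emb_limit}"


def lint(config: str, emb_limit: int = 100) -> List[Tuple[str, str]]:
    """(weak rule, corrected rule) pairs for every unprotected translation."""
    return [(r.base if r.max_conns == 0 and r.emb_limit == 0 else f"{r.base} {r.max_conns} {r.emb_limit}",
             hardened(r, emb_limit)) for r in find_intercept_disabled(config)]


if __name__ == "__main__":
    for weak, fixed in lint(SAMPLE_CONFIG):
        print(f"- {weak}\n+ {fixed}")
```

The linter deliberately treats an omitted field the same as an explicit 0, because that is the case the thread is about: a rule that looks complete but never turns TCP Intercept on. The value to use for `emb_limit` depends on the host behind the translation and its normal SYN backlog; pick it per service rather than copying 100 everywhere.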