[19666] in bugtraq


Re: Cisco PIX Security Notes

daemon@ATHENA.MIT.EDU (Curt Wilson)
Thu Mar 15 13:39:28 2001

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-ID:  <3.0.2.32.20010314222150.00a2b230@localhost>
Date:         Wed, 14 Mar 2001 22:21:50 -0600
Reply-To: Curt Wilson <netw3@NETW3.COM>
From: Curt Wilson <netw3@NETW3.COM>
X-To:         Lisa Napier <lnapier@CISCO.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <4.3.2.7.2.20010312162455.04db9e70@171.70.24.186>

At 08:04 PM 3/12/2001 -0800, Lisa Napier wrote:
>
>For the item listed as:
>-- Cisco PIX Firewall Logging Feature when firewall is probed.
>
>The PIX enforces that telnet to the outside interface must be IPsec
>protected.  The messages indicate that the packets are not IPsec protected
>and are therefore rejected.  This is documented in PIX configuration
>guide.  PIX generates *at most one* such syslog message per second.

Hi Lisa,

If the packet is not an IPsec packet, and is destined for the telnet
port on the external interface of the PIX, drop the packet and log
"not an IPsec packet". Why does the log limit data in this case when
the details will appear in nearly every other connection? If someone
wants to collect information from syslog, they don't get any details
on these particular connections. Granted, the connection won't get through,
so in a strict sense, case closed. However, why not record the packet
details to keep tabs on what the attackers are attempting? Why
no mention of the incoming IP address, any TCP flags, etc? I suppose
if someone had an IDS outside the PIX, the IDS would catch and
detail the behavior, but for those without an IDS that rely more on
syslog, you don't really get a very granular look at things in
this scenario, at least from what it seems. Please correct me if
I'm missing something.

Sounds like there is no vulnerability, just perhaps skimpy logging;
is there a way to configure the PIX to log better details when the
FW itself is attacked? Perhaps I should try attacking the FW telnet
port from the outside with an IPsec packet and examine the logging.

Thanks,
Curt Wilson
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
| Curt R. Wilson   *   Netw3 Consulting  *   www.netw3.com    |
|    Internet Security, Networking, PC tech,  WWW hosting     |
| Netw3 Security Reading Room : www.netw3.com/documents.html  |
|  Serving Southern Illinois locally and the world virtually  |
|            netw3@netw3.com     618-303-NET3                 |
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
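As an added example (not from Curt's post, Lisa's reply or any Cisco code), the following Python models the trade-off raised above: a logger that keeps the one-message-per-second ceiling but makes that single message a per-second summary carrying the source addresses, TCP flags and the number of packets it stands for, so the rate limit no longer erases the details a syslog-only site wants. The event fields, the summary layout and the sample events are constructed for illustration and are not a PIX syslog format.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class RejectEvent:            # one rejected packet; constructed sample data, not PIX syslog
    ts: float                 # arrival time in seconds
    src_ip: str               # source address of the rejected packet
    tcp_flags: str            # TCP flags, e.g. "S" for a bare SYN

class SummarisingRateLimiter:
    """Emit at most one record per one-second window, but make that record a
    summary of every event in the window instead of only the first one."""
    def __init__(self):
        self._window = None   # integer second of the open window, if any
        self._events = []     # events collected in that window

    def add(self, ev):
        """Feed one event; return the previous window's summary if it closed."""
        sec = int(ev.ts)
        done = self.flush() if self._window not in (None, sec) else None
        if self._window is None:
            self._window = sec
        self._events.append(ev)
        return done

    def flush(self):
        """Close the open window and return its summary (None if empty)."""
        if not self._events:
            return None
        summary = {"window": self._window, "count": len(self._events),
                   "sources": dict(Counter(e.src_ip for e in self._events)),
                   "flags": dict(Counter(e.tcp_flags for e in self._events))}
        self._window, self._events = None, []
        return summary

def format_line(s):
    """Render one summary as a single syslog-style line that keeps the attacker details."""
    return (f"t={s['window']} rejected non-IPsec telnet to outside: {s['count']} pkt(s)"
            f" from {len(s['sources'])} source(s) {s['sources']} flags={s['flags']}")

def summarise(events):
    """Run events through the limiter; return one summary per second that saw traffic."""
    lim = SummarisingRateLimiter()
    out = [d for d in (lim.add(e) for e in sorted(events, key=lambda e: e.ts)) if d]
    tail = lim.flush()
    return out + ([tail] if tail else [])

# Constructed sample: a burst from two hosts in second 10, one probe in second 11,
# nothing in second 12, one more in second 13. Addresses are from documentation ranges.
SAMPLE = [RejectEvent(10.0, "203.0.113.7", "S"), RejectEvent(10.2, "203.0.113.7", "S"),
          RejectEvent(10.4, "198.51.100.9", "S"), RejectEvent(11.1, "198.51.100.9", "SA"),
          RejectEvent(13.0, "203.0.113.7", "S")]
```

Passing each summary from `summarise(SAMPLE)` through `format_line` yields three lines, one each for seconds 10, 11 and 13; second 12, which saw no traffic, produces nothing, so the output rate never exceeds one line per second.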
