[8340] in bugtraq
Firewall-1 insecurity.
daemon@ATHENA.MIT.EDU (Darren Reed)
Fri Oct 30 14:51:21 1998
Date: Thu, 29 Oct 1998 21:40:20 +1100
Reply-To: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
From: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <m1br9vtubfm.fsf@blackbird.mitre.org> from "David S. Goldberg" at Oct 27, 98 01:06:21 pm
Sigh, the "Security Policy" properties page is (largely) a farce. It will
not matter if you can "see them". The fundamental problem is that they
are "global" rules for services and that cannot be changed - i.e. allowing
(for example) "Domain Name Download (TCP)" is like a rule which reads
"Any Any domain-tcp accept - Gateways Any".
The only reasonable thing you can do is disable the following:
Accept Firewall-1 Control Connections
Accept UDP replies
Accept RIP
Accept Domain Name Queries (UDP)
Accept Domain Name Download (TCP)
Accept ICMP
I haven't made the time to determine the effect of toggling "Accept
Outgoing Packets" or whether that can be moderated by toggling the
"Apply Gateway Rules to Interface Direction" to "Eitherbound".
Why it doesn't properly configure itself for "Accept Firewall-1
Control Connections" is bewildering given the file with a list of
master/clients. A case of "almost" but not quite - something you'd
hope not to find in the maker of the world's most popular and
perhaps with the world's worst default configured firewall.
The only difference doing the above makes is that you need to add a
few rules to properly add in FW-1 control, appropriate rules for DNS
and set up bi-directional rules for UDP services.
I've not looked at how the "Router Access Lists" page of checkboxes impacts
on rules generated for (I presume) Ciscos, which is another potential source
of trouble.
Darren
p.s. I'd suggest that anyone who has knowingly installed FW-1 for a client
with services such as DNS enabled give their respective clients a free
security upgrade of their firewall so that they can fix their own mistake.
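As an added illustration (not part of Darren's post, and not Check Point's code), a simplified Python model of the point made above: a checked "Accept ..." property behaves like a global "Any Any <service> accept" rule, so the explicit rule base never gets a say, while unchecking it and adding an explicit rule narrows who may reach the gateway. The first-match ordering (implied rules ahead of the explicit base) and the rule layout are assumptions of this model, not a statement of FW-1 internals.

```python
from dataclasses import dataclass

# Constructed, simplified model of a FW-1-style rule base. Checked
# "Security Policy" properties are expanded into global accept rules that
# are evaluated before the explicit rule base; that ordering is an
# assumption of this model.

@dataclass
class Rule:
    src: str        # "Any" or a host/network name
    dst: str        # "Any", "Gateways" (the firewall itself) or a host name
    service: str    # e.g. "domain-tcp", "domain-udp", "rip", "icmp"
    action: str     # "accept" or "drop"

# Properties-page checkboxes and the service each one silently opens.
IMPLIED_SERVICES = {
    "Accept Domain Name Queries (UDP)": "domain-udp",
    "Accept Domain Name Download (TCP)": "domain-tcp",
    "Accept RIP": "rip",
    "Accept ICMP": "icmp",
}

def implied_rules(properties: dict) -> list:
    """Expand every checked property into the 'Any Any service accept' rule it really is."""
    return [Rule("Any", "Any", svc, "accept")
            for prop, svc in IMPLIED_SERVICES.items() if properties.get(prop)]

def evaluate(properties: dict, explicit: list, src: str, dst: str, service: str) -> str:
    """First match wins: implied rules, then the explicit base, then the implicit drop."""
    for r in implied_rules(properties) + explicit:
        if r.src in ("Any", src) and r.dst in ("Any", dst) and r.service == service:
            return r.action
    return "drop"

# Weak configuration: properties left checked; the explicit base never mentions DNS.
weak_props = {p: True for p in IMPLIED_SERVICES}
weak_rules = [Rule("internal-net", "Any", "http", "accept")]

# Hardened configuration: properties unchecked; zone transfers only from the named secondary.
hard_props = {p: False for p in IMPLIED_SERVICES}
hard_rules = [Rule("internal-net", "Any", "http", "accept"),
              Rule("secondary-ns", "Gateways", "domain-tcp", "accept")]

if __name__ == "__main__":
    for name, props, rules in (("weak", weak_props, weak_rules), ("hardened", hard_props, hard_rules)):
        print(name, "unknown-host ->", evaluate(props, rules, "unknown-host", "Gateways", "domain-tcp"),
              "| secondary-ns ->", evaluate(props, rules, "secondary-ns", "Gateways", "domain-tcp"))
```

`implied_rules()` doubles as an audit: anything it returns for a live property set is a rule the explicit base cannot override.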