Re: Default configuration in WatchGuard Firewall

From: Chris Brenton (cbrentonat_private)
Date: Sat Sep 04 1999 - 10:57:41 PDT


    Alfonso Lazaro wrote:
    >
    > I have found a misconfiguration in the default configuration
    > of WatchGuard Firewall.
    >
    > By default it appends a rule that accepts pings from any to any.
    >
    > So if our firebox is defending our internal network
    > ( 192.168.x.x ... ) and our WG Firewall is a proxy with an external
    > ip in internet ( 100.100.100.100 hypothetical ip address ) the attacker
    > can change his/her routes like so :
    >
    > # route add -net 192.168.0.0 netmask 255.255.255.0 gw 100.100.100.100
    >
    > # ping 192.168.1.1
    
    Not to detract from the security implications of allowing echo-request
    inbound unchecked, but in most cases the above would be of little use.
    Every router between the attacker and the WatchGuard firewall would need
    to be configured to point 192.168.0.0 towards the firewall, something
    that is not going to happen per the RFCs (unless the attacker also
    compromises each router along the link).
    
    The above attack pattern would only be useful in the following
    situation:
    1) The attacker can source route inbound traffic
    2) The protected network is actually legal, routed address space
    3) The attacker gains access to the wire between the firewall & the
    Internet router
    
    If #1 works, shame on you. If #3 works, you have bigger problems than
    ICMP through the firewall. ;)
    
    Cheers,
    Chris
    --
    **************************************
    cbrentonat_private
    
    * Multiprotocol Network Design & Troubleshooting
    http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
    * Mastering Network Security
    http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
    
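The hop-by-hop forwarding argument above, worked through as an added example (this is not code from the original post, from WatchGuard, or from either author). The only values taken from the thread are the firewall's external address 100.100.100.100 and the private 192.168.0.0 network behind it; the router names ("isp", "core", "edge"), their routing tables, the second "legal, routed" network 100.100.101.0/24, the probing host 203.0.113.7 and the rule syntax are constructed assumptions. Each hop does its own longest-prefix-match lookup, exactly as a real router would, so the route the attacker adds on his own host only decides where the packet leaves his wire; a default-free core that carries no route for RFC 1918 space drops it. The same code then shows the case Chris lists as #2 (the protected network is routed address space), where the packet does reach the firewall and the "ping from any to any" rule is what decides, next to a tighter rule that answers pings to the firewall's own address but does not forward echo-request inward.

```python
"""Hop-by-hop forwarding plus firewall rule evaluation (constructed example)."""
import ipaddress

Net = ipaddress.IPv4Network

# Routing table per hop: (prefix, next_hop). "local" means the hop delivers the
# packet itself. All names and tables here are constructed for the example.
TABLES = {
    # Attacker's host after "route add -net 192.168.0.0 ... gw 100.100.100.100".
    # Whatever gateway was named, the packet can only leave via the upstream
    # on the attacker's own wire, so both entries point at "isp".
    "attacker": [(Net("192.168.0.0/24"), "isp"), (Net("0.0.0.0/0"), "isp")],
    "isp": [(Net("100.100.100.0/24"), "core"), (Net("0.0.0.0/0"), "core")],
    # Default-free core: only prefixes that are announced on the Internet.
    # RFC 1918 space is never announced, so there is no entry for it.
    "core": [(Net("100.100.100.0/24"), "edge"), (Net("100.100.101.0/24"), "edge")],
    # The customer's Internet router sitting in front of the firewall.
    "edge": [(Net("100.100.100.0/24"), "firebox"),
             (Net("100.100.101.0/24"), "firebox"),
             (Net("0.0.0.0/0"), "core")],
    # The firewall owns its external address and the networks behind it.
    "firebox": [(Net("100.100.100.100/32"), "local"),
                (Net("192.168.0.0/16"), "local"),
                (Net("100.100.101.0/24"), "local"),   # assumed routed space
                (Net("0.0.0.0/0"), "edge")],
}


def lookup(table, dst):
    """Longest-prefix match, as a router does it. Returns next hop or None."""
    dst = ipaddress.IPv4Address(dst)
    matches = [(net.prefixlen, nh) for net, nh in table if dst in net]
    return max(matches)[1] if matches else None


def trace(dst, start="attacker", max_hops=16):
    """Forward a packet from `start` toward `dst`. Returns (outcome, path)."""
    hop, path = start, [start]
    for _ in range(max_hops):
        nh = lookup(TABLES[hop], dst)
        if nh is None:
            return "dropped: no route", path     # silently discarded here
        if nh == "local":
            return "delivered", path
        hop = nh
        path.append(hop)
    return "dropped: loop", path


# Firewall rules: (proto, src_net, dst_net, action); first match wins.
# Constructed rule shapes, not WatchGuard's own configuration syntax.
DEFAULT_POLICY = [("icmp-echo", Net("0.0.0.0/0"), Net("0.0.0.0/0"), "accept")]
HARDENED_POLICY = [
    # Pings to the firewall's external address still work for monitoring...
    ("icmp-echo", Net("0.0.0.0/0"), Net("100.100.100.100/32"), "accept"),
    # ...but echo-request is not forwarded to anything behind it.
    ("icmp-echo", Net("0.0.0.0/0"), Net("0.0.0.0/0"), "drop"),
]


def firewall_decision(policy, proto, src, dst):
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for p, s, d, action in policy:
        if p == proto and src in s and dst in d:
            return action
    return "drop"  # implicit default deny


def inbound_echo(dst, policy, src="203.0.113.7"):
    """Does an echo-request from `src` reach the firewall, and what does it do?"""
    outcome, path = trace(dst)
    if outcome != "delivered" or path[-1] != "firebox":
        return outcome
    return "firewall " + firewall_decision(policy, "icmp-echo", src, dst)


if __name__ == "__main__":
    for dst in ("192.168.1.1", "100.100.100.100", "100.100.101.5"):
        print(dst, "->", trace(dst))
        print("   default rule :", inbound_echo(dst, DEFAULT_POLICY))
        print("   hardened rule:", inbound_echo(dst, HARDENED_POLICY))
```

Running it shows the probe to 192.168.1.1 dying at "core" with no route, regardless of what the attacker's host has in its own table, while a probe to a routed prefix behind the firewall arrives and is admitted by the any-to-any rule and refused by the narrower one. Compromising each router along the way, or source routing the packet past their tables, are precisely the conditions Chris lists, and the simulation assumes neither.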
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:01:41 PDT