root wrote:

> The workaround is to use Checkpoint's encrypted authentication program
> "SecuRemote" and not allow clear text authentication (browser based,
> telnet, etc.) to destinations beyond the firewall.

But you can still authenticate to the firewall, using SecuRemote - and have an unlimited number of tries. FW-1 will let you know if the username exists or not. It was tested with V4.0.

> #2
> The default configuration in FW-1 allows for rlogin management of the
> server. The rlogin prompt is available on all NICs. Unless a rule is
> placed in your ruleset to drop or reject all connections to the
> firewall, the authentication problem above can be used to remotely
> administer someone else's firewall without them knowing.

To be honest, I don't think there is a 'default' configuration of Firewall-1. I am not a FW-1 reseller, and I cannot say if there are any 'procedures' that resellers are supposed to follow, but so far I've seen a few completely different setups of FW-1 (on Solaris). One machine was completely 'stripped down', another one had a few rpc services running, while some other one had absolutely *everything* running.

From the outside, you can't do anything, so it's not such a big deal, but once you manage to get into the internal network - it is a piece of cake to 'own' a Firewall-1 box. Not because of Firewall-1 vulnerabilities, but because of Solaris bugs and bad firewall rules (admin not barring access to the fw from the internal network).

I don't think it is a Firewall-1 problem (the problem #2); it's more of a sysadmin problem.

A very good document about stripping Solaris can be found at:

http://www2.checkpoint.com/~joe/strip-sunserver.txt

You can find some other interesting documents there as well:

http://www2.checkpoint.com/~joe/

--
Vanja Hrustic
SAFER Editor

SAFER - free monthly security newsletter
Subscriptions at http://safer.siamrelay.com
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:29:55 PDT