On Fri, 21 Jan 2000, root wrote:

> #1
> The basic authentication used in Checkpoint FW-1 used for
> inside/outbound and outside/inbound allows unlimited attempts to
> authenticate without a timeout or disconnect between unsuccessful
> attempts. To make matters worse, the attempt at authentication will let
> you know if you have the wrong username before you are allowed to enter
> in the password.
>
> The exploit is trivial, grind away at user names until you hit one that
> works and then grind away at passwords with the username you just found
> until you find one that works.
>
> For an example of this, set authentication on the FW-1 software to
> authenticate telnet connections. Telnet to a destination past the
> firewall, when prompted for a username, pound away. A script could
> crack the authentication in a very short time.
>
> The workaround is to use Checkpoint's encrypted authentication program
> "SecuRemote" and not allow clear text authentication (browser based,
> telnet, etc.) to destinations beyond the firewall.

In 4.0 this is the same (and 4.1?).

Another solution is to use one-time passwords or generally token-based passwords like SecurID (but the session should additionally make use of SecuRemote to prevent man-in-the-middle attacks).

SecuRemote alone does not prevent guessing the username - it only encrypts and authenticates your session. With VPN-1 4.0 and SecuRemote I get a different error message if I either use a wrong username or a wrong password. So you always could guess usernames (this is maybe only restricted to FWZ and not to IKE - I don't know).

> #2
> The default configuration in FW-1 allows for rlogin management of the
> server. The rlogin prompt is available on all NICs. Unless a rule is
> placed in your ruleset to drop or reject all connections to the
> firewall, the authentication problem above can be used to remotely
> administer someone else's firewall without them knowing.
>
> The workaround is to include the rule.

Isn't this one of the implicit rules? For security I would prefer to disable all implicit rules (another one is to allow all outgoing packets originated to the firewall - or to allow all icmp-traffic).

yours sincerely
M. Hofmann

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Markus Hofmann              Phone:    +49 170 2848250
St. Urbanusstr. 15          Fax:      +49 9371 2032
                            E-Mail:   hofmannat_private
63927 Buergstadt            SMS-Mail: smsat_private (Only Subject)
Germany                     PGP-Keys: look at http://www.hofmar.de
---------------------------------------------------------------------
Only written with 100% recyclable electrons!
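The two weaknesses discussed in this thread (no limit on failed attempts, and a different error for a wrong username than for a wrong password, which lets usernames be confirmed one by one) are generic login-gate problems. The following is an added example, not code from the thread or from Check Point: a small Python authentication gate written from the defender's side. The class names, the constructed user table, the lockout thresholds and the per-source failure counter are all assumptions made for this illustration; the `leaky_login` method reproduces the behaviour the thread describes, and `login` shows the hardened form (one generic failure message, equal hashing work for unknown and known users, and a lockout after repeated failures from one source).

```python
"""Added example (not from the original thread): an authentication gate that
closes the two holes discussed above. All names and thresholds are constructed
assumptions, not a description of Check Point FW-1 internals."""
import hashlib
import hmac
import secrets
import time


def _hash(salt: bytes, password: str) -> bytes:
    # Slow, salted hash so that guessing remains expensive even offline.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_user_table(creds: dict) -> dict:
    """Constructed user store: username -> (salt, pbkdf2(salt, password))."""
    table = {}
    for name, pw in creds.items():
        salt = secrets.token_bytes(16)
        table[name] = (salt, _hash(salt, pw))
    return table


# A dummy credential so that an unknown username costs the same hashing work
# (and takes the same time) as a real one.
DUMMY_SALT = secrets.token_bytes(16)
DUMMY_HASH = _hash(DUMMY_SALT, "")


class AuthGate:
    MAX_FAILURES = 5          # assumed threshold
    LOCKOUT_SECONDS = 300     # assumed lockout window
    GENERIC_FAILURE = "Authentication failed"

    def __init__(self, users: dict, clock=time.monotonic):
        self.users = users
        self.clock = clock            # injectable for testing
        self.failures = {}            # source -> (count, locked_until)

    def leaky_login(self, username: str, password: str):
        """The behaviour the thread describes: the error message reveals
        whether the username exists, and nothing limits the attempts."""
        if username not in self.users:
            return False, "Unknown user"
        salt, digest = self.users[username]
        if not hmac.compare_digest(_hash(salt, password), digest):
            return False, "Wrong password"
        return True, "OK"

    def login(self, source: str, username: str, password: str):
        """Hardened gate: one generic message, constant work for unknown
        users, and a lockout per source after MAX_FAILURES failures."""
        now = self.clock()
        count, locked_until = self.failures.get(source, (0, 0.0))
        if now < locked_until:
            # Locked: do not even reveal whether the credentials are right.
            return False, self.GENERIC_FAILURE

        salt, digest = self.users.get(username, (DUMMY_SALT, DUMMY_HASH))
        ok = (username in self.users
              and hmac.compare_digest(_hash(salt, password), digest))
        if ok:
            self.failures.pop(source, None)
            return True, "OK"

        count += 1
        if count >= self.MAX_FAILURES:
            locked_until = now + self.LOCKOUT_SECONDS
        self.failures[source] = (count, locked_until)
        return False, self.GENERIC_FAILURE


if __name__ == "__main__":
    gate = AuthGate(make_user_table({"alice": "correct horse"}))
    print(gate.leaky_login("bob", "x"), gate.leaky_login("alice", "x"))
    print(gate.login("10.0.0.1", "bob", "x"), gate.login("10.0.0.1", "alice", "x"))
```

The point of the per-source counter is that the lockout follows the guesser, not the account, so a remote party cannot lock legitimate users out by hammering their names; in a firewall deployment the same idea is usually expressed as a delay or a drop after N failures from one peer, with the generic message returned in every failure case.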
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:30:43 PDT