RE: Firewall-1 Information leak

From: David Sexton (dave.sextonat_private)
Date: Fri Jul 20 2001 - 07:01:12 PDT


    That's not the only way to do it. An 'authenticated' connection can download
    the topology data. However, the authentication needed for this to work is a
    shared secret or certificate as defined in the 'IKE' properties for the user
    (i.e. you can't use things like SecurID for this bit). Once you've got the
    topology, there's nothing stopping you re-authenticating with a normal
    authentication method. 
    
    We do this with a separate account set up purely for topology downloads.
    This account does not have any access to the network via the rulebase.
    
    Checkpoint have a couple of documents available on how to set this up, they
    are not that hard to find, searching for 'unauthenticated topology downloads'
    in the Checkpoint knowledge base should do the trick.
    
    	Regards,
    
    Dave
    
    > -----Original Message-----
    > From:	Bugtraq Account [SMTP:bugtraqat_private]
    > Sent:	19 July 2001 23:02
    > To:	Haroon Meer
    > Cc:	bugtraqat_private
    > Subject:	Re: Firewall-1 Information leak
    > 
    > On Wed, 18 Jul 2001, Haroon Meer wrote:
    	[David Sexton]  <snip> 
    
    > This is a well-known, and generally accepted, risk associated with running
    > FWZ SecuRemote VPN's to FireWall-1.  As others have already commented, it
    > is possible to turn off unauthenticated topology downloads through the
    > policy properties.  If you do this, you will need to manually distribute a
    > userc.C file (containing the topology information) to all of your
    > secuRemote users.  This file should be loaded into the
    > c:\winnt\fw\database directory on the client.
    	[David Sexton]  </snip> 
    
    
    
    
    Sapphire Technologies Ltd
    http://www.sapphire.net
    


