[fw-wiz] The answer to the PIX encryption issue

From: Damir Rajnovic (gausat_private)
Date: Fri Jul 12 2002 - 05:38:03 PDT

    This is in response to the mail sent by Michael Thumann and mao.
    The mail is available at
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0121.html
    (Weak Cisco Pix Password Encryption Algorithm)
    
    When considering the published report one must take the following
    into account:
    
    *) The password length and quality is very important.
    
       Using passwords with ten characters or more will make a brute-force
       attack much harder, up to the point where it becomes computationally
       infeasible using the present algorithms and general-purpose computers.
       Using passwords which are not easy to guess, with a mixture of
       lower- and upper-case letters and numbers, will make an offline
       dictionary attack much harder.
    
    *) This attack is effective only if an attacker can capture the
       configuration file.
    
       In order to prevent interception of the configuration files for the
       PIX particularly during transfer between devices, customers should
       review their policies and practices concerning storage and transfer
       of PIX configuration files. Critical points of review should include
       firewall management systems and backup procedure (including media and
       disposal).
    
    *) By default PIX will not accept interactive connections on any port
       except the console port.
    
       Even if an attacker possesses the password, an interactive
       administrative session must be established to the trusted/protected
       (or externally via IPSEC) interface of the PIX in order to take
       advantage of this. Cisco configuration guides recommend explicit and
       careful configuration of permitted administrative hosts, and the
       default configuration requires the administration hosts to be
       explicitly configured.
    
    *) Users are encouraged to use the local database, which uses "salted"
       passwords. An example configuration is shown here:
    
         username <user> password <secret password>
         aaa authentication enable console LOCAL
    
       Alternatively, users can consider using TACACS+ or RADIUS
       for authentication.
    
       The practice of having a single, shared enable password should be
       discouraged in favor of creating separate usernames with the
       appropriate privilege level. Additionally, the practice of sharing
       the same configuration file among multiple PIXes should be
       reconsidered. For the exact syntax of PIX commands, consult
       http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/cmdref/index.htm
    
    
    ==============
    Damir Rajnovic <psirtat_private>, PSIRT Incident Manager, Cisco Systems
    <http://www.cisco.com/go/psirt>      Telephone: +44 7715 546 033
    200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB
    ==============
    There are no insolvable problems.
    The question is: can you accept the solution?
    
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizardsat_private
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
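As an added defender-side example (not code from Cisco or from the message's author), the script below audits a PIX 6.x configuration for the practices recommended in the message: local usernames bound to enable authentication instead of a single shared enable password, and explicitly enumerated administrative hosts rather than a wildcard mask on `telnet`/`ssh` lines. The sample configurations and the "encrypted" placeholder values are constructed for the example.

```python
import re

# Constructed PIX 6.x configuration fragments (not taken from the message).
# The values after "password"/"passwd" are placeholders, not real hashes.
WEAK_CONFIG = """\
enable password PLACEHOLDERHASH0 encrypted
passwd PLACEHOLDERHASH1 encrypted
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""

HARDENED_CONFIG = """\
enable password PLACEHOLDERHASH0 encrypted
username admin1 password PLACEHOLDERHASH2 encrypted privilege 15
username oper1 password PLACEHOLDERHASH3 encrypted privilege 3
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
ssh 10.1.1.5 255.255.255.255 inside
"""

WILDCARD_MASK = "0.0.0.0"  # "any host" on PIX telnet/ssh lines


def audit_pix_config(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # Recommendation: per-user accounts in the local database, not only
    # the shared enable password.
    users = re.findall(r"^username (\S+) password ", config, re.M)
    if not users:
        findings.append("no local usernames: only the shared enable "
                        "password is in use")

    # Recommendation: enable access authenticated via LOCAL (or an AAA
    # server tag such as TACACS+/RADIUS), i.e. an "aaa authentication
    # enable console <LOCAL|server-tag>" line must be present.
    if not re.search(r"^aaa authentication enable console \S+$", config, re.M):
        findings.append("enable access is not bound to the local database "
                        "or an AAA server")

    # Recommendation: administrative hosts explicitly configured; a
    # 0.0.0.0 mask on a telnet/ssh line admits any source address.
    for m in re.finditer(r"^(telnet|ssh) (\S+) (\S+) (\S+)$", config, re.M):
        proto, host, mask, ifname = m.groups()
        if mask == WILDCARD_MASK:
            findings.append(f"{proto} management is open to any host "
                            f"on {ifname}")
    return findings
```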
    



    This archive was generated by hypermail 2b30 : Fri Jul 12 2002 - 10:43:20 PDT