Re: Sniffing Administrator's Password in Symantec Firewall/VPN Appliance V. 200R

From: Sym Security (symsecurityat_private)
Date: Tue Oct 22 2002 - 12:51:06 PDT


    In response to Juan de la Fuente Costa's bugtraq posting dtd Oct 22, 2002
    9:16AM, Sniffing Administrator's Password in Symantec Firewall/VPN
    Appliance V. 200R
    Message-ID: <005701c279ab$c8bc5730$040110ac@mephisto>
     -----BEGIN PGP SIGNED MESSAGE-----                                         
     Hash: SHA1                                                                 
                                                                                
     Users inside the corporate network (LAN) are able to sniff the
     administrator's password by means of ARP poisoning.
                                                                                
     To avoid this problem we tried to hardcode the administrator's MAC
     address inside the firewall's configuration;

     But this was not the solution, as it was possible to perform the
     attack under this scenario too.
                                                                                
     -------------------------------------snip---------------------------------
                                                                                
     Symantec Firewall/VPN Appliance Internal LAN Sniffing Issue                
                                                                                
     Date Reported                                                              
     October 2, 2002                                                            
                                                                                
     Risk                                                                       
     Low (on trusted side of appliance)                                         
                                                                                
     Affected Versions:                                                         
     Symantec Firewall/VPN 100 (all firmware versions)                          
     Symantec Firewall/VPN 200 (all firmware versions)                          
     Symantec Firewall/VPN 200R (all firmware versions)                         
                                                                                
                                                                                
     Overview                                                                   
     Symantec is aware of a reported ARP Poisoning issue with Symantec's
     Firewall/VPN product, reported on the Bugtraq mailing list
     (http://online.securityfocus.com/archive/1/296539/2002-10-19/2002-10-25/0).
     Symantec became aware of a potential ARP Poisoning issue that only occurs
     on the trusted LAN ports of the affected appliances. This issue could
     affect Symantec Firewall/VPN Appliance deployments and could potentially
     allow a malicious internal user to use ARP poisoning techniques to
     intercept traffic that is intended for the management port.
                                                                                
     Details                                                                    
     ARP poisoning attacks are a well-known risk of Ethernet LANs.  The attacks 
     are based on the fact that the ARP protocol, used to provide MAC (physical 
     address) to IP address (logical address) resolution in an internal         
     network, is not a secured protocol.  There are a number of techniques for  
     intercepting and snooping traffic on an internal LAN segment.  For         
     example, using a properly crafted spoofed ARP message, a malicious user in 
     the internal network can carry out a man-in-the-middle attack and          
     intercept all traffic going to a specific destination.  However,
     protection from these types of attacks is limited and time-consuming to
     implement; therefore, most security administrators accept the associated
     risk from these types of internal attacks.
                                                                                
     Symantec Recommendation                                                    
                                                                                
     Symantec has determined that the Symantec Firewall/VPN appliances operate
     as designed. However, the following procedures can be implemented if
     secure internal remote administration is required.
     The Symantec Firewall/VPN Appliances can be remotely managed securely      
     using IPSEC technology through the outside WAN ports.  Symantec recommends 
     that if ARP poisoning is of concern in your internal environment, you      
     manage the appliance through a gateway-to-gateway VPN tunnel on the model  
     100/200/200R or through a client-to-gateway VPN tunnel on the model 200R.  
     In addition, administrators can use the second WAN port of the 200/200R as 
     an isolated local management port, thus preventing a rogue internal user   
     from sniffing the directly connected wire.                                 
                                                                                
     Protecting against ARP attacks requires a combination of techniques and
     tools.  For example, there are tools available in the field that will
     alert administrators when an ARP request has caused a change in a MAC-IP
     address entry.  These are useful for detecting anomalies; however, they
     often require making trade-offs in network management - for example, DHCP
     must be disabled.  Additional protection is sometimes provided natively by
     operating systems. Certain Microsoft operating systems will detect a
     duplicate IP address on a LAN (an indication of a possible ARP spoof
     attack).  Others allow you to lock down ARP entries in your ARP table so
     that once the table is populated, a rogue system is not able to reset the
     ARP entry to another MAC or IP address.  Another alternative is to encrypt
     all traffic using secured protocols such as SSL, SSH, or IPSEC to provide
     data confidentiality and data integrity for sensitive communication.
                                                                                
     Credit                                                                     
     Symantec takes the security and proper functionality of our products very
     seriously.  Anyone with information on security issues with Symantec
     products should contact symsecurityat_private.  The Sym Security PGP
     key can be downloaded from
     http://securityresponse.symantec.com/avcenter/security/publickey/SymSecurity.asc.
                                                                                
     Copyright (c) 2002 by Symantec Corp.                                       
     Permission to redistribute this Alert electronically is granted as long as
     it is not edited in any way unless authorized by Symantec Security
     Response. Reprinting the whole or part of this Alert in a medium other
     than electronic requires permission from symsecurityat_private.
     Disclaimer:                                                                
     The information in the advisory is believed to be accurate at the time of  
     printing based on currently available information. Use of the information  
     constitutes acceptance for use in an AS IS condition. There are no         
     warranties with regard to this information. Neither the author nor the     
     publisher accepts any liability for any direct, indirect or consequential  
     loss or damage arising from use of, or reliance on this information.       
     Symantec, Symantec products, Symantec Security Response, and SymSecurity   
     are Registered Trademarks of Symantec Corp. and/or affiliated companies in 
     the United States and other countries. All other registered and            
     unregistered trademarks represented in this document are the sole property 
     of their respective companies/owners.                                      
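The detection approach the advisory mentions (a tool that alerts when an ARP message changes a MAC-IP entry) as an added example; this is not part of Symantec's advisory or of the original report. The ARP observations, addresses and alert names are constructed, and the "flip-flop" and "shared" indicators are the classic arpwatch-style signs of one host answering for a gateway and a workstation at once.

```python
# Added example, not from the advisory: a minimal ARP-table change detector.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpObservation:
    ts: int   # seconds into the capture (constructed)
    ip: str   # sender protocol address from an ARP reply
    mac: str  # sender hardware address from the same reply


def detect_arp_anomalies(observations):
    """Return (ts, kind, detail) alerts in observation order.

    "changed"   an IP moved to a MAC never seen for it before
    "flip-flop" an IP moved back to a MAC it had earlier
    "shared"    one MAC now answers for several IPs, e.g. a host posing as
                both the admin workstation and the appliance LAN port
    """
    current = {}                  # ip -> mac currently in the table
    history = defaultdict(set)    # ip -> every mac ever seen for it
    alerts = []
    for obs in observations:
        mac = obs.mac.lower()     # normalise case before comparing
        prev = current.get(obs.ip)
        if prev is not None and prev != mac:
            kind = "flip-flop" if mac in history[obs.ip] else "changed"
            alerts.append((obs.ts, kind, f"{obs.ip} {prev} -> {mac}"))
        current[obs.ip] = mac
        history[obs.ip].add(mac)
        owners = sorted(ip for ip, m in current.items() if m == mac)
        if len(owners) > 1:
            alerts.append((obs.ts, "shared", f"{mac} claims {', '.join(owners)}"))
    return alerts


# Constructed sample: .1 is the appliance LAN port, .20 the administrator's
# workstation, .66 a third LAN host that starts answering for both at t=30.
SAMPLE = [
    ArpObservation(0, "192.168.1.1", "00:c0:4f:aa:aa:01"),
    ArpObservation(1, "192.168.1.20", "00:50:da:bb:bb:20"),
    ArpObservation(2, "192.168.1.66", "00:0c:29:cc:cc:66"),
    ArpObservation(30, "192.168.1.1", "00:0C:29:CC:CC:66"),
    ArpObservation(31, "192.168.1.20", "00:0c:29:cc:cc:66"),
    ArpObservation(45, "192.168.1.1", "00:c0:4f:aa:aa:01"),
]

if __name__ == "__main__":
    for ts, kind, detail in detect_arp_anomalies(SAMPLE):
        print(f"t={ts:>3}s {kind:<9} {detail}")
```

On a real LAN the observations would come from a passive capture of ARP replies on the trusted segment; the same logic applies unchanged.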
                                                                                



    This archive was generated by hypermail 2b30 : Tue Oct 22 2002 - 16:11:17 PDT