RE: Authentication Vulnerability in NetScreen ScreenOS

From: Brian Soby (tmpbox5at_private)
Date: Thu Jun 26 2003 - 10:37:53 PDT


    >However, after a user is authenticated, anyone else may also access the 
    >protected services if they originate from the same source IP address (NAT'd 
    >network). The authentication mechanism is designed to authenticate based on 
    >source-ip address only.
    
    Most firewalls track authenticated users based on the client's source IP 
    address.  If you need a stronger method, you could always use the Netscreen 
    Remote client software and require a secure tunnel from the clients to get 
    to your protected resources.
    
    -Brian Soby
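
The contrast drawn in the reply above, as an added example that is not part of the original message and is not NetScreen code: a model of an authentication table keyed only by source IP next to one bound to a per-client key, which stands in for a secure client tunnel. All class, function and client names and the NAT address are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed sample: the one address the firewall sees for every host behind the NAT.
NAT_PUBLIC_IP = "203.0.113.10"

class SourceIpAuth:
    """Model of a firewall auth table keyed only by source IP."""
    def __init__(self):
        self.authenticated_ips = set()
    def login(self, src_ip):
        self.authenticated_ips.add(src_ip)
    def permits(self, src_ip):
        return src_ip in self.authenticated_ips

def seal(key, payload):
    """Tag a payload with the client's session key (stand-in for tunnel integrity)."""
    return hmac.new(key, payload, hashlib.sha256).digest()

class TunnelAuth:
    """Model of auth bound to a per-client key rather than to an address."""
    def __init__(self):
        self.session_keys = {}  # client id -> key issued at login
    def login(self, client_id):
        self.session_keys[client_id] = os.urandom(32)
        return self.session_keys[client_id]
    def permits(self, client_id, payload, tag):
        key = self.session_keys.get(client_id)
        if key is None:
            return False
        return hmac.compare_digest(seal(key, payload), tag)

def compare_models():
    payload = b"GET /protected"
    # Source-IP model: alice logs in from behind the NAT; bob never logs in
    # but reaches the firewall from the same translated address.
    ip_fw = SourceIpAuth()
    ip_fw.login(NAT_PUBLIC_IP)
    bob_by_ip = ip_fw.permits(NAT_PUBLIC_IP)
    # Per-client key model: only traffic sealed with alice's key is accepted,
    # whatever address it arrives from.
    tun_fw = TunnelAuth()
    alice_key = tun_fw.login("alice")
    alice_by_tunnel = tun_fw.permits("alice", payload, seal(alice_key, payload))
    bob_by_tunnel = tun_fw.permits("alice", payload, seal(os.urandom(32), payload))
    return {"bob_by_ip": bob_by_ip, "alice_by_tunnel": alice_by_tunnel,
            "bob_by_tunnel": bob_by_tunnel}

if __name__ == "__main__":
    print(compare_models())
```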
    