On Fri, 21 Jan 2000, root wrote:

> #1
> The basic authentication used in Checkpoint FW-1 used for
> inside/outbound and outside/inbound allows unlimited attempts to
> authenticate without a timeout or disconnect between unsuccessful
> attempts.  To make matters worse, the attempt at authentication will let
> you know if you have the wrong username before you are allowed to enter
> in the password.
>
> The exploit is trivial, grind away at user names until you hit one that
> works and then grind away at passwords with the username you just found
> until you find one that works.
>
> For an example of this, set authentication on the FW-1 software to
> authenticate telnet connections.  Telnet to a destination past the
> firewall, when prompted for a username, pound away.  A script could
> crack the authentication in a very short time.
>
> The workaround is to use Checkpoint's encrypted authentication program
> "SecuRemote" and not allow clear text authentication (browser based,
> telnet, etc.) to destinations beyond the firewall.

In 4.0 this is the same (and 4.1?). Another solution is to use
one-time passwords or generally token-based passwords like SecurID (but
the session should additionally make use of SecuRemote to prevent
man-in-the-middle attacks). SecuRemote alone does not prevent guessing
the username - it only encrypts and authenticates your session.
With VPN-1 4.0 and SecuRemote I get a different error message if I either
use a wrong username or a wrong password. So you could always guess
usernames (this is maybe only restricted to FWZ and not to IKE - I don't
know).

> #2
> The default configuration in FW-1 allows for rlogin management of the
> server.  The rlogin prompt is available on all NICs.  Unless a rule is
> placed in your ruleset to drop or reject all connections to the
> firewall, the authentication problem above can be used to remotely
> administer someone else's firewall without them knowing.
>
> The workaround is to include the rule.
>

Isn't this one of the implicit rules? For security I would prefer to
disable all implicit rules (another one is to allow all outgoing packets
originating from the firewall - or to allow all ICMP traffic).

yours sincerely

M. Hofmann

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Markus Hofmann          Phone:    +49 170 2848250
St. Urbanusstr. 15      Fax:      +49 9371 2032
                        E-Mail:   [EMAIL PROTECTED]
63927 Buergstadt        SMS-Mail: [EMAIL PROTECTED] (Only Subject)
Germany                 PGP-Keys: look at http://www.hofmar.de
---------------------------------------------------------------------
         Only written with 100% recyclable electrons!

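The two weaknesses discussed in this thread (a failure message that reveals whether the username exists, and no throttling between attempts) are design choices that any authentication front end can avoid. The following is an added example, not code from Check Point or from either poster: a small gateway-style authenticator that returns one uniform failure message for a bad username and a bad password, spends the same hashing cost on unknown users, and throttles a source address after repeated failures. The user store, salt, thresholds and source addresses are constructed for the example.

```python
import hmac
import hashlib
import time

MAX_FAILURES = 5         # failures per source before throttling (assumed threshold)
LOCKOUT_SECONDS = 300    # how long a throttled source stays locked out (assumed)
FAILURE_MSG = "Authentication failed."   # identical text for every failure cause

def _hash(password: str, salt: bytes) -> bytes:
    # iteration count kept low for the example; raise it in a real deployment
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

# Constructed user store: username -> (salt, pbkdf2 hash)
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Dummy credential so an unknown username costs the same as a known one
_DUMMY = (_SALT, _hash("dummy", _SALT))

class Authenticator:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = {}   # source -> (failure count, time of last failure)

    def _throttled(self, source: str) -> bool:
        count, last = self.failures.get(source, (0, 0.0))
        return count >= MAX_FAILURES and self.clock() - last < LOCKOUT_SECONDS

    def login(self, source: str, username: str, password: str):
        """Return (ok, message); the message never says which part was wrong."""
        if self._throttled(source):
            return False, FAILURE_MSG
        salt, stored = USERS.get(username, _DUMMY)
        # compare_digest keeps the comparison constant-time; the dummy lookup
        # keeps the hashing cost the same whether or not the username exists
        ok = username in USERS and hmac.compare_digest(_hash(password, salt), stored)
        if ok:
            self.failures.pop(source, None)
            return True, "Welcome."
        count, _ = self.failures.get(source, (0, 0.0))
        self.failures[source] = (count + 1, self.clock())
        return False, FAILURE_MSG
```

Per-source throttling alone can lock out legitimate users behind a shared address, so pair it with per-account failure alerting rather than a hard account lockout that an outsider could trigger on purpose.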