In response to Juan de la Fuente Costa's bugtraq posting dtd Oct 22, 2002
9:16AM, Sniffing Administrator's Password in Symantec Firewall/VPN
Appliance V. 200R
Message-ID: <005701c279ab$c8bc5730$040110ac@mephisto>
                                                                            
                                                                            
                                                                            
 -----BEGIN PGP SIGNED MESSAGE-----                                         
 Hash: SHA1                                                                 
                                                                            
 Users inside corporate network (LAN) are able to sniff                     
 administrator's                                                            
 password by means of ARP poisoning.                                        
                                                                            
 To avoid this problem we tried to hardcode administrator's MAC             
 address                                                                    
 inside firewall's configuratión;                                           
                                                                            
 But this was not the solution, as there was possible to perform the        
 attack under this scenario too.                                            
                                                                            
 -------------------------------------snip--------------------------------- 
 -------------------------------------------------------------------------- 
 ---------                                                                  
                                                                            
 Symantec Firewall/VPN Appliance Internal LAN Sniffing Issue                
                                                                            
 Date Reported                                                              
 October 2, 2002                                                            
                                                                            
 Risk                                                                       
 Low (on trusted side of appliance)                                         
                                                                            
 Affected Versions:                                                         
 Symantec Firewall/VPN 100 (all firmware versions)                          
 Symantec Firewall/VPN 200 (all firmware versions)                          
 Symantec Firewall/VPN 200R (all firmware versions)                         
                                                                            
                                                                            
 Overview                                                                   
 Symantec is aware of a reported ARP Poisoning issue with Symantec's        
 Firewall/VPN product reported on the Bugtraq mailing list, (               
 http://online.securityfocus.com/archive/1/296539/2002-10-19/2002-10-25/0). 
 Symantec became aware of a potential ARP Poisoning issue that only occurs  
 on the trusted LAN ports of the affected appliances. This issue could      
 affect Symantec Firewall/VPN Appliance deployments and could potentially   
 allow a malicious internal user to use ARP poisoning techniques to         
 intercept traffic that is intended for the management port.                
                                                                            
 Details                                                                    
 ARP poisoning attacks are a well-known risk of Ethernet LANs.  The attacks 
 are based on the fact that the ARP protocol, used to provide MAC (physical 
 address) to IP address (logical address) resolution in an internal         
 network, is not a secured protocol.  There are a number of techniques for  
 intercepting and snooping traffic on an internal LAN segment.  For         
 example, using a properly crafted spoofed ARP message, a malicious user in 
 the internal network can carry out a man-in-the-middle attack and          
 intercept all traffic going to a specific destination.  However,           
 protection from these types of attacks is limited and time consuming to    
 implement, therefore, most security administrators accept the associated   
 risk from these types of internal attacks.                                 
                                                                            
 Symantec Recommendation                                                    
                                                                            
 Symantec has determined that the Symantec Firewall/VPN appliances operate  
 as designed. However, the following procedures can be implemented if a     
 secure internal remote administration is required.                         
 The Symantec Firewall/VPN Appliances can be remotely managed securely      
 using IPSEC technology through the outside WAN ports.  Symantec recommends 
 that if ARP poisoning is of concern in your internal environment, you      
 manage the appliance through a gateway-to-gateway VPN tunnel on the model  
 100/200/200R or through a client-to-gateway VPN tunnel on the model 200R.  
 In addition, administrators can use the second WAN port of the 200/200R as 
 an isolated local management port, thus preventing a rogue internal user   
 from sniffing the directly connected wire.                                 
                                                                            
 To protect against ARP attacks requires a combination of techniques and    
 tools.  For example, there are tools available in the field that will      
 alert administrators when an ARP request has caused a change in MAC-IP     
 address entry.  These are useful for detecting anomalies, however, they    
 often require making trade offs in network management - for example, DHCP  
 must be disabled.  Additional protection is sometimes provided natively by 
 operating systems. Certain Microsoft operating system's will detect a      
 duplicate IP address on a LAN (an indication of a possible ARP spoof       
 attack).  Others allow you to lock down ARP entries in your ARP table so   
 that once the table is populated; a rogue system is not able to reset the  
 ARP entry to another MAC or IP address.  Another alternative is to encrypt 
 all traffic using secured protocols such SSL, SSH, or IPSEC to provide     
 data confidentiality and data integrity for sensitive communication.       
                                                                            
 Credit                                                                     
 Symantec takes the security and proper functionality of our products very  
 seriously.  Anyone with information on security issues with Symantec       
 products should contact [EMAIL PROTECTED]  The Sym Security PGP    
 key can be downloaded from                                                 
 http://securityresponse.symantec.com/avcenter/security/publickey/SymSecuri 
 ty.asc.                                                                    
                                                                            
 Copyright (c) 2002 by Symantec Corp.                                       
 Permission to redistribute this Alert electronically is granted as long as 
 it is not edited in any way unless authorized by Symantec Security         
 Response. Reprinting the whole or part of this Alert in medium other than  
 electronically requires permission from [EMAIL PROTECTED]          
 Disclaimer:                                                                
 The information in the advisory is believed to be accurate at the time of  
 printing based on currently available information. Use of the information  
 constitutes acceptance for use in an AS IS condition. There are no         
 warranties with regard to this information. Neither the author nor the     
 publisher accepts any liability for any direct, indirect or consequential  
 loss or damage arising from use of, or reliance on this information.       
 Symantec, Symantec products, Symantec Security Response, and SymSecurity   
 are Registered Trademarks of Symantec Corp. and/or affiliated companies in 
 the United States and other countries. All other registered and            
 unregistered trademarks represented in this document are the sole property 
 of their respective companies/owners.                                      
                                                                            



                                                                            
                                                                            
                                                                            
                                                                            
                                                                            
                                                                            
                                                                            
                                                                            
                                                                            
                                                                            
                                                                            
                                                                            
                                                                            
                                                                            
                                                                            
                                                                            






Reply via email to