In response to Juan de la Fuente Costa's bugtraq posting dtd Oct 22, 2002 9:16AM, Sniffing Administrator's Password in Symantec Firewall/VPN Appliance V. 200R
Message-ID: <005701c279ab$c8bc5730$040110ac@mephisto>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Users inside corporate network (LAN) are able to sniff administrator's password by means of ARP poisoning. To avoid this problem we tried to hardcode administrator's MAC address inside firewall's configuration; but this was not the solution, as it was possible to perform the attack under this scenario too.

-------------------------------------snip---------------------------------
--------------------------------------------------------------------------

Symantec Firewall/VPN Appliance Internal LAN Sniffing Issue

Date Reported: October 2, 2002
Risk: Low (on trusted side of appliance)

Affected Versions:
  Symantec Firewall/VPN 100 (all firmware versions)
  Symantec Firewall/VPN 200 (all firmware versions)
  Symantec Firewall/VPN 200R (all firmware versions)

Overview

Symantec is aware of a reported ARP Poisoning issue with Symantec's Firewall/VPN product reported on the Bugtraq mailing list (http://online.securityfocus.com/archive/1/296539/2002-10-19/2002-10-25/0). Symantec became aware of a potential ARP Poisoning issue that only occurs on the trusted LAN ports of the affected appliances. This issue could affect Symantec Firewall/VPN Appliance deployments and could potentially allow a malicious internal user to use ARP poisoning techniques to intercept traffic that is intended for the management port.

Details

ARP poisoning attacks are a well-known risk of Ethernet LANs. The attacks are based on the fact that the ARP protocol, used to provide MAC (physical address) to IP address (logical address) resolution in an internal network, is not a secured protocol. There are a number of techniques for intercepting and snooping traffic on an internal LAN segment.
For example, using a properly crafted spoofed ARP message, a malicious user in the internal network can carry out a man-in-the-middle attack and intercept all traffic going to a specific destination. However, protection from these types of attacks is limited and time consuming to implement; therefore, most security administrators accept the associated risk from these types of internal attacks.

Symantec Recommendation

Symantec has determined that the Symantec Firewall/VPN appliances operate as designed. However, the following procedures can be implemented if secure internal remote administration is required.

The Symantec Firewall/VPN Appliances can be remotely managed securely using IPSEC technology through the outside WAN ports. Symantec recommends that if ARP poisoning is of concern in your internal environment, you manage the appliance through a gateway-to-gateway VPN tunnel on the model 100/200/200R or through a client-to-gateway VPN tunnel on the model 200R. In addition, administrators can use the second WAN port of the 200/200R as an isolated local management port, thus preventing a rogue internal user from sniffing the directly connected wire.

Protecting against ARP attacks requires a combination of techniques and tools. For example, there are tools available in the field that will alert administrators when an ARP request has caused a change in a MAC-IP address entry. These are useful for detecting anomalies; however, they often require making trade-offs in network management - for example, DHCP must be disabled. Additional protection is sometimes provided natively by operating systems. Certain Microsoft operating systems will detect a duplicate IP address on a LAN (an indication of a possible ARP spoof attack). Others allow you to lock down ARP entries in your ARP table so that once the table is populated, a rogue system is not able to reset the ARP entry to another MAC or IP address.
Another alternative is to encrypt all traffic using secured protocols such as SSL, SSH, or IPSEC to provide data confidentiality and data integrity for sensitive communication.

Credit

Symantec takes the security and proper functionality of our products very seriously. Anyone with information on security issues with Symantec products should contact [EMAIL PROTECTED]. The Sym Security PGP key can be downloaded from http://securityresponse.symantec.com/avcenter/security/publickey/SymSecurity.asc.

Copyright (c) 2002 by Symantec Corp.

Permission to redistribute this Alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this Alert in a medium other than electronically requires permission from [EMAIL PROTECTED].

Disclaimer: The information in the advisory is believed to be accurate at the time of printing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage arising from use of, or reliance on this information.

Symantec, Symantec products, Symantec Security Response, and SymSecurity are Registered Trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
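The advisory's recommendation section mentions two defensive ideas without showing them: tools that alert when an ARP reply changes a MAC-IP entry (with the DHCP trade-off that lease churn looks the same), and locking down ARP entries so traffic cannot rewrite them. The following is an added example written for this page, not code from Symantec or from the Bugtraq poster: a small Python monitor that keeps a learned ARP table, treats a set of pinned bindings as static entries that the wire can never change, and grades a binding change as high when the new MAC already answers for another address (one station claiming several IPs) and as medium otherwise. All addresses and the event sequence are constructed sample data, and the 10.0.0.1 "appliance LAN address" is an assumption made for the example.

```python
"""Alert on ARP replies that change a MAC-IP binding.

Added example, not code from the Symantec advisory or the Bugtraq post:
a minimal version of the kind of tool the advisory refers to (alerting
when an ARP reply changes a MAC-IP entry), plus the locked-down (static)
ARP entry idea it mentions. All addresses and events are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class ArpEvent:
    seq: int         # order in which the reply was observed
    sender_ip: str   # ARP sender protocol address
    sender_mac: str  # ARP sender hardware address


@dataclass
class ArpMonitor:
    # Pinned bindings play the role of static ARP entries: traffic never changes them.
    pinned: Dict[str, str] = field(default_factory=dict)
    # Bindings learned from the wire, as a normal ARP cache would learn them.
    learned: Dict[str, str] = field(default_factory=dict)

    def _ips_for(self, mac: str) -> Set[str]:
        """All IPs the learned table currently attributes to this MAC."""
        return {ip for ip, m in self.learned.items() if m == mac}

    def observe(self, ev: ArpEvent) -> Optional[dict]:
        """Process one ARP reply; return an alert dict, or None if benign."""
        ip, mac = ev.sender_ip, ev.sender_mac.lower()

        # A reply contradicting a pinned entry is always suspicious, and the
        # pinned table itself is never updated by what arrives on the wire.
        if ip in self.pinned:
            if mac != self.pinned[ip]:
                return self._alert(ev, "high", self.pinned[ip], mac,
                                   "reply contradicts pinned (static) entry")
            return None

        prev = self.learned.get(ip)
        if prev is None:
            self.learned[ip] = mac          # first sighting: just learn it
            return None
        if prev == mac:
            return None                     # unchanged binding

        # Binding changed. If the new MAC already answers for another IP, one
        # station is claiming several addresses, the usual shape of a
        # man-in-the-middle; otherwise it may just be a DHCP lease moving to
        # a new host, which is the trade-off the advisory notes.
        severity = "high" if self._ips_for(mac) - {ip} else "medium"
        reason = ("MAC now claims multiple IPs" if severity == "high"
                  else "learned MAC-IP binding changed (possible DHCP churn)")
        self.learned[ip] = mac              # follow the wire, like a real cache
        return self._alert(ev, severity, prev, mac, reason)

    @staticmethod
    def _alert(ev: ArpEvent, severity: str, expected: str, seen: str,
               reason: str) -> dict:
        return {"seq": ev.seq, "severity": severity, "ip": ev.sender_ip,
                "expected": expected, "seen": seen, "reason": reason}


# Constructed sample traffic (IANA documentation MAC range). 10.0.0.1 is the
# assumed appliance LAN address, pinned to its known MAC; .30 later answers
# for addresses that are not its own.
SAMPLE_EVENTS: List[ArpEvent] = [
    ArpEvent(1, "10.0.0.20", "00:00:5e:00:53:20"),
    ArpEvent(2, "10.0.0.30", "00:00:5e:00:53:30"),
    ArpEvent(3, "10.0.0.1",  "00:00:5e:00:53:01"),   # matches pinned entry
    ArpEvent(4, "10.0.0.1",  "00:00:5e:00:53:30"),   # .30 claims the gateway
    ArpEvent(5, "10.0.0.20", "00:00:5e:00:53:30"),   # .30 also claims .20
    ArpEvent(6, "10.0.0.40", "00:00:5e:00:53:40"),
    ArpEvent(7, "10.0.0.40", "00:00:5e:00:53:41"),   # new MAC, owns nothing else
]


def run_sample() -> List[dict]:
    """Feed the constructed events through a monitor with the gateway pinned."""
    mon = ArpMonitor(pinned={"10.0.0.1": "00:00:5e:00:53:01"})
    return [a for a in (mon.observe(e) for e in SAMPLE_EVENTS) if a]


if __name__ == "__main__":
    for alert in run_sample():
        print(f"seq={alert['seq']} {alert['severity']:6} {alert['ip']}: "
              f"{alert['expected']} -> {alert['seen']} ({alert['reason']})")
```

On the sample, events 4 and 5 raise high-severity alerts (a pinned entry contradicted, then one MAC claiming a second IP) while event 7 raises only a medium one, which is exactly the ambiguity the advisory describes: without disabling DHCP a monitor cannot tell a lease moving to a new host from a rewrite of that host's entry, so the medium alerts need a second source such as DHCP server logs before they are actionable.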