Really?  The implied rules and what they mean are part of the CheckPoint
CCSA (Intro. to FW Mgmt. I) class. I give special attention to it when
I teach the class ever since they shipped previous versions with ICMP
and DNS allowed. It has always been considered "Best Practice" to turn
off the implied rules -- right up there with having a Stealth Rule and a
Cleanup Rule.  Not only is it good security because it helps an
administrator see what he/she is letting through it by having it
explicitly defined (out of sight == out of mind), but it also helps the
performance of the firewall because it doesn't have to check each new
connection against all the implied rules.

During audits I do, companies having the implied rules on is one of the
easiest ways to fingerprint a CheckPoint Firewall because of the ports
it opens up for topology requests and other VPN-related functionality
which the client may not even be using.

If someone really wants to see a problem with 4.1, look at the
information one can get from a topology request (unauthenticated by
default). All the interfaces of the firewall, most likely all the
internal network IP addresses, and even important machine names and
addresses if the split DNS features are being utilized.  This gives us
lots of good information during a network assessment.

// Chris
[EMAIL PROTECTED]
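The ordering point Chris makes above (implied rules are evaluated ahead of the explicit rulebase, so a Stealth Rule or Cleanup Rule never sees what an implied rule already accepted) can be shown with a small first-match simulator. This is an added example, not code from the thread or from Check Point; the rule contents, the zone names (`outside`, `firewall`, `dmz-web`, `inside-host`) and the sample connections are constructed for illustration, and only a few stand-ins for the real implied rules are included.

```python
"""Added example, not code from the thread or from Check Point: a first-match
rulebase simulator showing why leaving the implied rules on undercuts a
Stealth Rule and a Cleanup Rule.  FireWall-1 evaluates the implied rules before
the explicit rulebase; the rule contents below are constructed stand-ins."""
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # zone/object name, or ANY
    dst: str
    proto: str           # "tcp", "udp", "icmp", or ANY
    port: Optional[int]  # None = any destination port
    action: str          # "accept" or "drop"

    def matches(self, pkt: dict) -> bool:
        return (self.src in (ANY, pkt["src"])
                and self.dst in (ANY, pkt["dst"])
                and self.proto in (ANY, pkt["proto"])
                and self.port in (None, pkt.get("dport")))


# Constructed stand-ins for a few of the implied rules discussed above
# (FireWall-1 RDP on UDP/259, DNS, ICMP); the real implied rulebase is longer.
IMPLIED_RULES = [
    Rule("implied: FW1 RDP", ANY, ANY, "udp", 259, "accept"),
    Rule("implied: DNS", ANY, ANY, "udp", 53, "accept"),
    Rule("implied: ICMP", ANY, ANY, "icmp", None, "accept"),
]

# The explicit rulebase an administrator writes: Stealth Rule first,
# the business rules, then a Cleanup Rule that drops everything else.
EXPLICIT_RULES = [
    Rule("stealth", ANY, "firewall", ANY, None, "drop"),
    Rule("web in", "outside", "dmz-web", "tcp", 80, "accept"),
    Rule("cleanup", ANY, ANY, ANY, None, "drop"),
]


def evaluate(pkt: dict, implied_enabled: bool) -> Tuple[str, str, int]:
    """First-match evaluation.  Returns (rule name, action, rules examined)."""
    rulebase = (IMPLIED_RULES if implied_enabled else []) + EXPLICIT_RULES
    for examined, rule in enumerate(rulebase, start=1):
        if rule.matches(pkt):
            return rule.name, rule.action, examined
    raise AssertionError("cleanup rule missing")  # unreachable with a cleanup rule


# Constructed sample connections (hypothetical zone names).
RDP_TO_FIREWALL = {"src": "outside", "dst": "firewall", "proto": "udp", "dport": 259}
RDP_TO_INSIDE = {"src": "outside", "dst": "inside-host", "proto": "udp", "dport": 259}
HTTP_TO_WEB = {"src": "outside", "dst": "dmz-web", "proto": "tcp", "dport": 80}


def compare(pkt: dict) -> dict:
    """The same connection under both settings."""
    return {"implied_on": evaluate(pkt, True), "implied_off": evaluate(pkt, False)}


if __name__ == "__main__":
    for label, pkt in [("RDP to firewall", RDP_TO_FIREWALL),
                       ("RDP to inside host", RDP_TO_INSIDE),
                       ("HTTP to DMZ web", HTTP_TO_WEB)]:
        print(label, compare(pkt))
```

With the implied rules on, UDP/259 to the firewall itself is accepted by the first implied rule and the Stealth Rule is never consulted; with them off, the Stealth Rule drops it and UDP/259 to an inside host falls through to the Cleanup Rule. The third field of each result (rules examined) is the per-connection evaluation cost Chris mentions: the ordinary HTTP connection is matched after five rules with the implied rules on and after two with them off.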

-----Original Message-----
From: Cessna, Michael [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 11, 2001 8:27 AM
To: 'Eric Johnson'; [EMAIL PROTECTED]
Subject: RE: Hacking FW-1 programs


Actually by reading his original posts you can see that he doesn't want
to have to log in to the FW1 to get internet access (probably porn
surfing). 
Anyway, the Checkpoint advisory is alarming in that I never thought of
checking for RDP holes since I've never used the protocol. Has anyone
ever used the RDP and/or know of any other RDP vulnerabilities?
Mike 
-----Original Message----- 
From: Eric Johnson [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, July 11, 2001 4:22 AM 
To: [EMAIL PROTECTED] 
Subject: RE: Hacking FW-1 programs 


At 03:09 PM 7/10/2001 -0400, Cessna, Michael wrote: 
>Why would you post a request like this when all of us here are the ones
>maintaining Firewall of various manufacturers and it is our jobs to keep
>people from circumventing the security policies in place? I would be
>surprised to find that anyone here who is actually in the Security field
>would answer your post. This list is for security professionals or those
>interested in security (specifically firewalls) and not for people who
>would like to get around them, even for non-nefarious purposes. Security
>policy is only as good as its enforcement. Which means no exceptions for
>anyone!
>
>BTW. Why don't you want to send your username and password? If you are not
>doing anything wrong then tracking what you do means nothing?
There was a CERT Advisory on July 9 regarding Firewall-1.
Maybe this is why he asked.
--------------------------------------------------------------------------------
CERT Advisory CA-2001-17 Check Point RDP Bypass Vulnerability 
    Original release date: July 09, 2001 
    Last revised: -- 
    Source: CERT/CC 
    A complete revision history is at the end of this file. 
Systems Affected 
      * Check Point VPN-1 and FireWall-1 Version 4.1 
Overview 
    A vulnerability in Check Point FireWall-1 and VPN-1 may allow an 
    intruder to pass traffic through the firewall on port 259/UDP. 
I. Description 
    Inside Security GmbH has discovered a vulnerability in Check Point 
    FireWall-1 and VPN-1 that allows an intruder to bypass the firewall.

    The default FireWall-1 management rules allow arbitrary RDP (Reliable
    Data Protocol) connections to traverse the firewall. RFC-908 and
    RFC-1151 describe the Reliable Data Protocol (RDP). Quoting from
    RFC-908:
      The Reliable Data Protocol (RDP) is designed to provide a reliable
      data transport service for packet-based applications such as remote
      loading and debugging.
    RDP was designed to have much of the same functionality as TCP, but it
    has some advantages over TCP in certain situations. FireWall-1 and
    VPN-1 include support for RDP, but they do not provide adequate
    security controls. Quoting from the advisory provided by Inside
    Security GmbH:
      By adding a faked RDP header to normal UDP traffic any content can
      be passed to port 259 on any remote host on either side of the
      firewall.
    For more information, see the Inside Security GmbH security advisory,
    available at
           http://www.inside-security.de/advisories/fw1_rdp.html
    Although the CERT/CC has not seen any incident activity related to
    this vulnerability, we do recommend that all affected sites upgrade
    their Check Point software as soon as possible.
II. Impact
    An intruder can pass UDP traffic with arbitrary content through the
    firewall on port 259 in violation of implied security policies.
    If an intruder can gain control of a host inside the firewall, he may
    be able to use this vulnerability to tunnel arbitrary traffic across
    the firewall boundary.
    Additionally, even if an intruder does not have control of a host
    inside the firewall, he may be able to use this vulnerability as a
    means of exploiting another vulnerability in software listening
    passively on the internal network.
    Finally, an intruder may be able to use this vulnerability to launch
    certain kinds of denial-of-service attacks.
... 
-------------------------------------------------------------------------------
Eric Johnson 
_______________________________________________ 
Firewalls mailing list 
[EMAIL PROTECTED] 
http://lists.gnac.net/mailman/listinfo/firewalls 
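The advisory quoted above says the bypass rides on accepted UDP/259 flows between hosts on either side of the firewall, which is exactly the thing to look for in the gateway's accept logs until the Check Point patch is applied. The following is an added example of such a log check, not code from the advisory, the thread or Check Point: the key=value log layout, the addresses, the internal ranges and the gateway addresses are all constructed, and `rule=0` is used here only as a constructed marker for "matched an implied rule"; adapt the parser to whatever export format your own logs use.

```python
"""Added example, not from the advisory or the thread: a defender's log check
for accepted UDP/259 flows that cross the perimeter of a FireWall-1 gateway.
The log layout and every address below are constructed for this example."""
import ipaddress
import re
from typing import List, Tuple

# Constructed topology: internal ranges and the gateway's own addresses.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
GATEWAY_ADDRS = {ipaddress.ip_address("203.0.113.1"),
                 ipaddress.ip_address("10.0.0.1")}

# Constructed sample records in a simple key=value layout (not Check Point's
# own log format).  rule=0 stands for "matched an implied rule" here.
SAMPLE_LOG = """\
action=accept proto=udp src=198.51.100.7 dst=10.0.5.20 dport=259 rule=0
action=accept proto=udp src=10.0.5.20 dst=198.51.100.7 dport=259 rule=0
action=accept proto=tcp src=198.51.100.9 dst=10.0.0.80 dport=80 rule=2
action=accept proto=udp src=198.51.100.7 dst=203.0.113.1 dport=259 rule=0
action=drop proto=udp src=198.51.100.7 dst=10.0.5.21 dport=259 rule=3
action=accept proto=udp src=10.0.5.20 dst=10.0.5.21 dport=259 rule=1
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split one key=value record into a dict of string fields."""
    return dict(FIELD_RE.findall(line))


def zone(addr: str) -> str:
    """Classify an address as the gateway itself, an inside host, or outside."""
    ip = ipaddress.ip_address(addr)
    if ip in GATEWAY_ADDRS:
        return "gateway"
    if any(ip in net for net in INTERNAL_NETS):
        return "inside"
    return "outside"


def classify(rec: dict) -> str:
    """'bypass'  = accepted UDP/259 between an inside and an outside host,
    'gateway' = accepted UDP/259 terminating on the firewall itself (the
                VPN/topology traffic the thread mentions; confirm it is in use),
    ''        = nothing to flag."""
    if (rec.get("action") != "accept" or rec.get("proto") != "udp"
            or rec.get("dport") != "259"):
        return ""
    zones = {zone(rec["src"]), zone(rec["dst"])}
    if "gateway" in zones:
        return "gateway"
    if zones == {"inside", "outside"}:
        return "bypass"
    return ""


def scan(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, category, original line) for every flagged record."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        category = classify(parse_line(line))
        if category:
            findings.append((lineno, category, line))
    return findings


if __name__ == "__main__":
    for lineno, category, line in scan(SAMPLE_LOG):
        print(f"line {lineno}: {category}: {line}")
```

Run against the constructed log, the two accepted UDP/259 flows between an outside host and an inside host are reported as `bypass` in both directions, the flow to the gateway's own address is reported as `gateway` for manual confirmation, and the dropped record and the purely internal record are ignored. Once the implied rules are off (or the patch is in), the `bypass` category should stay empty.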
