Bugtraq
mailing list archives
Re: Cisco PIX Security Notes
From: Laurent LEVIER <llevier () ARGOSNET COM>
Date: Wed, 14 Mar 2001 19:42:54 +0100
Lisa,
I also have many Pixes under my control. This "Firewall" does not log when it is scanned on its outside interface.
It considers that someone is attempting to access an already PATed session if the targeted port is already busy, and says nothing if the port is not busy.
This is true from prom 4 to the latest. So using PIX forbids detecting attacks on the device.
At 20:04 12/03/2001 -0800, Lisa Napier wrote:
Hi Fabio,
Thank you for your detailed analysis, although we certainly would
appreciate the opportunity to review this prior to public posting. We
prefer to minimize misinformation, as it can cause people to make decisions
based on inaccurate information, which is never a good thing.
We're currently in the process of reviewing your information and verifying
these issues, but have a few initial comments.
For the item listed as:
-- Cisco PIX Firewall Logging Feature when firewall is probed.
The PIX enforces that telnet to the outside interface must be IPsec
protected. The messages indicate that the packets are not IPsec protected
and are therefore rejected. This is documented in the PIX configuration
guide. PIX generates *at most one* such syslog message per second.
Additionally, for the item listed as:
-- Cisco PIX Firewall syn flood * EASY DOS WITH PIX
This is a configuration mistake. To activate TCP Intercept in the PIX, use
a non-zero embryonic limit. The embryonic limit is not enabled in this
configuration. Additionally, the TCP Intercept feature in the PIX is
ported from the IOS Firewall version. There should not be differences
between the functionality of the two implementations.
We are still in the process of analyzing your other statements.
Thanks much,
Lisa Napier
Product Security Incident Response Team
Cisco Systems
At 07:32 PM 03/09/2001 +0100, Fabio Pietrosanti (naif) wrote:
Working with the Cisco PIX Firewall I wrote some notes about possible security
problems of the Cisco PIX.
Attached is the paper Cisco_PIX_Notes.txt :)
--
Pietrosanti Fabio I.NET SpA, High Quality Access to the Internet
e-mail: naif () inet it ( Direzione Tecnica, Security Staff )
firewall () inet it
PGP Key (DSS) http://naif.itapac.net/naif.asc
Home Page URL: http://www.inet.it
Office: Via Darwin, 85 20019 Settimo Milanese (MI)
Tel: 02-328631 Fax: 02-328637701
--
Free advertising: www.openbsd.org - Multiplatform Ultra-secure OS
Laurent LEVIER
IT Systems & Networks, Unix System Engineer
Security Specialist
Argosnet Security Server : http://www.Argosnet.com
"Le Veilleur Technologique", "The Technology Watcher"
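Added here as a defender-side check (example code, not from anyone in this thread): a small Python script that scans PIX `static`/`nat` lines for a zero embryonic limit, the setting Lisa Napier says leaves TCP Intercept inactive. The sample configuration is constructed, and the trailing `max_conns em_limit` field layout is assumed from the PIX 5.x/6.x command syntax.

```python
# Constructed sample PIX configuration (not from the thread). The static/nat
# syntax with trailing "max_conns em_limit" fields follows the PIX 5.x/6.x
# command reference as I recall it and is an assumption; verify it against
# the configuration guide for the version you run. Port-form statics
# ("static (inside,outside) tcp ...") are not handled here.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.11 10.1.1.11 netmask 255.255.255.255 1000 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 192.0.2.100-192.0.2.200
"""


def embryonic_limit(line):
    """Return (command, em_limit) for a static or nat line, else None.

    The last two all-digit tokens are max_conns and em_limit; when em_limit
    is absent it is treated as 0 (unlimited), which is what leaves TCP
    Intercept inactive (assumption: 0 means unlimited on the PIX).
    """
    tokens = line.split()
    if not tokens or tokens[0] not in ("static", "nat"):
        return None
    trailing = []
    for tok in reversed(tokens):
        if tok.isdigit():
            trailing.append(int(tok))
        elif tok != "norandomseq":  # optional flag that may follow the limits
            break
    trailing.reverse()
    em_limit = trailing[-1] if len(trailing) >= 2 else 0
    return tokens[0], em_limit


def find_unprotected(config_text):
    """Return the static/nat lines whose embryonic limit is 0."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        result = embryonic_limit(line)
        if result is not None and result[1] == 0:
            findings.append(line)
    return findings


if __name__ == "__main__":
    for line in find_unprotected(SAMPLE_CONFIG):
        print("TCP Intercept inactive (em_limit 0):", line)
```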