Security Basics mailing list archives
RE: Cisco VPN Client - Stateful Firewall
From: jamesworld () intelligencia com
Date: Wed, 25 Feb 2004 15:28:15 -0600
Not true! The stateful firewall feature functions independently of an IPSEC tunnel. If a user has Stateful Firewall checked, the computer will be basically hidden from the network, except for connections that it establishes (starts the state).

If a user later decides to establish a VPN tunnel, it's treated like any other traffic: it's allowed, and it's in the state table as allowed traffic back in.

It does not limit/stop/block outbound traffic. Only inbound traffic. As far as remote testing it, the box does not even respond to pings. If you worked for Cisco on the VPN team you should know this.

From the manual for 3.6:

The VPN Client includes an integrated stateful firewall that provides protection when split tunneling is in effect and protects the VPN Client PC from Internet attacks while the VPN Client is connected to a VPN Concentrator through an IPSec tunnel. This integrated firewall includes a feature called Stateful Firewall (Always On).

Stateful Firewall (Always On) provides even tighter security. When enabled, this feature allows no inbound sessions from all networks, whether or not a VPN connection is in effect. Also, the firewall is active for both encrypted and non-encrypted traffic. There are two exceptions to this rule. The first is DHCP, which sends requests to the DHCP server out one port but receives responses from DHCP through a different port. For DHCP, the stateful firewall allows inbound traffic. The second is ESP. The stateful firewall allows ESP traffic from the secure gateway, because ESP rules are packet filters and not session-based filters.

From the 4.0:

The VPN Client includes an integrated stateful firewall that provides protection when split tunneling is in effect and protects the VPN Client PC from Internet attacks while the VPN Client is connected to a VPN Concentrator through an IPSec tunnel. This integrated firewall includes a feature called Stateful Firewall (Always On).

Stateful Firewall (Always On) provides even tighter security. When enabled, this feature allows no inbound sessions from all networks, regardless of whether a VPN connection is in effect. Also, the firewall is active for both encrypted and unencrypted traffic. There are two exceptions to this rule: DHCP, which sends requests to the DHCP server out one port but receives responses from DHCP through a different port. For DHCP, the stateful firewall allows inbound traffic. ESP - The stateful firewall allows ESP traffic from the secure gateway, because ESP rules are packet filters and not session-based filters. For the latest information on other exceptions, if any, refer to Release Notes for Cisco VPN Client for Windows.

At 15:44 02/24/2004, Rosenhan, David wrote:
Omar, I used to work for Cisco on the VPN team, and when the VPN client stateful firewall was checked it only allowed outgoing connections for ESP and ISAKMP traffic; basically it blocked everything but VPN traffic incoming and outgoing. It is a very basic firewall, mostly used for users that are not doing any split-tunneling and if you can't afford a 3rd party firewall solution. I would suggest enabling it and then running a program called LanGuard against the IP address of the computer. LanGuard has a 30-day trial version out there you can download; you will probably need to google it. From here you should be able to tell what is left open when it is enabled.

Thanks!

David Rosenhan, CCNP
Information Technology

-----Original Message-----
From: Omar Khawaja [mailto:omarkhawaja () yahoo com]
Sent: Monday, February 23, 2004 9:01 AM
To: security-basics () securityfocus com
Subject: Cisco VPN Client - Stateful Firewall

Does anyone have any thoughts on how secure the "Stateful Firewall", that is integrated with the Cisco VPN Client, is? I was hoping someone may have done some penetration testing targeted at this particular feature of the product.

___
Omar Khawaja
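The "Stateful Firewall (Always On)" policy quoted from the manual above, as an added illustration in Python (not Cisco's code, not from any poster in this thread): outbound traffic creates state, inbound traffic passes only when it matches that state, with the two documented exceptions (inbound DHCP and ESP from the secure gateway). All addresses and ports are constructed sample values.

```python
# Added illustration (not Cisco's code): a minimal model of the "Stateful Firewall
# (Always On)" policy quoted from the manual. Rules as the manual states them:
#   outbound traffic is never blocked and creates state; inbound is allowed only if
#   it matches state, except inbound DHCP (UDP 67 -> 68) and ESP from the gateway.
# Hosts, ports and the gateway address below are constructed sample values.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp", "icmp" or "esp"
    src: str
    dst: str
    sport: int = 0    # 0 for protocols without ports
    dport: int = 0

class AlwaysOnStatefulFirewall:
    def __init__(self, secure_gateway: str):
        self.secure_gateway = secure_gateway
        self.state: set = set()   # 5-tuples of sessions this host started

    def outbound(self, p: Packet) -> bool:
        """Locally initiated traffic is always permitted and recorded as state."""
        self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return True

    def inbound(self, p: Packet) -> bool:
        # Reply to a session this host started: the reversed 5-tuple is in the table.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return True
        # Exception 1: DHCP replies arrive on a different port than the request left on.
        if p.proto == "udp" and p.sport == 67 and p.dport == 68:
            return True
        # Exception 2: ESP from the secure gateway (a packet filter, not session-based).
        if p.proto == "esp" and p.src == self.secure_gateway:
            return True
        # Everything else, including unsolicited ICMP echo requests, is dropped.
        return False

def demo() -> dict:
    fw = AlwaysOnStatefulFirewall(secure_gateway="198.51.100.1")
    fw.outbound(Packet("tcp", "192.0.2.10", "203.0.113.5", 40000, 80))
    return {
        "http_reply": fw.inbound(Packet("tcp", "203.0.113.5", "192.0.2.10", 80, 40000)),
        "unsolicited_ssh": fw.inbound(Packet("tcp", "203.0.113.5", "192.0.2.10", 5555, 22)),
        "ping": fw.inbound(Packet("icmp", "203.0.113.5", "192.0.2.10")),
        "dhcp_offer": fw.inbound(Packet("udp", "192.0.2.1", "192.0.2.10", 67, 68)),
        "esp_from_gateway": fw.inbound(Packet("esp", "198.51.100.1", "192.0.2.10")),
        "esp_from_other": fw.inbound(Packet("esp", "203.0.113.5", "192.0.2.10")),
    }
```

The model shows why the box "does not even respond to pings" and why a scanner run from outside sees nothing open: only replies to locally started sessions, DHCP offers and ESP from the configured gateway get through.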