Security Basics mailing list archives
RE: Cisco VPN Client - Stateful Firewall
From: "Rosenhan, David" <David.Rosenhan () swiftbrands com>
Date: Wed, 25 Feb 2004 14:40:56 -0700
I understand the Docs, but you have to look at the reality of it. I have the VPN client installed, when I check the statefull firewall I can't do anything, even outbound connections from my laptop even if I am not running the VPN client and I don't have a tunnel established. I know what the docs say but you fail to mention the bugs with the statefull firewall. We ran into this bug all the time, mostly this bug is listed as internal to Cisco so you may not even see it on the Bug tool. In conclusion, don't use the statefull firewall, buy a third party firewall or download the free Zone Alarm firewall, it has more options, you can configure it and on top of that it works with policies pushed to it from a Cisco VPN concentrator. Thanks!! David Rosenhan, CCNP Information Technology Swift & Company -----Original Message----- From: jamesworld () intelligencia com [mailto:jamesworld () intelligencia com] Sent: Wednesday, February 25, 2004 2:28 PM To: Rosenhan, David Cc: Omar Khawaja; security-basics () securityfocus com Subject: RE: Cisco VPN Client - Stateful Firewall Not true! The stateful firewall feature functions independently of an IPSEC tunnel. If a user has Stateful firewall checked, the computer will be basically hidden from the network, except for connections that it establishes (starts the state). If a use later decides to establish a VPN Tunnel, it's treated like any other traffic, it's allowed and it's in the state table as allowed traffic back in. It does not limit/stop/block outbound traffic. Only inbound traffic. As far as remote testing it. The box does not even respond to pings. If you worked for Cisco on the VPN team you should know this. From the Manual for 3.6 The VPN Client includes an integrated stateful firewall that provides protection when split tunneling is in effect and protects the VPN Client PC from Internet attacks while the VPN Client is connected to a VPN Concentrator through an IPSec tunnel. This integrated firewall includes a feature called Stateful Firewall (Always On). Stateful Firewall (Always On) provides even tighter security. When enabled, this feature allows no inbound sessions from all networks, whether or not a VPN connection is in effect. Also, the firewall is active for both encrypted and non encrypted traffic. There are two exceptions to this rule. The first is DHCP, which sends requests to the DHCP server out one port but receives responses from DHCP through a different port. For DHCP, the stateful firewall allows inbound traffic. The second is ESP. The stateful firewall allows ESP traffic from the secure gateway, because ESP rules are packet filters and not session-based filters. From the 4.0 The VPN Client includes an integrated stateful firewall that provides protection when split tunneling is in effect and protects the VPN Client PC from Internet attacks while the VPN Client is connected to a VPN Concentrator through an IPSec tunnel. This integrated firewall includes a feature called Stateful Firewall (Always On). Stateful Firewall (Always On) provides even tighter security. When enabled, this feature allows no inbound sessions from all networks, regardless of whether a VPN connection is in effect. Also, the firewall is active for both encrypted and unencrypted traffic. There are two exceptions to this rule: * DHCP, which sends requests to the DHCP server out one port but receives responses from DHCP through a different port. For DHCP, the stateful firewall allows inbound traffic. * ESP - The stateful firewall allows ESP traffic from the secure gateway, because ESP rules are packet filters and not session-based filters. For the latest information on other exceptions, if any, refer to Release Notes for Cisco VPN Client for Windows. At 15:44 02/24/2004, Rosenhan, David wrote:
Omar, I used to work for Cisco on the VPN team and when the VPN client stateful firewall was checked it only allowed outgoing connections for ESP and ISAKMP traffic, basically it blocked everything but VPN traffic incoming and outgoing. It is a very basic firewall, mostly used for users that are not doing any split-tunneling and if you can't afford a 3rd party firewall solution. I would suggest enabling it and then run a program called LanGuard against the IP address of the computer. LanGaurd has a 30 day trial version out there you can download, you will probably need to google
it.
From here you should be able to tell what is left open when it is enabled. Thanks! David Rosenhan, CCNP Information Technology -----Original Message----- From: Omar Khawaja [mailto:omarkhawaja () yahoo com] Sent: Monday, February 23, 2004 9:01 AM To: security-basics () securityfocus com Subject: Cisco VPN Client - Stateful Firewall Does anyone have any thoughts on how secure the "Stateful Firewall", that is integrated with the Cisco VPN Client, is? I was hoping someone may have done some penetration testing targeted at this particular feature of the product. ___ Omar Khawaja -----------------------------------------------------------------------
-
--- Free trial: Astaro Security Linux -- firewall with Spam/Virus
Protection
Protect your network with the comprehensive security solution that integrates six applications for ease of use and lower TCO. Firewall - Virus protection - Spam protection - URL blocking - VPN - Wireless security. Download 30-day evaluation at: http://www.securityfocus.com/sponsor/Astaro_security-basics_040219 -----------------------------------------------------------------------
-
---- -----------------------------------------------------------------------
----
-----------------------------------------------------------------------
----- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Cisco VPN Client - Stateful Firewall Omar Khawaja (Feb 24)
- <Possible follow-ups>
- RE: Cisco VPN Client - Stateful Firewall Rosenhan, David (Feb 25)
- RE: Cisco VPN Client - Stateful Firewall Rosenhan, David (Feb 25)
- RE: Cisco VPN Client - Stateful Firewall jamesworld (Feb 25)