Security Basics mailing list archives

RE: Cisco VPN Client - Stateful Firewall


From: "Rosenhan, David" <David.Rosenhan () swiftbrands com>
Date: Wed, 25 Feb 2004 14:40:56 -0700


I understand the Docs, but you have to look at the reality of it.  I
have the VPN client installed, when I check the stateful firewall I
can't do anything, even outbound connections from my laptop even if I am
not running the VPN client and I don't have a tunnel established.  I
know what the docs say but you fail to mention the bugs with the
stateful firewall.

We ran into this bug all the time, mostly this bug is listed as internal
to Cisco so you may not even see it on the Bug tool.

In conclusion, don't use the stateful firewall, buy a third party
firewall or download the free Zone Alarm firewall, it has more options,
you can configure it and on top of that it works with policies pushed to
it from a Cisco VPN concentrator.

Thanks!!

David Rosenhan, CCNP
Information Technology
Swift & Company


-----Original Message-----
From: jamesworld () intelligencia com [mailto:jamesworld () intelligencia com]

Sent: Wednesday, February 25, 2004 2:28 PM
To: Rosenhan, David
Cc: Omar Khawaja; security-basics () securityfocus com
Subject: RE: Cisco VPN Client - Stateful Firewall

Not true!

The stateful firewall feature functions independently of an IPSEC
tunnel.

If a user has Stateful firewall checked, the computer will be basically
hidden from the network, except for connections that it establishes
(starts the state).

If a user later decides to establish a VPN Tunnel, it's treated like any
other traffic, it's allowed and it's in the state table as allowed
traffic back in.

It does not limit/stop/block outbound traffic.  Only inbound traffic.

As far as remote testing it.  The box does not even respond to pings.

If you worked for Cisco on the VPN team you should know this.

From the Manual for 3.6

The VPN Client includes an integrated stateful firewall that provides
protection when split tunneling is in effect and protects the VPN Client
PC from Internet attacks while the VPN Client is connected to a VPN
Concentrator through an IPSec tunnel. This integrated firewall includes
a feature called Stateful Firewall (Always On).

Stateful Firewall (Always On) provides even tighter security. When
enabled, this feature allows no inbound sessions from all networks,
whether or not a VPN connection is in effect. Also, the firewall is
active for both encrypted and non encrypted traffic. There are two
exceptions to this rule. The first is DHCP, which sends requests to the
DHCP server out one port but receives responses from DHCP through a
different port. For DHCP, the stateful firewall allows inbound traffic.
The second is ESP. The stateful firewall allows ESP traffic from the
secure gateway, because ESP rules are packet filters and not
session-based filters.

From the 4.0

The VPN Client includes an integrated stateful firewall that provides
protection when split tunneling is in effect and protects the VPN Client
PC from Internet attacks while the VPN Client is connected to a VPN
Concentrator through an IPSec tunnel. This integrated firewall includes
a feature called Stateful Firewall (Always On).

Stateful Firewall (Always On) provides even tighter security. When
enabled, this feature allows no inbound sessions from all networks,
regardless of whether a VPN connection is in effect. Also, the firewall
is active for both encrypted and unencrypted traffic. There are two
exceptions to this rule:
* DHCP, which sends requests to the DHCP server out one port but
  receives responses from DHCP through a different port. For DHCP, the
  stateful firewall allows inbound traffic.
* ESP - The stateful firewall allows ESP traffic from the secure
  gateway, because ESP rules are packet filters and not session-based
  filters. For the latest information on other exceptions, if any, refer
  to Release Notes for Cisco VPN Client for Windows.


At 15:44 02/24/2004, Rosenhan, David wrote:
Omar,

I used to work for Cisco on the VPN team and when the VPN client
stateful firewall was checked it only allowed outgoing connections for
ESP and ISAKMP traffic, basically it blocked everything but VPN traffic
incoming and outgoing.  It is a very basic firewall, mostly used for
users that are not doing any split-tunneling and if you can't afford a
3rd party firewall solution.

I would suggest enabling it and then run a program called LanGuard
against the IP address of the computer.  LanGuard has a 30 day trial
version out there you can download, you will probably need to google
it.
From here you should be able to tell what is left open when it is
enabled.

Thanks!

David Rosenhan, CCNP
Information Technology


-----Original Message-----
From: Omar Khawaja [mailto:omarkhawaja () yahoo com]
Sent: Monday, February 23, 2004 9:01 AM
To: security-basics () securityfocus com
Subject: Cisco VPN Client - Stateful Firewall

Does anyone have any thoughts on how secure the "Stateful Firewall",
that is integrated with the Cisco VPN Client, is? I was hoping someone
may have done some penetration testing targeted at this particular
feature of the product.
___
Omar Khawaja
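An added illustration (not Cisco's code and not written by any of the posters) of the Always On policy as the quoted manual describes it: outbound flows are recorded in a state table, unsolicited inbound traffic is dropped, and inbound DHCP replies and ESP from the secure gateway are the two exceptions. All addresses are constructed, and the model assumes the client knows the secure gateway address once a tunnel is configured.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

ICMP, TCP, UDP, ESP = 1, 6, 17, 50  # IP protocol numbers

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0          # 0 for protocols without ports (ICMP, ESP)
    dport: int = 0
    inbound: bool = True    # True = arriving at the client PC

class AlwaysOnFirewall:
    def __init__(self, secure_gateway: Optional[str] = None):
        # Flows the PC itself started: (proto, local, remote, lport, rport)
        self.state: Set[Tuple[int, str, str, int, int]] = set()
        self.secure_gateway = secure_gateway  # assumed known once a tunnel is up

    def handle(self, pkt: Packet) -> bool:
        """Return True if the packet is passed, False if it is dropped."""
        if not pkt.inbound:
            # Outbound traffic is never blocked; remember it so replies get back in.
            self.state.add((pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport))
            return True
        # Inbound packet that mirrors a flow the PC started
        if (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.state:
            return True
        # Exception 1: DHCP replies arrive on a different port (server 67 -> client 68)
        if pkt.proto == UDP and pkt.sport == 67 and pkt.dport == 68:
            return True
        # Exception 2: ESP from the secure gateway is packet-filtered, not session-tracked
        if pkt.proto == ESP and pkt.src == self.secure_gateway:
            return True
        return False  # everything else unsolicited, including pings, is dropped

def demo() -> dict:
    # Constructed sample traffic; dict entries are evaluated in order, so the
    # HTTP reply is checked after the outbound request has created state.
    fw = AlwaysOnFirewall(secure_gateway="203.0.113.1")  # constructed addresses
    pc, web, scanner, dhcp = "192.0.2.10", "198.51.100.20", "198.51.100.99", "192.0.2.1"
    return {
        "outbound_http": fw.handle(Packet(TCP, pc, web, 40000, 80, inbound=False)),
        "http_reply": fw.handle(Packet(TCP, web, pc, 80, 40000)),
        "unsolicited_ssh": fw.handle(Packet(TCP, scanner, pc, 50000, 22)),
        "ping_request": fw.handle(Packet(ICMP, scanner, pc)),
        "dhcp_offer": fw.handle(Packet(UDP, dhcp, pc, 67, 68)),
        "esp_from_gateway": fw.handle(Packet(ESP, "203.0.113.1", pc)),
        "esp_from_stranger": fw.handle(Packet(ESP, scanner, pc)),
    }
```

The `ping_request` case is the behaviour James describes (the box does not answer pings), while `esp_from_stranger` shows that the ESP exception is scoped to the secure gateway rather than to any source.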


