Re: Default configuration in WatchGuard Firewall

[cbrenton () SOVER NET (Chris Brenton)]

Alfonso Lazaro wrote:
> I have found a misconfiguration in the default configuration
> of Watchguard Firewall.
>
> By default it appends a rule that it accepts pings from any to any.
>
> So if our firebox is defending our internal network
> ( 192.168.x.x ... ) and our WG Firewall is a proxie with an external
> ip in internet ( 100.100.100.100 hipotetic ip address ) the atacker
> can change his/her routes like so :
>
> # route add -net 192.168.0.0 netmask 255.255.255.0 gw 100.100.100.100
>
> # ping 192.168.1.1

Not to detract from the security implications of allowing echo-request
inbound unchecked, but in most cases the above would be of little use.
Every router between the attacker and the WatchGuard firewall would need
to be configured to point 192.168.0.0 towards the firewall, something
that is not going to happen per the RFC's (unless the attacker also
compromises each router along the link).

The above attack pattern would only be useful in the following
situation:
1) The attacker can source route inbound traffic
2) The protected network is actually legal, routed address space
3) The attacker gains access to the wire between the firewall & the
Internet router

If #1 works, shame on you. If #3 works, you have bigger problems than
ICMP through the firewall. ;)

Cheers,
Chris

--
**************************************
cbrenton () sover net

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet