Bugtraq mailing list archives
Re: Cisco PIX Security Notes
From: Lisa Napier <lnapier () CISCO COM>
Date: Mon, 12 Mar 2001 20:04:27 -0800
Hi Fabio,

Thank you for your detailed analysis, although we certainly would appreciate the opportunity to review this prior to public posting. We prefer to minimize misinformation, as it can cause people to make decisions based on inaccurate information, which is never a good thing.

We're currently in the process of reviewing your information and verifying these issues, but have a few initial comments.

For the item listed as:

-- Cisco PIX Firewall Logging Feature when firewall is probed.

The PIX enforces that telnet to the outside interface must be IPsec protected. The messages indicate that the packets are not IPsec protected and are therefore rejected. This is documented in the PIX configuration guide. PIX generates *at most one* such syslog message per second.

Additionally, for the item listed as:

-- Cisco PIX Firewall syn flood * EASY DOS WITH PIX

This is a configuration mistake. To activate TCP Intercept in the PIX, use a non-zero embryonic limit. The embryonic limit is not enabled in this configuration.

Additionally, the PIX TCP Intercept feature in the PIX is ported from the IOS Firewall version. There should not be differences between the functionality of the two implementations.

We are still in the process of analyzing your other statements.

Thanks much,

Lisa Napier
Product Security Incident Response Team
Cisco Systems

At 07:32 PM 03/09/2001 +0100, Fabio Pietrosanti (naif) wrote:
Working with the Cisco PIX Firewall, I wrote some notes about possible security problems of the Cisco PIX. Attached is the paper Cisco_PIX_Notes.txt :)

--
Pietrosanti Fabio
I.NET SpA, High Quality Access to the Internet
e-mail: naif () inet it (Direzione Tecnica, Security Staff)
firewall () inet it
PGP Key (DSS): http://naif.itapac.net/naif.asc
Home Page URL: http://www.inet.it
Sede: Via Darwin, 85 20019 Settimo Milanese (MI)
Tel: 02-328631 Fax: 02-328637701
--
Free advertising: www.openbsd.org - Multiplatform Ultra-secure OS
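The vendor response above attributes the SYN-flood finding to a zero embryonic limit, which leaves TCP Intercept inactive. The following audit script is an added example, not code from either poster or from Cisco: it scans a PIX 5.x/6.x-style configuration for `static` and `nat` lines whose embryonic limit (the last numeric argument, defaulting to 0 when omitted) is zero, and can emit a corrected line with a limit of the operator's choosing. The sample configuration is constructed for the example, and the value 500 used in the usage call is a placeholder, since a suitable embryonic limit depends on the deployment.

```python
"""Audit a Cisco PIX (5.x/6.x-style) configuration for translation rules whose
embryonic-connection limit is zero. In that syntax a static/nat line ends with
optional [max_conns [em_limit]] fields; 0 or an omitted field means "unlimited",
and TCP Intercept only engages when em_limit is non-zero."""

# Constructed sample configuration (not taken from the original thread).
SAMPLE_CONFIG = """\
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (inside,outside) 192.0.2.10 10.0.0.10 netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.20 10.0.0.20 netmask 255.255.255.255 1000 500
static (inside,outside) tcp 192.0.2.30 80 10.0.0.30 80 netmask 255.255.255.255 0
nat (inside) 0 access-list nonat
"""


def _split_rule(line):
    """Split a static/nat line into (head_tokens, [max_conns, em_limit]).

    Returns None for lines that are not connection-limited translation rules.
    """
    tokens = line.strip().split()
    if not tokens or tokens[0] not in ("static", "nat"):
        return None
    if tokens[0] == "static":
        if "netmask" not in tokens:
            return None
        # Everything through the netmask value is the fixed part of the rule.
        cut = tokens.index("netmask") + 2
    else:
        # nat (if) id access-list <name> carries no limits; skip it.
        if "access-list" in tokens or len(tokens) < 5:
            return None
        # nat (if) id local_ip netmask [max_conns [em_limit]]
        cut = 5
    numeric = [int(t) for t in tokens[cut:] if t.isdigit()]
    max_conns = numeric[0] if numeric else 0
    em_limit = numeric[1] if len(numeric) > 1 else 0
    return tokens[:cut], [max_conns, em_limit]


def parse_limits(line):
    """Return (max_conns, em_limit) for a static/nat line, or None otherwise."""
    parsed = _split_rule(line)
    if parsed is None:
        return None
    return tuple(parsed[1])


def find_zero_embryonic(config_text):
    """Return [(line_number, line, max_conns)] for rules with em_limit == 0."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        limits = parse_limits(line)
        if limits is not None and limits[1] == 0:
            findings.append((lineno, line.strip(), limits[0]))
    return findings


def with_embryonic_limit(line, em_limit):
    """Rewrite a static/nat line so that it carries the given embryonic limit.

    max_conns is preserved (0 keeps "unlimited"); only em_limit is changed.
    """
    parsed = _split_rule(line)
    if parsed is None:
        raise ValueError("not a connection-limited static/nat line: %r" % line)
    head, (max_conns, _) = parsed
    return " ".join(head + [str(max_conns), str(em_limit)])


if __name__ == "__main__":
    for lineno, line, max_conns in find_zero_embryonic(SAMPLE_CONFIG):
        print("line %d: embryonic limit is 0 (max_conns=%d)" % (lineno, max_conns))
        print("  current:   " + line)
        # 500 is a placeholder; pick a value appropriate for the deployment.
        print("  suggested: " + with_embryonic_limit(line, 500))
```

Run against a saved `show config` (or `write terminal`) capture instead of `SAMPLE_CONFIG` to list every rule where TCP Intercept is inactive. The script reads the configuration only; it never changes the device.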