Bugtraq mailing list archives

Re: Cisco PIX Security Notes


From: Lisa Napier <lnapier () CISCO COM>
Date: Mon, 12 Mar 2001 20:04:27 -0800

Hi Fabio,

Thank you for your detailed analysis, although we certainly would
appreciate the opportunity to review this prior to public posting.  We
prefer to minimize misinformation, as it can cause people to make decisions
based on inaccurate information, which is never a good thing.

We're currently in the process of reviewing your information and verifying
these issues, but have a few initial comments.

For the item listed as:
-- Cisco PIX Firewall Logging Feature when firewall is probed.

The PIX enforces that telnet to the outside interface must be IPsec
protected.  The messages indicate that the packets are not IPsec protected
and are therefore rejected.  This is documented in the PIX configuration
guide.  The PIX generates *at most one* such syslog message per second.

Additionally, for the item listed as:
    --  Cisco PIX Firewall syn flood * EASY DOS WITH PIX

This is a configuration mistake.  To activate TCP Intercept in the PIX, use
a non-zero embryonic limit.  The embryonic limit is not enabled in this
configuration.  Additionally, the PIX TCP Intercept feature is ported from
the IOS Firewall version.  There should not be differences between the
functionality of the two implementations.

We are still in the process of analyzing your other statements.

Thanks much,

Lisa Napier
Product Security Incident Response Team
Cisco Systems

At 07:32 PM 03/09/2001 +0100, Fabio Pietrosanti (naif) wrote:
Working with the Cisco PIX Firewall, I wrote some notes about possible
security problems of the Cisco PIX.

Attached is the paper Cisco_PIX_Notes.txt :)


--
Pietrosanti  Fabio          I.NET SpA, High Quality Access to the Internet
e-mail:  naif () inet it       ( Direzione Tecnica, Security Staff )
         firewall () inet it
PGP Key (DSS)               http://naif.itapac.net/naif.asc

Home Page URL:            http://www.inet.it
Sede:                     Via Darwin, 85 20019 Settimo Milanese (MI)
Tel:                      02-328631   Fax: 02-328637701
--
Free advertising: www.openbsd.org - Multiplatform Ultra-secure OS
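
The configuration point in the reply above (a zero embryonic limit leaves
TCP Intercept off), shown as an added example that is not part of either
message in this thread.  It assumes the PIX 5.x/6.x command syntax in which
the two trailing numeric arguments of the static and nat commands are
max_conns and em_limit; the addresses, interface names and limit values are
made up for illustration and are not taken from Fabio's paper.

```text
! Added example, not from the original thread.  Addresses and limits are
! constructed; check the PIX configuration guide for your software version.
!
! static (in_if,out_if) global_ip local_ip [netmask mask] [max_conns [em_limit]]
! nat (in_if) nat_id local_ip [netmask] [max_conns [em_limit]]
!
! em_limit = 0 means "no limit on embryonic (half-open) connections", so
! TCP Intercept is never activated and a SYN flood can fill the
! connection table for the translated host.

! Weak: embryonic limit left at 0 (TCP Intercept off)
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255 0 0

! Corrected: allow at most 1000 connections and 500 half-open connections
! for this host.  Once 500 embryonic connections exist, the PIX intercepts
! further SYNs (TCP Intercept) instead of passing them through.
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255 1000 500

! The same two trailing arguments apply to an outbound nat entry
nat (inside) 1 10.0.0.0 255.255.255.0 1000 500
```

The 1000/500 values are placeholders; size max_conns to what the real server
can serve and em_limit below that, otherwise the connection limit is reached
before the intercept threshold and the flood still succeeds.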