Bugtraq mailing list archives

Re: Cisco PIX Security Notes


From: Curt Wilson <netw3 () NETW3 COM>
Date: Wed, 14 Mar 2001 22:21:50 -0600

At 08:04 PM 3/12/2001 -0800, Lisa Napier wrote:

For the item listed as:
-- Cisco PIX Firewall Logging Feature when firewall is probed.

The PIX enforces that telnet to the outside interface must be IPsec
protected.  The messages indicate that the packets are not IPsec protected
and are therefore rejected.  This is documented in PIX configuration
guide.  PIX generates *at most one* such syslog message per second.

Hi Lisa,

If the packet is not an IPsec packet, and is destined for the telnet
port on the external interface of the PIX, drop the packet and log
"not an IPsec packet". Why does the log limit data in this case when
the details will appear in nearly every other connection? If someone
wants to collect information from syslog, they don't get any details
on these particular connections. Granted, the connection won't get through,
so in a strict sense, case closed. However, why not record the packet
details to keep tabs on what the attackers are attempting? Why
no mention of the incoming IP address, any TCP flags, etc? I suppose
if someone had an IDS outside the PIX, the IDS would catch and
detail the behavior, but for those without an IDS that rely more on
syslog, you don't really get a very granular look at things in
this scenario, at least from what it seems. Please correct me if
I'm missing something.

Sounds like there is no vulnerability, just perhaps skimpy logging;
is there a way to config the PIX to log better details when the
FW itself is attacked? Perhaps I should try attacking the FW telnet
port from the outside with an IPsec packet and examine the logging.

Thanks,
Curt Wilson

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
| Curt R. Wilson   *   Netw3 Consulting  *   www.netw3.com    |
|    Internet Security, Networking, PC tech,  WWW hosting     |
| Netw3 Security Reading Room : www.netw3.com/documents.html  |
|  Serving Southern Illinois locally and the world virtually  |
|            netw3 () netw3 com     618-303-NET3                 |
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
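As an added example, not part of the thread or of any Cisco code: a small Python model of the logging behaviour discussed above, showing what a one-message-per-second limit throws away and how a summarising line can keep source addresses and TCP flags under the same message budget. The Packet format, the sample traffic and the per-second bucketing are assumptions of this example.

```python
# Added example (not from the thread or Cisco): the one-message-per-second
# rejection log described above, beside a summarising logger that keeps per-
# source detail. Assumption: the limit is modelled as one line per whole second.
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ts: float      # arrival time in seconds
    src: str       # source IP address
    dport: int     # destination TCP port on the outside interface
    flags: str     # TCP flags seen, e.g. "S"
    ipsec: bool    # True if the packet arrived inside an IPsec SA

def rejected_telnet(packets):
    """Packets the PIX drops: telnet (port 23) to the outside interface, no IPsec."""
    return [p for p in packets if p.dport == 23 and not p.ipsec]

def rate_limited_log(packets, window=1.0):
    """One detail-free message per window, as the thread describes."""
    lines, last = [], None
    for p in rejected_telnet(packets):
        bucket = int(p.ts // window)
        if bucket != last:
            lines.append(f"t={bucket}s not an IPsec packet")
            last = bucket
    return lines

def summarised_log(packets, window=1.0):
    """Same one-line-per-window budget, but with per-source counts and TCP flags."""
    buckets = defaultdict(lambda: (Counter(), set()))
    for p in rejected_telnet(packets):
        srcs, flags = buckets[int(p.ts // window)]
        srcs[p.src] += 1
        flags.add(p.flags)
    lines = []
    for b in sorted(buckets):
        srcs, flags = buckets[b]
        detail = " ".join(f"{s}x{n}" for s, n in sorted(srcs.items()))
        lines.append(f"t={b}s not an IPsec packet; flags={''.join(sorted(flags))}; src={detail}")
    return lines

# Constructed sample: two hosts probe in one second, a third in the next; the last packet is IPsec-protected.
SAMPLE = [
    Packet(10.1, "203.0.113.5", 23, "S", False),
    Packet(10.3, "198.51.100.9", 23, "S", False),
    Packet(10.8, "203.0.113.5", 23, "S", False),
    Packet(11.2, "192.0.2.77", 23, "S", False),
    Packet(11.5, "192.0.2.80", 23, "S", True),
]
```

Running both loggers over SAMPLE gives two lines each, but only the summarised form records which hosts probed and how often within the suppressed second.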