Bugtraq mailing list archives
Re: Cisco PIX Security Notes
From: Curt Wilson <netw3 () NETW3 COM>
Date: Wed, 14 Mar 2001 22:21:50 -0600
At 08:04 PM 3/12/2001 -0800, Lisa Napier wrote:
> For the item listed as: -- Cisco PIX Firewall Logging Feature when firewall is probed.
>
> The PIX enforces that telnet to the outside interface must be IPsec protected. The messages indicate that the packets are not IPsec protected and are therefore rejected. This is documented in the PIX configuration guide. PIX generates *at most one* such syslog message per second.
Hi Lisa,

If the packet is not an IPsec packet, and is destined for the telnet port on the external interface of the PIX, drop the packet and log "not an IPsec packet". Why does the log limit data in this case when the details will appear in nearly every other connection? If someone wants to collect information from syslog, they don't get any details on these particular connections. Granted, the connection won't get through, so in a strict sense, case closed. However, why not record the packet details to keep tabs on what the attackers are attempting? Why no mention of the incoming IP address, any TCP flags, etc.?

I suppose if someone had an IDS outside the PIX, the IDS would catch and detail the behavior, but for those without an IDS that rely more on syslog, you don't really get a very granular look at things in this scenario, at least from what it seems. Please correct me if I'm missing something.

Sounds like there is no vulnerability, just perhaps skimpy logging; is there a way to config the PIX to log better details when the FW itself is attacked? Perhaps I should try attacking the FW telnet port from the outside with an IPSec packet and examine the logging.

Thanks,
Curt Wilson

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
| Curt R. Wilson * Netw3 Consulting * www.netw3.com |
| Internet Security, Networking, PC tech, WWW hosting |
| Netw3 Security Reading Room : www.netw3.com/documents.html |
| Serving Southern Illinois locally and the world virtually |
| netw3 () netw3 com 618-303-NET3 |
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
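The information-loss point argued in the exchange above, as an added example that is not part of the thread or of any Cisco code: a small model of the described PIX behaviour (drop non-IPsec packets to telnet on the outside interface, report at most one message per second) next to the per-packet record Curt asks for. The packet records, message text and field names are constructed for illustration and are not real PIX syslog formats or message IDs.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

TELNET_PORT = 23


@dataclass
class Packet:
    ts: float       # arrival time in seconds (constructed)
    src: str        # source IP address (constructed)
    dst_port: int   # destination port on the outside interface
    flags: str      # TCP flags, e.g. "S" for SYN
    ipsec: bool     # True if the packet arrived IPsec-protected


def pix_style_filter(packets: List[Packet]) -> Tuple[List[str], List[str]]:
    """Model of the behaviour described in the thread: non-IPsec packets to
    the telnet port are dropped and the drop is reported at most once per
    second. The message text is a placeholder, not a real PIX syslog line."""
    decisions: List[str] = []
    syslog: List[str] = []
    last_logged_second: Optional[int] = None
    for p in packets:
        if p.dst_port == TELNET_PORT and not p.ipsec:
            decisions.append("drop")
            sec = int(p.ts)
            if sec != last_logged_second:      # rate limit: one line per second
                syslog.append(f"{sec}: not an IPsec packet")
                last_logged_second = sec
        else:
            decisions.append("accept")
    return decisions, syslog


def detailed_log(packets: List[Packet]) -> List[str]:
    """The per-packet detail the reply asks for: one line per dropped packet,
    carrying the source address and TCP flags (constructed format)."""
    return [f"{int(p.ts)}: drop telnet/outside src={p.src} flags={p.flags}"
            for p in packets if p.dst_port == TELNET_PORT and not p.ipsec]


# Constructed sample: four unprotected SYNs from two sources in the same
# second, one IPsec-protected packet, then one more unprotected SYN later.
SAMPLE = [
    Packet(100.1, "192.0.2.10", TELNET_PORT, "S", False),
    Packet(100.3, "192.0.2.10", TELNET_PORT, "S", False),
    Packet(100.5, "198.51.100.7", TELNET_PORT, "S", False),
    Packet(100.9, "198.51.100.7", TELNET_PORT, "S", False),
    Packet(100.95, "203.0.113.4", TELNET_PORT, "S", True),
    Packet(101.5, "192.0.2.10", TELNET_PORT, "S", False),
]
```

Running both functions over `SAMPLE` shows that the rate-limited log yields two lines with no addresses, while the detailed log keeps all five drops with their sources.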
Current thread:
- Cisco PIX Security Notes Fabio Pietrosanti (naif) (Mar 11)
- Re: Cisco PIX Security Notes Curt Wilson (Mar 12)
- Re: Cisco PIX Security Notes Lisa Napier (Mar 13)
- Re: Cisco PIX Security Notes Laurent LEVIER (Mar 15)
- Re: Cisco PIX Security Notes Curt Wilson (Mar 15)
- Re: Cisco PIX Security Notes *Vendor Response* Lisa Napier (Mar 16)