Firewall Wizards mailing list archives

The answer to the PIX encryption issue


From: Damir Rajnovic <gaus () cisco com>
Date: Fri, 12 Jul 2002 13:38:03 +0100

-----BEGIN PGP SIGNED MESSAGE-----

This is in response to the mail sent by Michael Thumann and mao.
The mail is available at
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0121.html
(Weak Cisco Pix Password Encryption Algorithm)

When considering the published report one must take the following
into the account:

*) The password length and quality are very important.

   Using passwords with ten characters or more will make a brute-force
   attack much harder, up to the point where it becomes computationally
   infeasible using the present algorithms and general purpose computers.
   Using passwords which are not easy to guess, with a mixture of
   lower and upper case letters and numbers, will make an offline dictionary
   attack much harder.

*) This attack is effective only if an attacker can capture the
   configuration file.

   In order to prevent interception of the configuration files for the
   PIX particularly during transfer between devices, customers should
   review their policies and practices concerning storage and transfer
   of PIX configuration files. Critical points of review should include
   firewall management systems and backup procedure (including media and
   disposal).

*) By default PIX will not accept interactive connections on any port
   except the console port.

   Even if an attacker possesses the password, an interactive
   administrative session must be established to the trusted/protected
   (or externally via IPSEC) interface of the PIX, in order to take
   advantage of this. Cisco configuration guides recommend explicit and
   careful configuration of permitted administrative hosts, and the default
   configuration requires the administration hosts to be explicitly
   configured.

*) Users are encouraged to use the local database that uses "salted"
   passwords. An example configuration is:

     username <user> password <secret password>
     aaa authentication enable console LOCAL

   Alternatively, users can consider using TACACS+ or RADIUS
   for authentication.

   The practice of having a single, shared enable password should be
   discouraged in favor of creating separate usernames with the
   appropriate privilege level. Additionally, the practice of sharing
   the same configuration file among multiple PIXes should be
   reconsidered. For the exact syntax of PIX commands consult
   http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/cmdref/index.htm


-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.3

iQEVAwUBPS7MIA/VLJ+budTTAQFp/QgAnxu9+4lXhtdQ47LW9LY6YOSNBgmh7E2K
5zeuoWFA81w1PawljR4d96eWnVBYktx6L5I6XCpuFYr4/APDSlgHXU6S2MR66tph
LfGOJP+V8Bc3f56C14HkJ+1lm4yPr6qOcKDXr9P6uOdqkuQkKa4A8GIgPOvlnmER
72k+ngGkLRN6xifMhFOvlBPHqYmu1BtmWviZPXlu8uIK3eY1snyUZf4y7JqYRFcb
WACtRRUMYz4lUwmd0DlTgqLVy9nnw9SxLgBCiM/SqUAMYCddm8I10IiYt5anuFzZ
/WetNzXpOmCTFT7XSwaKe1JQ0XGTN6EGBvc6j3vx97Yi1+ps3N6+qQ==
=ik/9
-----END PGP SIGNATURE-----
==============
Damir Rajnovic <psirt () cisco com>, PSIRT Incident Manager, Cisco Systems
<http://www.cisco.com/go/psirt>      Telephone: +44 7715 546 033
200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB
==============
There are no insolvable problems.
The question is: can you accept the solution?
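The following is an added illustration of points 1 and 4 of the message above; it is not code from the original post or from Cisco. It uses a generic SHA-256 digest as a stand-in for however a device stores its enable password (the actual PIX algorithm is not reproduced), and the wordlist, passwords, salts and guessing rate are constructed sample values. It shows why password length and alphabet size drive brute-force cost, and why an unsalted store lets a single precomputed dictionary be reused against every configuration file that carries the same password, while a salted store forces the work to be redone per entry.

```python
import hashlib
from typing import Dict, Iterable, Optional

# Alphabet sizes the message refers to: lower case only, lower+upper case,
# lower+upper case plus digits.
LOWER = 26
LOWER_UPPER = 52
LOWER_UPPER_DIGITS = 62
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def brute_force_years(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace at a constructed guessing rate."""
    return keyspace(length, alphabet_size) / guesses_per_second / SECONDS_PER_YEAR


def unsalted_digest(password: str) -> str:
    """Stand-in (assumption: SHA-256, not the real PIX scheme) for an unsalted
    store: the same password yields the same digest in every config file."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_digest(password: str, salt: bytes) -> str:
    """Stand-in for the salted local user database: the digest depends on the salt,
    so identical passwords on two devices produce different stored values."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def precomputed_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Offline dictionary built once; reusable against any unsalted config file."""
    return {unsalted_digest(w): w for w in wordlist}


def recover_unsalted(stored_digest: str, table: Dict[str, str]) -> Optional[str]:
    """Against an unsalted store the attacker only needs a table lookup."""
    return table.get(stored_digest)


def recover_salted(stored_digest: str, salt: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Against a salted store the whole wordlist must be rehashed for each stored entry."""
    for word in wordlist:
        if salted_digest(word, salt) == stored_digest:
            return word
    return None


def shared_password_exposure(password: str, salts: Iterable[bytes]) -> int:
    """How many distinct stored values a password sharing across devices produces.
    1 means one crack compromises every device; len(salts) means each is separate."""
    return len({salted_digest(password, s) for s in salts})


if __name__ == "__main__":
    rate = 1e9  # constructed guessing rate, guesses per second
    for length, alphabet in ((6, LOWER), (8, LOWER_UPPER), (10, LOWER_UPPER_DIGITS)):
        print(f"{length} chars, alphabet {alphabet}: "
              f"{brute_force_years(length, alphabet, rate):.3g} years worst case")

    # Constructed sample: two firewalls sharing the same weak enable password.
    wordlist = ["cisco", "pix515", "admin", "Fw!2002x"]
    table = precomputed_table(wordlist)
    for device in ("pix-a", "pix-b"):
        print(device, "unsalted ->", recover_unsalted(unsalted_digest("cisco"), table))
    print("distinct unsalted values:", len({unsalted_digest("cisco") for _ in range(2)}))
    print("distinct salted values:  ", shared_password_exposure("cisco", [b"salt-a", b"salt-b"]))
```

The table lookup in `recover_unsalted` costs nothing per target once the dictionary is built, which is the cost model behind the message's advice to avoid a shared enable password and a single configuration file across several PIXes; `recover_salted` has to pay the hashing cost again for every stored entry, and `brute_force_years` shows how quickly a longer password over a larger alphabet moves that cost out of reach.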

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

