Full Disclosure mailing list archives

Check Point statement on use of IKE Aggressive Mode


From: Scott.Register () us checkpoint com (Scott Walker Register)
Date: Tue, 3 Sep 2002 17:14:40 -0400


A document has recently been published alleging vulnerabilities in the Check
Point VPN-1/FireWall-1 product, involving the use of SecuRemote/SecureClient
and IKE Aggressive mode.  Check Point does not recommend the use of IKE
Aggressive Mode, because of many well-known limitations in the protocol, and
the Check Point products offer much more secure alternatives.

In the vulnerability claim document, two issues were presented:
  1) usernames are passed in cleartext using IKE Aggressive Mode
  2) usernames are susceptible to brute-force guessing when using IKE
Aggressive Mode

The first item is merely an accurate description of the IKE protocol. Check
Point has no bug or vulnerability, but has correctly implemented the IKE
standard for Aggressive Mode.  The passing of usernames in cleartext is
common to any vendors of IKE products who support Aggressive Mode.  The
claim of a vulnerability is incorrect.

Because of such well-known weaknesses in the IKE Aggressive Mode standard,
Check Point authored and published an extension called Hybrid Mode which
allows the secure use of all supported authentication schemes (e.g., RADIUS
or TACACS) without sending usernames in cleartext.  This extension has been
incorporated in the product since the 4.1 SP1 release (February 2000), with
Hybrid Mode recommended over Aggressive Mode for enhanced security.

The second item exists only in VPN-1/FireWall-1 v4.1 modules which are still
configured to support SecuRemote/SecureClient connections using IKE
Aggressive Mode, despite the availability of more secure options in the
product.  Note, again, that the guessable usernames in this scenario are, by
design of the IKE protocol, sent in cleartext.  By default, Aggressive Mode
is not enabled in NG.  In 4.1, the recommended configuration is to disable
Aggressive Mode and use Hybrid Mode instead (which involves no change to the
user experience).

Scott Walker Register
FireWall-1 Product Manager
Check Point Software Technologies, Inc.
ph: 561.989.5418  fax: 561.997.9392
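The protocol property the statement above turns on (the initiator's ID payload travels in the clear in Aggressive Mode message 1, whereas Main Mode only sends it after the E bit is set) is easy to confirm on the wire. The following is an added example, not part of the original post and not Check Point code: a small ISAKMP (RFC 2408) parser that walks the payload chain, reports any readable ID payload, and collects the distinct identities seen in a burst, which is what username guessing looks like from the responder's side. All packets it operates on are constructed in the block (placeholder SA/KE/nonce bytes); the address alice@example.com and the other names are made-up sample data.

```python
"""Parse IKEv1/ISAKMP (RFC 2408) phase-1 messages and report whether the
initiator's identity is readable on the wire.  Added example, not Check
Point code; the packets below are constructed test data, not captures."""
import struct

ISAKMP_HEADER_LEN = 28
FLAG_ENCRYPTION = 0x01          # E bit: payloads after the header are encrypted
EXCHANGE_NAMES = {2: "Main Mode", 4: "Aggressive Mode"}
PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_ID, PAYLOAD_NONCE = 1, 4, 5, 10
ID_TYPE_NAMES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 11: "ID_KEY_ID"}


def parse_isakmp(pkt: bytes) -> dict:
    """Split an ISAKMP message into header fields and a (type, body) payload chain."""
    if len(pkt) < ISAKMP_HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    (_icookie, _rcookie, next_payload, _version, exchange, flags,
     _msg_id, length) = struct.unpack("!8s8sBBBBII", pkt[:ISAKMP_HEADER_LEN])
    if length != len(pkt):
        raise ValueError("header length does not match datagram length")
    payloads = []
    off = ISAKMP_HEADER_LEN
    while next_payload != 0:
        if off + 4 > len(pkt):
            raise ValueError("truncated generic payload header")
        nxt, _reserved, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length")
        payloads.append((next_payload, pkt[off + 4:off + plen]))
        off += plen
        next_payload = nxt
    return {"exchange": exchange, "encrypted": bool(flags & FLAG_ENCRYPTION),
            "payloads": payloads}


def cleartext_identity(pkt: bytes):
    """Return (exchange, id_type, identity) if an ID payload is readable in the
    clear, else None.  Main Mode carries ID in messages 5/6 under the E bit, so
    only Aggressive Mode messages normally yield a result here."""
    msg = parse_isakmp(pkt)
    if msg["encrypted"]:
        return None
    for ptype, body in msg["payloads"]:
        if ptype == PAYLOAD_ID and len(body) >= 4:
            id_type, _proto, _port = struct.unpack("!BBH", body[:4])
            data = body[4:]
            if id_type == 1 and len(data) == 4:
                identity = ".".join(str(b) for b in data)
            else:
                identity = data.decode("ascii", errors="replace")
            return (EXCHANGE_NAMES.get(msg["exchange"], f"exchange {msg['exchange']}"),
                    ID_TYPE_NAMES.get(id_type, f"type {id_type}"), identity)
    return None


def distinct_identities(pkts):
    """Identities visible across a batch of messages from one source; many
    distinct values in a short window is the signature of username guessing."""
    found = {r[2] for r in map(cleartext_identity, pkts) if r is not None}
    return sorted(found)


def build_message(exchange: int, payloads, flags: int = 0) -> bytes:
    """Assemble a message from (type, body) pairs -- constructed test data only."""
    chain = b""
    for i, (_ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else 0
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, first, 0x10,
                         exchange, flags, 0, ISAKMP_HEADER_LEN + len(chain))
    return header + chain


def user_id_body(name: str) -> bytes:
    """ID payload body: ID_USER_FQDN (3), protocol UDP (17), port 500, then the name."""
    return struct.pack("!BBH", 3, 17, 500) + name.encode("ascii")


# Constructed samples (placeholder SA/KE/nonce bytes; only the payload chain matters).
AGGRESSIVE_MSG1 = build_message(4, [(PAYLOAD_SA, b"\x00" * 12), (PAYLOAD_KE, b"\x01" * 16),
                                    (PAYLOAD_NONCE, b"\x02" * 16),
                                    (PAYLOAD_ID, user_id_body("alice@example.com"))])
MAIN_MODE_MSG1 = build_message(2, [(PAYLOAD_SA, b"\x00" * 12)])
MAIN_MODE_MSG5 = build_message(2, [(PAYLOAD_ID, b"\x99" * 24)], flags=FLAG_ENCRYPTION)
GUESSING_BURST = [build_message(4, [(PAYLOAD_ID, user_id_body(n))])
                  for n in ("admin", "bob", "alice@example.com")]

if __name__ == "__main__":
    for label, pkt in [("aggressive msg1", AGGRESSIVE_MSG1),
                       ("main mode msg1", MAIN_MODE_MSG1),
                       ("main mode msg5", MAIN_MODE_MSG5)]:
        print(f"{label}: {cleartext_identity(pkt)}")
    print("identities in burst:", distinct_identities(GUESSING_BURST))
```

Run as a script it prints the Aggressive Mode identity in full while both Main Mode samples yield None; fed a pcap's UDP/500 payloads grouped by source address, distinct_identities() gives a quick count of how many usernames one peer has tried, which is the signal to alert on if Aggressive Mode cannot be turned off immediately.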
