Security Incidents mailing list archives

RE: Netscreen 5XT SSH Traffic

From: "Dante Mercurio" <Dante () webcti com>
Date: Fri, 18 Mar 2005 14:38:47 -0500

I can't tell from your email what indications you currently have that
this came through the firewall and was not spoofed from the inside in
some manner. I've always found the Netscreen to be a pretty secure
device and this would be a serious flaw.

Are there any other methods onto the network such as dial-in, VPN, or
vendor connections? Attacks can originate from any of these without a
flaw in the firewall software.

M. Dante Mercurio, CISSP, CWNA, Security+, SCSP


-----Original Message-----
From: Jonathan Nichols [mailto:jnichols () pbp net] 
Sent: Friday, March 18, 2005 12:33 PM
To: Ben Blakely
Cc: incidents () securityfocus org
Subject: Re: Netscreen 5XT SSH Traffic


Ben Blakely wrote:

Hello List,

 I'm the admin for a small network that uses a NetScreen 5XT firewall

as

the border access control device.   Just like everyone else, we get a 
pretty constant stream of SSH login attempts to our full range of IPs.
This doesn't concern us too much as our root logins are disabled and

we

enforce strong passwords.  However, several days ago we started seeing

SSH (v2, port 22) login attempts to machines that the firewall should 
not be allowing SSH traffic to in the first place.  Unfortunately this

happened overnight and our log vault machine was experiencing

unrelated

problems. Due to this I wasn't able to capture any of the traffic for 
closer dissection.  The only conclusion we were able to reach here was

that perhaps there is a state table poisoning bug in the NetScreen

code

that tricked the firewall into thinking the traffic had originated as 
egress.  Is this a reasonable conclusion?  To be honest that seems

like

a bit of a reach, does anyone else have any experience with similar 
incidents or any possible explanations?  I'll happy to clarify

anything

I can with the data I have, thanks for your time everyone.

/ben Blakely


Have you contacted Netscreen/Juniper TAC about this? There are ways to 
capture packets on the 5XT itself for analysis. Do you have another host

that you can use to test this from the outside? If it's an internal box 
that shouldn't be allowed SSH access, you oughta be able to test that 
from a machine outside the network.

I'd definitely contact the TAC about this, and have them review the 
firewall rules as well. It's possible that there's a rule that's 
overriding your deny SSH rule.

Current thread:

Netscreen 5XT SSH Traffic Ben Blakely (Mar 18)
- Re: Netscreen 5XT SSH Traffic Jonathan Nichols (Mar 18)
- <Possible follow-ups>
- RE: Netscreen 5XT SSH Traffic Dante Mercurio (Mar 18)
  - Message not available
    - Re: Netscreen 5XT SSH Traffic Michael Peppard (Mar 18)
    - Re: Netscreen 5XT SSH Traffic Ben Blakely (Mar 21)