Penetration Testing mailing list archives
[PEN-TEST] Watchguard firebox iI
From: "Waters, Simon" <Simon () WRETCHED DEMON CO UK>
Date: Tue, 12 Dec 2000 19:30:00 +0000
The most common Watchguard gaffe was not to disable outgoing UDP. The GUI has a checkbox for this, but off the shelf outgoing UDP was enabled. They sent me a tee-shirt for suggesting they change it 8-) but worth checking.

Similarly it is an easy mistake with the GUI to enable outgoing TCP proxy rather than an HTTP proxy. This is because the 'obvious' HTTP proxy service is a combination of a TCP proxy and an HTTP proxy, whereas there is a specific HTTP-only proxy service. The result being to allow more outgoing TCP connections than was intended. I guess it is easy for educational and other sites who allow any outgoing. (By TCP proxy I mean the firebox hides internal IPs - like Cisco Port Address Translation but not as clever - although you may have registered IPs behind the box if you have IP addresses to burn or think NAT is evil 8-)

Not sure on the best attack from outside. They run a Linux kernel underneath - so try typical Linux firewall stuff.

The recommended (!) configuration uses proxy ARP with the same address on trusted, external, and optional. This makes for complex ARP and routing settings, but whilst I've seen a lot that had incorrect settings, I've not seen this cause a 'security problem'.

The Watchguard has some automatic blackholing for port scanning and the like. Off by default. So some people may be susceptible to DoS by spoofing a scan. Watchguard have published some DoS vuln. - but they are very keen on distributing fixes.

In summary - many admins allow too much outgoing UDP and TCP because they can't drive the box.

Simon () wretched demon co uk
(Long time Watchguard fan, hoping he got the right e-mail as he is away from the Office)
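As an added example (not part of the original post or of any WatchGuard tooling), the following Python script audits a simple egress-policy model for the two gaffes described above: outgoing UDP left enabled to any port, and a generic outgoing TCP proxy where an HTTP-only proxy was intended. The rule model and sample rules are constructed assumptions, not the Firebox configuration format.

```python
"""Audit a constructed egress rule model for the two common Firebox gaffes
described in the post. The EgressRule model is an assumption for this example,
not WatchGuard's own configuration format."""
from dataclasses import dataclass


@dataclass(frozen=True)
class EgressRule:
    name: str
    proto: str                           # "udp" or "tcp"
    service: str                         # "filter", "tcp-proxy" or "http-proxy"
    dst_ports: frozenset = frozenset()   # empty set means "any destination port"
    enabled: bool = True


def audit_egress(rules):
    """Return (rule name, finding) pairs for overly permissive outbound rules."""
    findings = []
    for r in rules:
        if not r.enabled:
            continue
        if r.proto == "udp" and not r.dst_ports:
            # Gaffe 1: outgoing UDP enabled to any port (the default the post warns about).
            findings.append((r.name, "outgoing UDP to any port is enabled; disable it or "
                                     "limit it to the services actually needed, e.g. DNS"))
        elif r.proto == "tcp" and r.service == "tcp-proxy":
            # Gaffe 2: generic TCP proxy chosen instead of the HTTP-only proxy service,
            # which permits more outbound TCP than the admin intended.
            findings.append((r.name, "generic outgoing TCP proxy in use; use the HTTP-only "
                                     "proxy service unless arbitrary outbound TCP is intended"))
    return findings


# Constructed sample policy: two gaffes plus two acceptable rules.
SAMPLE_RULES = [
    EgressRule("udp-out", "udp", "filter"),                        # gaffe 1
    EgressRule("web-out", "tcp", "tcp-proxy", frozenset({80})),    # gaffe 2
    EgressRule("http-only", "tcp", "http-proxy", frozenset({80})),  # fine
    EgressRule("dns-out", "udp", "filter", frozenset({53})),       # fine
]

if __name__ == "__main__":
    for name, msg in audit_egress(SAMPLE_RULES):
        print(f"{name}: {msg}")
```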