RE: Firewall-1 Information leak

["MALIN, ALEX (PB)" <am7861 () sbc com>]

SecuRemote works with 2 FireWall-1 encryption schemes, FWZ and IKE. Here's
my reading on it. If you use IKE, you MUST deselect "respond to
unauthenticated topology requests." However, if you use FWZ, CheckPoint
recommends that you select "respond to unauthenticated topology requests."
As the previous posting describes, you can work around this by placing
topology information in users' userc.C files. 

Why might anybody use FWZ (CheckPoint's propriatary encryption scheme),
rather than IKE? It's inherently less secure, as it can't use IPSec tunnel
mode. As I see it, there's a genaral problem with using firewalls for
encryption gateways. You don't want to tie up your gateway with all the
processing and memory usage that VPN devices require. CheckPoint seems to
have built a client-to-site VPN that is designed to reduce some of the
performace hit on the firewall. What you end up with, I think, is a kind of
security "lite." A little less data security (especially if you make
topology requests available to anybody with the SecuRemote client software).
But you can keep more encrypted data sessions going simultaneously. 

Alex Malin

-----Original Message-----
From: Bugtraq Account [mailto:bugtraq () infosecure com au]
Sent: Thursday, July 19, 2001 3:02 PM
To: Haroon Meer
Cc: bugtraq () securityfocus com
Subject: Re: Firewall-1 Information leak


On Wed, 18 Jul 2001, Haroon Meer wrote:

> Checkpoint Firewall-1 makes use of a piece of software called SecureRemote
> to create encrypted sessions between users and FW-1 modules. Before remote
> users are able to communicate with internal hosts, a network topology of
> the protected network is downloaded to the client. While newer versions of
> the FW-1 software have the ability to restrict these downloads to only
> authenticated sessions, the default setting allows unauthenticated
> requests to be honoured. This gives a potential attacker a wealth of
> information including ip addresses, network masks (and even friendly
> descriptions)

This is a well-known, and generally accepted, risk associated with running
FWZ SecuRemote VPN's to FireWall-1.  As others have already commented, it
is possible to turn off unauthenticated topology downloads through the
policy properties.  If you do this, you will need to manually distribute a
userc.C file (containing the topology information) to all of your
secuRemote users.  This file should be loaded into the
c:\winnt\fw\database directory on the client.

> From start to finish, the procedure should go something like this:

1. Set up you firewall gateway for VPN, with the "Respond to
unauthenticated topology requests" enabled.

2. Set up a sample secuRemote client, and download the site topology.

3. Turn off "Respond to unauthenticated topology requests".

4. Securely distribute the file userc.C from the sample client to all
secuRemote users.

You will need to send out an updated userc.C any time there is a change to
the encryption domain or keying info.

Regards,
Dave Taylor