Bugtraq mailing list archives
Re: Cisco PIX Security Notes
From: Curt Wilson <netw3 () NETW3 COM>
Date: Mon, 12 Mar 2001 02:13:51 -0600
At 07:32 PM 3/9/2001 +0100, Fabio Pietrosanti (naif) wrote:
Working with the Cisco PIX Firewall I wrote some notes about possible security problems of the Cisco PIX. Attached is the paper Cisco_PIX_Notes.txt :)
I also noticed the "received packet is not an IPSec packet" logging issue when attacking the IP address of the PIX firewall itself with a variety of tools. We don't have a VPN configured at our site, but did an upgrade from PIX 4.6(2) (if I remember correctly) to 5.1(2), and in our case an ISAKMP element was automatically added to the config, I think it's "isakmp identity hostname", but other than that, I don't see why the FW is expecting an IPSec packet since we don't have any of the VPN functions enabled.

Our PIX is set to "logging buffered debugging" to get an exhaustive logging trace with as much detail as possible from its syslog. Still, the FW itself does not seem to respond fully to all packets delivered to its external interface, showing "received packet is not an IPSec packet" only some of the time. It seems that the PIX (at least 5.1(2)) just checks if the packet is IPSec and, if not, sends a generic error. This obviously delivers no information to those monitoring syslog, and if you don't have an IDS placed just right and someone is only attacking the firewall itself, your logs don't mean a thing since you see no packet data.

I reported this logging issue to Cisco security several months ago, but at the time they were dealing with the mailguard problem and didn't take any action (that I am aware of).

For more information on this please see some of my PIX attack patterns research posted to SANS GIAC a while back: http://www.sans.org/y2k/110300.htm

Curt Wilson

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
| Curt R. Wilson * Netw3 Consulting * www.netw3.com |
| Internet Security, Networking, PC tech, WWW hosting |
| Netw3 Security Reading Room : www.netw3.com/documents.html |
| Serving Southern Illinois locally and the world virtually |
| netw3 () netw3 com 618-303-NET3 |
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
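The message above makes a defender's point: the PIX emits "received packet is not an IPSec packet" without any packet data, so syslog alone cannot say who is probing the firewall's own interface. What a log monitor can still do is notice that such content-free messages are arriving in a burst, and flag that the firewall itself is being hit so that IDS capture or packet-level logging can be checked. The script below is an added example written for this thread, not code from the original post or from Cisco. The syslog line layout, the host name "pix-fw" and all sample lines are constructed for the example; only the message text comes from the thread.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample syslog lines (not real PIX output). The
# "<timestamp> <host> <message>" layout is an assumption for this example.
SAMPLE_SYSLOG = """\
Mar 12 02:01:03 pix-fw Built inbound TCP connection 10 for faddr 192.0.2.10/4312 gaddr 198.51.100.5/80 laddr 10.0.0.5/80
Mar 12 02:01:05 pix-fw received packet is not an IPSec packet
Mar 12 02:01:09 pix-fw received packet is not an IPSec packet
Mar 12 02:01:22 pix-fw received packet is not an IPSec packet
Mar 12 02:01:40 pix-fw received packet is not an IPSec packet
Mar 12 02:03:15 pix-fw Deny tcp src outside:192.0.2.10/4401 dst inside:10.0.0.5/23 by access-group "acl_out"
Mar 12 02:07:12 pix-fw received packet is not an IPSec packet
"""

# The message text quoted in the thread.
GENERIC_MSG = "received packet is not an IPSec packet"

# Dotted-quad detector: used to check whether a message carries any address.
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Syslog-style "Mon DD HH:MM:SS host message" (assumed layout, see above).
TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")

# Syslog timestamps carry no year; the caller supplies one.
YEAR = 2001
EPOCH = datetime(YEAR, 1, 1)


def parse_line(line, year=YEAR):
    """Split one syslog line into (timestamp, host, message) or None."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)


def triage(lines, window_seconds=60, threshold=3):
    """Summarise the generic IPSec messages in a log extract.

    Returns (total_generic, generic_without_any_ip, bursts), where bursts is a
    list of (window_start, count) for fixed windows whose count reaches the
    threshold. A burst of address-less messages is the signal that something is
    hitting the firewall's own interface and that packet-level evidence must be
    sought elsewhere (IDS, span port), because syslog will not provide it.
    """
    generic = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _host, msg = parsed
        if GENERIC_MSG in msg:
            generic.append((ts, bool(IP_RE.search(msg))))

    without_ip = sum(1 for _, has_ip in generic if not has_ip)

    # Bucket timestamps into fixed windows measured from EPOCH.
    buckets = Counter()
    for ts, _ in generic:
        offset = int((ts - EPOCH).total_seconds()) // window_seconds * window_seconds
        buckets[offset] += 1

    bursts = sorted(
        (EPOCH + timedelta(seconds=off), n)
        for off, n in buckets.items()
        if n >= threshold
    )
    return len(generic), without_ip, bursts


if __name__ == "__main__":
    total, no_ip, bursts = triage(SAMPLE_SYSLOG.splitlines())
    print(f"{total} generic IPSec messages, {no_ip} without any address")
    for start, n in bursts:
        print(f"burst of {n} starting {start:%b %d %H:%M:%S}: "
              "check IDS capture for traffic to the firewall address")
```

On the constructed sample the script reports five generic messages, none carrying an address, and one burst of four in the 02:01 window; the lone message at 02:07 stays below the threshold. Tune the window and threshold to the normal background rate of these messages on a given PIX before alerting on them.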
Current thread:
- Cisco PIX Security Notes Fabio Pietrosanti (naif) (Mar 11)
- Re: Cisco PIX Security Notes Curt Wilson (Mar 12)
- Re: Cisco PIX Security Notes Lisa Napier (Mar 13)
- Re: Cisco PIX Security Notes Laurent LEVIER (Mar 15)
- Re: Cisco PIX Security Notes Curt Wilson (Mar 15)
- Re: Cisco PIX Security Notes *Vendor Response* Lisa Napier (Mar 16)