Bugtraq mailing list archives

Re: Cisco PIX Security Notes


From: Laurent LEVIER <llevier () ARGOSNET COM>
Date: Wed, 14 Mar 2001 19:42:54 +0100

Lisa,

I also have many PIXes under my control. This "Firewall" does not log when it is scanned on its outside interface.
It considers that someone is attempting to access an already PATed session if the targeted port is already busy, and says nothing if the port is not busy.

This is true from prom 4 to the last. So using PIX forbids detecting attacks on the device.

At 20:04 12/03/2001 -0800, Lisa Napier wrote:
Hi Fabio,

Thank you for your detailed analysis, although we certainly would
appreciate the opportunity to review this prior to public posting.  We
prefer to minimize misinformation, as it can cause people to make decisions
based on inaccurate information, which is never a good thing.

We're currently in the process of reviewing your information and verifying
these issues, but have a few initial comments.

For the item listed as:
-- Cisco PIX Firewall Logging Feature when firewall is probed.

The PIX enforces that telnet to the outside interface must be IPsec
protected.  The messages indicate that the packets are not IPsec protected
and are therefore rejected.  This is documented in PIX configuration
guide.  PIX generates *at most one* such syslog message per second.

Additionally, for the item listed as:
   --  Cisco PIX Firewall syn flood * EASY DOS WITH PIX

This is a configuration mistake.  To activate TCP Intercept in the PIX, use
a non-zero embryonic limit. The embryonic limit is not enabled in this
configuration.  Additionally, the PIX TCP Intercept feature in the PIX is
ported from the IOS Firewall version.  There should not be differences
between the functionality of the two implementations.

We are still in the process of analyzing your other statements.

Thanks much,

Lisa Napier
Product Security Incident Response Team
Cisco Systems

At 07:32 PM 03/09/2001 +0100, Fabio Pietrosanti (naif) wrote:
Working with the Cisco PIX Firewall I wrote some notes about possible security
problems of the Cisco PIX.

Attached is the paper Cisco_PIX_Notes.txt :)


--
Pietrosanti  Fabio          I.NET SpA, High Quality Access to the Internet
e-mail:  naif () inet it       ( Technical Department, Security Staff )
        firewall () inet it
PGP Key (DSS)               http://naif.itapac.net/naif.asc

Home Page URL:            http://www.inet.it
Office:                   Via Darwin, 85 20019 Settimo Milanese (MI)
Tel:                      02-328631   Fax: 02-328637701
--
Free advertising: www.openbsd.org - Multiplatform Ultra-secure OS

Laurent LEVIER
IT Systems & Networks, Unix System Engineer
Security Specialist

Argosnet Security Server : http://www.Argosnet.com
"Le Veilleur Technologique", "The Technology Watcher"
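The embryonic-limit point in Lisa Napier's reply, shown as an added configuration example that is not part of any message in this thread. The interface names and the RFC 5737 documentation addresses are assumptions; the command form is the PIX 5.x/6.x `static` syntax, in which the two trailing positional arguments are the maximum connection count and the embryonic (half-open) connection limit, with 0 meaning unlimited:

```text
! Weak: the embryonic limit is left at 0 (unlimited), so TCP Intercept
! never engages and a SYN flood against the translated host can fill the
! connection table. Omitting both trailing arguments has the same effect.
static (inside,outside) 192.0.2.10 10.0.0.10 netmask 255.255.255.255 0 0

! Corrected: max_conns still unlimited (0), embryonic limit set to 100.
! Once 100 half-open connections to 10.0.0.10 exist, the PIX answers
! further SYNs on the server's behalf (TCP Intercept) and only passes
! the connection inward after the client completes the handshake.
static (inside,outside) 192.0.2.10 10.0.0.10 netmask 255.255.255.255 0 100
```

Pick the limit from the server's real backlog capacity rather than a round number, and confirm the configured values with `show static` after writing the configuration. Note also the logging caveat from the same reply: the rejected-telnet syslog message is emitted at most once per second, so the count of those messages is not a usable measure of scan intensity; treat their presence, not their rate, as the indicator.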

