Re: Potential Security Flaw in Symantec Gateway Security 360R

[ed p <firewall1e () netscape net>]

In-Reply-To: <BCEBFFBB.ED1%devnull () cox net>

  I have tested this thoughrouly and reproduced the symptoms of the reported issue. When Enforce VPN is enabled for 
internal wireless traffic on the appliance something interesting happens. The appliance changes the virtual lan mac 
addresss to that of the wireless nic installed on the appliance. This can cause some confusing results.

Explanation:
The firmware loads the mac address of the firewall appliance/vpn gateway assigned to the virtual interface on the lan 
side. When either using wireless or connected to the internal lan ports of the 360 that mac address is cached by the 
clients/servers on the lan. A unique feature of the SGS 360 appliance is that instead of using WEP you can secure your 
wireless connection by using Symantec VPN client which terminates at the appliance. In this manner all traffic from the 
wireless client uses ipsec through the vpn tunnel to the lan instead of WEP. To accomplish this you must selct "Enforce 
VPN Tunnels/Disallow IPSec pass thru" or "Enforce VPN Tunnels/Allow IPSec pass thru" setting which enforces the vpn 
traffic to the appliance to the lan. 

Heres what happens next:
When  "Enforce VPN Tunnels/Disallow IPSec pass thru" or "Enforce VPN
> Tunnels/Allow IPSec pass thru" setting is saved, the mac address of the wireless card now binds its mac address to the 
> virtual interface instead of the original lan mac address.( it actually assumes the mac of the wireless nic) "The mac 
> address on the lan interface is now that of the wireless" Since the clients/servers on the lan and the wireleless 
> clients already have the original mac address of the vitual interface cached in the ARP table, they are still attached 
> the lan segment, until they are rebooted, the ARP cache cleared, or the ARP table times out in approximately 10 
> minutes. Since all traffic should now only be allowed to the lan when the VPN internal tunnel is connected,the 
> observation that you can still ping the lan due to the arp cache not being cleared, one could conclude that  "Enforce 
> VPN Tunnels/Disallow IPSec pass thru" or "Enforce VPN>Tunnels/Allow IPSec pass thru" settings are not working.

Test results:
The fact is that enforcing the vpn tunnels does work in the tests but that the appliance does not send out a gratuitous 
ARP to clear the clients arp cache. Therefore it appears that even though the enforcment of the VPN is enabled, for 
several minutes you can still ping the lan. WHEN THE CACHE IS CLEARED YOU CAN ONLY PASS TRAFFIC TO THE LAN THROUGH THE 
VPN TUNNEL as it should. Reason being the clients/servers now have the mac address of the wireless card cached in the 
arp table. So unless you pass traffic through the connected VPN you can not get to the lan segment, which does work. 
This was repeated in tests many times successfully.

Conclusion:
This is more of a design issue than anything else, and I am sure it can be corrected by changeing the firmware to send 
gratuitous arps on the lan when the wireless mac address is bound to the virtual interface, or similar code change
 


RE:
> Has anyone experienced this problem? Can anyone reproduce it?