Firewall Wizards mailing list archives

Re: Question about setting up PIX firewall


From: "Paul D. Robertson" <paul () compuwar net>
Date: Fri, 2 Dec 2005 02:18:06 -0500 (EST)

On Fri, 2 Dec 2005, James wrote:

> I would strongly disagree Paul.  We can learn an enormous amount of
> recon intelligence from Matthew's config.


Well, I got several messages of support which said "I'm glad you said that 
so I didn't have to" (those folks are welcome to chime back in), so let's 
look at your points...

> 1. We know he is using a PIX so we only have to look for exploits for that.

Assuming it's up to date, that leaves zero day exploits, which really 
should be rare these days.  It also assumes the PIX is the only 
firewall there (which is likely, but not definite).

> 2. Domain name-> domain-name spectrumdirect.local and dns server
> vpngroup SpectrumDirect dns-server 192.168.1.250
> 192.168.1.250


Yes, we could probably derive that anyway - it's a .edu - it's not like 
their architecture is uber seekrit...

> 3. His rfc1918 subnet-> 192.168.1.128 255.255.255.128
> Which we may be able to exploit with source routed packet attacks.
> (I am not sure how well the PIX stands up to these)

If either strict or loose source routing gets through your firewall, it's a 
decade out of date...  In any case, *lots* of people use Outlook Express 
or other things which "leak" 1918 addresses, that shouldn't matter one 
bit.  Know what?  My home network is 10.1.10.x/24 - knowing that won't do 
you one bit of good, because my security implementation is as strong as 
it needs to be and my ruleset is protective.


> 3. He is using a client to site vpn with split tunnelling enabled so if we could
> find a user's home PC and compromise it we could gain a significant
> amount of access while the user is connected to the vpn.


But if you could find a client *and* compromise it, you'd be able to do 
that *anyway*, knowing the ruleset doesn't significantly change the risk 
there.  FWIW, you'd have to find and compromise a VPN-allowed client and 
if you can do that, there are way more useful things you can do as an 
attacker with or without split tunneling.  If you need split tunnels, 
you're likely not sophisticated enough an attacker to worry about the 
minor incremental risk.

> 4. We know the vpn config so we can easily get our hands on the cisco vpn client
> and try to BF the password because the AUTH is LOCAL and the BF
> attempt probably won't be detected.

If it's subject to a brute force, it is anyway - it's more likely that that 
would happen blind these days.


> 5. telnet 192.168.1.0 255.255.255.0 inside
> Telnet is used to administer the box so if we can compromise the web
> server inside we can probably sniff the pix password and allow ourselves
> whatever access we want.

If you could do that, you'd be able to do the same thing anyway, the 
config doesn't materially add to that - you'd still have to have an 
exploit.  Of course, this assumes the network is sniffable, which is not a 
given these days.  On a .edu network, an outside attacker isn't the likely 
point of compromise anyway.

> These are just a few ideas I pulled off the top of my head.  Matthew
> Davis, if you are reading this I strongly advise you to request the
> firewall wizards mailing list pull your post off their servers and
> also request google to do the same, however more than likely your post
> has already been cached and/or skimmed.

Assuming your firewall is functional (and you've provided zero evidence 
that his isn't) then if your firewall ruleset isn't publicly auditable, 
you're doing something wrong.  If it is, then its disclosure adds very 
little to the actual risk.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
http://fora.compuwar.net      Infosec discussion boards 
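As an added example (not from this thread or either poster), here is a small Python scrubber a defender could run over a PIX-style config before posting it for review: it redacts password lines and flags the settings James pointed to (telnet management, split tunneling, LOCAL auth) so the poster can decide what to fix or trim first. The config fragment is constructed, and PIX 6.x line syntax is assumed.

```python
import re

# Constructed sample in PIX 6.x style; not the configuration discussed in the thread.
SAMPLE_CONFIG = """\
hostname pix
domain-name spectrumdirect.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
aaa-server LOCAL protocol local
vpngroup SpectrumDirect dns-server 192.168.1.250
vpngroup SpectrumDirect split-tunnel inside_outbound_nat0_acl
vpngroup SpectrumDirect password Sup3rSecret
telnet 192.168.1.0 255.255.255.0 inside
"""

# Lines whose value is a secret (hashed or not): keep the keyword, drop the value.
REDACT = [
    (re.compile(r"^(enable password|passwd) \S+"), r"\1 <REDACTED>"),
    (re.compile(r"^(vpngroup \S+ password) \S+"), r"\1 <REDACTED>"),
]

# Settings worth a second look before the config goes public.
CHECKS = [
    (re.compile(r"^telnet \S+ \S+ \S+"), "cleartext telnet management enabled; prefer ssh"),
    (re.compile(r"^vpngroup \S+ split-tunnel "), "split tunneling enabled for remote-access VPN"),
    (re.compile(r"^aaa-server LOCAL protocol local"), "local VPN user auth; check lockout and logging"),
]


def scrub(config: str):
    """Return (scrubbed_text, findings).

    findings is a list of (line_number, message) in config order.
    """
    out, findings = [], []
    for n, line in enumerate(config.splitlines(), 1):
        for pat, repl in REDACT:
            line = pat.sub(repl, line)
        for pat, msg in CHECKS:
            if pat.match(line):
                findings.append((n, msg))
        out.append(line)
    return "\n".join(out) + "\n", findings


if __name__ == "__main__":
    text, found = scrub(SAMPLE_CONFIG)
    print(text)
    for n, msg in found:
        print(f"line {n}: {msg}")
```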

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards