Penetration Testing mailing list archives

[PEN-TEST] Watchguard Firebox II


From: "Waters, Simon" <Simon () WRETCHED DEMON CO UK>
Date: Tue, 12 Dec 2000 19:30:00 +0000

The most common Watchguard gaffe was not to disable outgoing
UDP.

The GUI has a checkbox for this, but off the shelf outgoing UDP
was enabled. They sent me a T-shirt for suggesting they
change it 8-) but worth checking.

Similarly, it is an easy mistake with the GUI to enable the outgoing
TCP proxy rather than an HTTP proxy. This is because the 'obvious'
HTTP proxy service is a combination of a TCP proxy and an HTTP
proxy, whereas there is a specific HTTP-only proxy service. The
result is that more outgoing TCP connections are allowed than was
intended. I guess it is easy for educational and other sites that
allow any outgoing traffic.

(By TCP proxy I mean the Firebox hides internal IPs - like Cisco
port address translation but not as clever - although you may
have registered IPs behind the box if you have IP addresses to
burn or think NAT is evil 8-).)

Not sure of the best attack from outside. They run a Linux kernel
underneath - so try typical Linux firewall stuff.

The recommended (!) configuration uses proxy ARP with the same
address on trusted, external, and optional. This makes for
complex ARP and routing settings, but whilst I've seen a lot that
had incorrect settings, I've not seen this cause a 'security
problem'.

The Watchguard has some automatic blackholing for port
scanning and the like. Off by default. So some people may be
susceptible to DoS by spoofing a scan.

Watchguard have published some DoS vulns - but they are very
keen on distributing fixes.

In summary - many admins allow too much outgoing UDP and
TCP because they can't drive the box.

   Simon () wretched demon co uk

(Long time Watchguard fan, hoping he got the right e-mail as he
is away from the Office)
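The "worth checking" above is a plain egress test: from a host on the trusted side, try to get TCP and UDP out to a box you control on the outside and see what the Firebox lets through. The following is an added example written for this archive, not code from the post or from Watchguard. It assumes you have an external host running a TCP listener and a UDP echo service (both hypothetical); for an offline run it stands those up on loopback so the probe logic can be exercised without a network.

```python
import socket
import threading
from typing import Dict, List, Tuple

PROBE = b"egress-probe"  # constructed payload; content is irrelevant to the check


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes, i.e. the firewall let the
    SYN out and something answered. RST and timeout both count as not reachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_udp(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a UDP datagram to host:port draws any reply. UDP has no handshake,
    so silence is ambiguous (filtered, or nothing listening): aim this at a UDP
    echo listener you control on the outside to get a definite answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(PROBE, (host, port))
            s.recvfrom(1024)
            return True
        except (socket.timeout, OSError):
            return False


def run_egress_checks(targets: List[Tuple[str, str, int]]) -> Dict[str, bool]:
    """targets: (proto, host, port) tuples. Returns {'proto:host:port': reachable}."""
    results: Dict[str, bool] = {}
    for proto, host, port in targets:
        fn = probe_tcp if proto == "tcp" else probe_udp
        results[f"{proto}:{host}:{port}"] = fn(host, port)
    return results


def start_local_listeners() -> Tuple[int, int, threading.Event]:
    """Loopback stand-in for the external box: a TCP acceptor and a UDP echo
    service, so the probes can be run offline. Returns (tcp_port, udp_port, stop)."""
    stop = threading.Event()

    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))
    tcp.listen(5)
    tcp.settimeout(0.2)

    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    udp.settimeout(0.2)

    def tcp_loop() -> None:
        while not stop.is_set():
            try:
                conn, _ = tcp.accept()
                conn.close()
            except socket.timeout:
                continue
        tcp.close()

    def udp_loop() -> None:
        while not stop.is_set():
            try:
                data, addr = udp.recvfrom(1024)
                udp.sendto(data, addr)  # echo back, so the prober sees a reply
            except socket.timeout:
                continue
        udp.close()

    threading.Thread(target=tcp_loop, daemon=True).start()
    threading.Thread(target=udp_loop, daemon=True).start()
    return tcp.getsockname()[1], udp.getsockname()[1], stop


def unused_port(proto: str = "tcp") -> int:
    """A port with nothing listening, to show what a blocked/closed probe looks like."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> Dict[str, bool]:
    """Offline run: two targets that answer, two that do not."""
    tcp_port, udp_port, stop = start_local_listeners()
    try:
        return run_egress_checks([
            ("tcp", "127.0.0.1", tcp_port),
            ("udp", "127.0.0.1", udp_port),
            ("tcp", "127.0.0.1", unused_port("tcp")),
            ("udp", "127.0.0.1", unused_port("udp")),
        ])
    finally:
        stop.set()


if __name__ == "__main__":
    for target, reachable in demo().items():
        print(f"{target:<28} {'OPEN' if reachable else 'blocked/no reply'}")
```

Against a real Firebox, replace the loopback targets with your external host and the ports you care about (e.g. a UDP listener on 53 or 123 and TCP on 22, 443 and a high port) and run it from the trusted side; if the UDP probes come back OPEN you have found the default the post describes, and if TCP to arbitrary ports gets out you are probably running the generic TCP proxy rather than the HTTP-only one. Remember that a UDP probe with no reply only proves something is missing somewhere along the path, which is why the listener on the far end has to be yours.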

