
Thread: piercing NetScreen firewalls - major flaw

  1. #1
    Join Date
    Nov 2002

    piercing NetScreen firewalls - major flaw

    This is an advisory of a major flaw discovered on NetScreen firewall devices. You may publish it "as is".

    The software vendor -- NetScreen Technologies --
    was notified 3 weeks ago.


    SUBJECT: piercing NetScreen firewalls


    I.1 FACTS

    There is no way to configure NetScreen firewalls
    so as to block traffic carried by protocols other than
    IP and ARP (this occurs at least in bridge mode on 20x
    and 50x models, with the latest version of ScreenOS).

    For instance, broadcast frames carrying protocols like
    SNA, IPX, CDP, VST ... will all happily cross the
    firewall in and out without being checked or logged,
    possibly reaching remote parts of corporate networks.

    Even the zone used for managing the firewall
    is not immune!!!

    Not only is the flaw infamous, but here is the worst:
    NetScreen devised a FAKE, dummy screening option:
    "bypass non-IP traffic". Toggling it on or off has
    absolutely no effect: The NetScreen firewall standing
    in the middle this time really deserves being called

    It seems that the lower layers of NetScreen devices are
    (poorly) designed like switches or hubs -- which means
    the exact opposite of security.
    They talk to you about VLANs, and these have a bad, bad reputation.


    The flaw is infamous because it allows communications
    to be established through the NetScreen device in any direction
    between arbitrary hosts, I mean hosts which you probably
    classified as unreachable
    ... from the IP point of view ...
    Indeed, many network architects have only protocol "IP"
    in mind when thinking about routing and firewall rules
    -- this is a common blunder.

    Suppose you are an external bad guy, Mr H.
    Using Ethernet broadcast, you can sweep entire networks
    behind NetScreen firewalls, including the sensitive
    administration zone!!!
    Thus, from outside, Mr H can hope that a router or
    mainframe machine will answer CDP or SNA protocols.
    Maybe Mr H will then be able to join a cluster of Cisco
    routers, take control and bounce/penetrate further.
    Or maybe Mr H is really skilled or just a spy, and
    the frames (s)he sends will wake a dormant backdoor
    providing control access to some deeply nested host.

    Provided some traffic can flow without being controlled,
    logged, or noticed by commercial Intrusion Detection Systems,
    nearly everything is possible; the only limits are those of the imagination.

    For instance, you can think about using the channel
    as an IP tunnel, using the internal host as a VPN gateway
    to scan and penetrate further.

    Risks are incredibly high: one single forgotten or untrusted
    machine in your internal networks can compromise everything.
    And no security policy can handle this; besides, how would you
    be aware of a dormant backdoor?

    e.g. check http://www.securitytracker.com/topics/topics.html
    for vulnerabilities in Cisco's products and have a thrill.

    II. NEXT

    In the past few years, piercing vulnerabilities have been
    discovered, but it seems that the community focused too much
    on IP only: Great, complicated exploits using fragmentation
    attacks were published (defeating the state engine of IPFilter
    and Firewall-1),
    ... but the simple, raw aspects of layer-2/layer-3 filtering
    seem to have been completely overlooked.

    It would be interesting to probe other firewall products
    for similar flaws.

    When you pretend to sell a firewall, ensure that
    it blocks traffic which it is not able to inspect!!!

    If you don't want to run into issues like these,
    use either open source firewalls, or firewalls -- and software versions! --
    that are approved for diplomatic and military communications.

    Paul -- civil counter-spy
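As an added, defender-side example (not part of Paul's advisory and not NetScreen or ScreenOS code), here is a small Python audit that does what the post says a bridge-mode firewall should do: classify each Ethernet frame by its EtherType or LLC/SNAP header and treat anything that is not IPv4 or ARP as traffic to drop and log. It goes a little beyond the post by also decoding 802.3/LLC and SNAP encapsulation, which is how SNA and CDP are actually carried on the wire. The frames, the MAC addresses and the "IP-only" policy are constructed for the example.

```python
import struct

# EtherType values an "IP-only" bridge policy lets through (assumption for this example).
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ALLOWED_ETHERTYPES = {ETHERTYPE_IPV4, ETHERTYPE_ARP}
BROADCAST = b"\xff" * 6

# Labels used only for reporting.
ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x8137: "IPX", 0x86DD: "IPv6"}
SNAP_NAMES = {(0x00000C, 0x2000): "CDP"}           # Cisco OUI 00:00:0c, protocol id 0x2000
LLC_SAP_NAMES = {0x04: "SNA", 0xE0: "IPX (802.2)"}  # IEEE 802.2 DSAP values


def classify_frame(frame):
    """Parse one raw Ethernet frame and return dst/src, a broadcast flag, the EtherType
    (or None) and a protocol label. Handles Ethernet II, 802.3/LLC and LLC/SNAP."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, type_or_len = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"),
            "broadcast": dst == BROADCAST, "ethertype": None, "proto": None}
    if type_or_len >= 0x0600:
        # Ethernet II: the field is an EtherType.
        info["ethertype"] = type_or_len
    elif len(frame) >= 22 and frame[14:16] == b"\xaa\xaa":
        # 802.3 length field followed by LLC/SNAP: 3-byte OUI + 2-byte protocol id.
        oui = int.from_bytes(frame[17:20], "big")
        pid = struct.unpack("!H", frame[20:22])[0]
        if oui == 0:
            info["ethertype"] = pid       # OUI 0 means the pid is an ordinary EtherType
        else:
            info["proto"] = SNAP_NAMES.get((oui, pid), f"SNAP oui=0x{oui:06x} pid=0x{pid:04x}")
            return info
    elif len(frame) >= 17:
        # Plain 802.2 LLC: the DSAP identifies the protocol (SNA, IPX, ...).
        info["proto"] = LLC_SAP_NAMES.get(frame[14], f"LLC SAP 0x{frame[14]:02x}")
        return info
    else:
        info["proto"] = "802.3 frame with truncated LLC header"
        return info
    et = info["ethertype"]
    info["proto"] = ETHERTYPE_NAMES.get(et, f"EtherType 0x{et:04x}")
    return info


def verdict(info):
    """The check the advisory asks for: pass only IPv4 and ARP, drop everything else."""
    return "pass" if info["ethertype"] in ALLOWED_ETHERTYPES else "drop"


def audit(frames):
    """Classify each frame and return (protocol label, is_broadcast, verdict) tuples."""
    return [(i["proto"], i["broadcast"], verdict(i)) for i in map(classify_frame, frames)]


def leaked_protocols(frames):
    """Protocols an unfiltered bridge would have forwarded without inspection or logging."""
    return sorted({proto for proto, _, v in audit(frames) if v == "drop"})


# --- constructed sample frames (not captured traffic) -------------------------
def ethernet_ii(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def ieee8023(dst, src, llc_and_payload):
    return dst + src + struct.pack("!H", len(llc_and_payload)) + llc_and_payload


SRC = bytes.fromhex("001122334455")        # made-up source MAC
UNICAST = bytes.fromhex("00aabbccddee")    # made-up destination MAC
CDP_MCAST = bytes.fromhex("01000ccccccc")  # Cisco's CDP multicast address

SAMPLE_FRAMES = [
    ethernet_ii(UNICAST, SRC, ETHERTYPE_IPV4, bytes(20)),
    ethernet_ii(BROADCAST, SRC, ETHERTYPE_ARP, bytes(28)),
    ethernet_ii(BROADCAST, SRC, 0x8137, bytes(30)),
    ieee8023(CDP_MCAST, SRC, b"\xaa\xaa\x03" + b"\x00\x00\x0c" + b"\x20\x00" + bytes(8)),
    ieee8023(BROADCAST, SRC, b"\x04\x04\x03" + bytes(10)),
]

if __name__ == "__main__":
    for proto, bcast, v in audit(SAMPLE_FRAMES):
        print(f"{proto:<10} broadcast={bcast!s:<5} {v}")
    print("would have crossed an unfiltered bridge:", leaked_protocols(SAMPLE_FRAMES))
```

To turn this into a real test of a bridge-mode firewall, feed it the raw bytes of frames captured on the inside interface while generating the same frames on the outside: any protocol that shows up in the "drop" list on the inside has crossed unchecked, which is exactly the gap the advisory describes.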

  2. #2
    Senior Member
    Join Date
    Mar 2003
    central il
    Interesting but ultimately pointless. If you run a protocol besides IP that is routable (IPX) then make sure you run a firewall capable of blocking it. In a modern network there is no reason to run anything besides IP so make sure that's all your systems talk.
    Who is more trustworthy than all of the gurus or Buddha's?

  3. #3
    You can always tunnel
    Let's go to Paramount Great America !!!! LFC (LookingForChick)
