Date: Fri, 12 Jul 2002 13:38:03 +0100
From: Damir Rajnovic <gaus@cisco.com>
To: [email protected], [email protected], [email protected],
Subject: The answer to the PIX encryption issue
Cc: [email protected], [email protected]
This is in response to the mail sent by Michael Thumann and mao.
The mail is available at
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0121.html
(Weak Cisco Pix Password Encryption Algorithm)
When considering the published report one must take the following
into account:
*) The password length and quality are very important.
Using passwords with ten characters or more will make a brute-force
attack much harder, up to the point where it becomes computationally
infeasible using the present algorithms and general purpose computers.
Using passwords which are not easy to guess, with a mixture of
lower and upper case letters and numbers, will make an offline dictionary
attack much harder.
*) This attack is effective only if an attacker can capture the
configuration file.
In order to prevent interception of the configuration files for the
PIX particularly during transfer between devices, customers should
review their policies and practices concerning storage and transfer
of PIX configuration files. Critical points of review should include
firewall management systems and backup procedure (including media and
disposal).
*) By default, the PIX will not accept interactive connections on any port
except the console port.
Even if an attacker possesses the password, an interactive
administrative session must be established to the trusted/protected
(or externally via IPSEC) interface of the PIX in order to take
advantage of this. Cisco configuration guides recommend explicit and
careful configuration of permitted administrative hosts, and the default
configuration requires the administration hosts to be explicitly
configured.
*) Users are encouraged to use the local database, which uses "salted"
passwords. An example configuration is:
    username <user> password <secret password>
    aaa authentication enable console LOCAL
Alternatively, users can consider using TACACS+ or RADIUS
for authentication.
The practice of having a single, shared enable password should be
discouraged in favor of creating separate usernames with the
appropriate privilege level. Additionally, the practice of sharing
the same configuration file among multiple PIXes should be
reconsidered. For the exact syntax of PIX commands, consult
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/cmdref/index.htm
==============
Damir Rajnovic <psirt@cisco.com>, PSIRT Incident Manager, Cisco Systems
<http://www.cisco.com/go/psirt> Telephone: +44 7715 546 033
200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB
==============
There are no insolvable problems.
The question is: can you accept the solution?
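As an added illustration, not part of the original mail or of any Cisco tool, the following Python script checks a PIX configuration against the recommendations above: per-user accounts with LOCAL enable authentication instead of a single shared enable password, and administrative access limited to explicitly listed hosts. The configuration excerpts are constructed samples; the telnet/ssh host-restriction lines, the `encrypted` keyword and the `privilege` keyword are assumed PIX 6.x syntax, and the hash values are placeholders.

```python
import re
from typing import List

# Constructed sample excerpts in PIX 6.x configuration syntax (not from the
# advisory); the telnet/ssh host-restriction lines, 'encrypted' and 'privilege'
# are assumed syntax, and the hash values are placeholders.
WEAK_CONFIG = """\
enable password XXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXX encrypted
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""

HARDENED_CONFIG = """\
enable password XXXXXXXXXXXXXXXX encrypted
username admin password XXXXXXXXXXXXXXXX encrypted privilege 15
aaa authentication enable console LOCAL
telnet 192.168.10.0 255.255.255.0 inside
ssh 192.168.10.5 255.255.255.255 inside
"""

MGMT_LINE = re.compile(r"^(telnet|ssh)\s+(\S+)\s+(\S+)\s+(\S+)$")
ANY_HOST = ("0.0.0.0", "0.0.0.0")


def audit_pix_config(config: str) -> List[str]:
    """Return one finding per advisory recommendation the configuration does
    not follow; an empty list means every check passed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings: List[str] = []

    # Per-user accounts in the local database rather than one shared enable password.
    if not any(ln.startswith("username ") for ln in lines):
        findings.append("no 'username' entries: only the shared enable password is in use")

    # Enable-mode authentication must be bound to the local user database.
    if "aaa authentication enable console LOCAL" not in lines:
        findings.append("'aaa authentication enable console LOCAL' is missing")

    # Administrative access must be limited to explicitly listed hosts/networks.
    for ln in lines:
        m = MGMT_LINE.match(ln)
        if m and (m.group(2), m.group(3)) == ANY_HOST:
            findings.append(f"{m.group(1)} management permitted from any host on '{m.group(4)}'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_pix_config(cfg) or ["OK"])
```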