Cisco ACL bug when using VPN crypto engine accelerator, PPPoE dialer or ip route-cache


Date: 14 May 2003 14:52:44 -0000
From: Olivier <itsce.networkservices@pmintl.ch.>
To: [email protected]
Subject: Cisco ACL bug when using VPN crypto engine accelerator, PPPoE dialer or ip route-cache

Platform: Cisco 1760 dual Ethernet
IOS 12.2.xT IP/ADSL/FW/IDS PLUS IPSEC 3DES
Environment: site-to-site VPN for small offices.

ACLs are not properly parsed as soon as you enable:

  crypto engine accelerator
  PPPoE dialer
  ip route-cache

Without the features mentioned above, you can apply an ACL on the outside
interface allowing only inbound ISAKMP and IPSEC traffic, i.e.:

ip access-list extended Block-Inbound-unwanted-Trafic
 permit udp 100.100.100.0 0.0.0.255 host 102.168.1.2 eq isakmp
 permit esp 100.100.100.0 0.0.0.255 host 102.168.1.2
 deny   ip any any log

If you activate the crypto engine, the ACL is parsed as well on decrypted
traffic, which forces you to allow all traffic for the decrypted traffic as
well. I.e., if you are using 10.x addresses internally and the subnet
10.200.0.0/24 for your SOHO LAN. It can be worse if you have a huge network
inside, where you would prefer to add "permit ip any 10.200.0.0 0.0.0.255".

ip access-list extended Block-Inbound-unwanted-Trafic
 permit udp 100.100.100.0 0.0.0.255 host 102.168.1.2 eq isakmp
 permit esp 100.100.100.0 0.0.0.255 host 102.168.1.2
 permit ip  10.0.0.0 0.255.255.255 10.200.0.0 0.0.0.255  <-----------@%#$%@
 deny   ip any any log

This looks pretty bad for a VPN box running a Firewall feature set IOS,
seen as the best candidate for VPN for small offices.

The worst is the reply from Cisco:
-------------------------------------------------------------------
We will be addressing this in the next few months; however,
the release time frame could be as late as the end
of the year.

We do have plans to address it but do
not expect it in a released image until the
last calendar quarter of the year. If it's possible we
can get it done and released sooner than what I've
mentioned, we will do it, no guarantees however.
-------------------------------------------------------------------

We would have hoped that they put more resources and concern into solving
security issues.
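The following is an added example, not code from the post or from Cisco. It models Cisco-style extended ACL evaluation (wildcard masks, first match wins, implicit deny) and applies the inbound ACL twice, first to the ESP packet on the wire and then to the decrypted inner packet, which is the double evaluation the post reports once the crypto engine accelerator is enabled. It uses the post's two ACLs and its (already anonymised) addresses; the packets and the `Packet`/`Ace` helpers are constructed for the example and are not IOS data structures.

```python
"""Model of inbound ACL evaluation before and after decryption.

Added example (not the post's or Cisco's code). A Cisco wildcard mask bit
set to 1 means "don't care"; an entry matches when protocol, masked source,
masked destination and (for udp/tcp "eq" entries) destination port agree.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str               # "udp", "tcp", "esp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # protocol name, or "ip" for any protocol
    src: str
    src_wild: str            # Cisco wildcard mask for the source
    dst: str
    dst_wild: str            # Cisco wildcard mask for the destination
    dport: Optional[int] = None   # "eq <port>" qualifier, if any


def _wild_match(addr: str, base: str, wild: str) -> bool:
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wild))
    # Bits set in the wildcard are ignored; all other bits must match.
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


def _ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not _wild_match(pkt.src, ace.src, ace.src_wild):
        return False
    if not _wild_match(pkt.dst, ace.dst, ace.dst_wild):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; an implicit deny ends the list, as in IOS."""
    for ace in acl:
        if _ace_matches(ace, pkt):
            return ace.action
    return "deny"


def host(addr: str) -> Tuple[str, str]:
    """Cisco 'host X' notation: exact match, wildcard 0.0.0.0."""
    return (addr, "0.0.0.0")


ANY = ("0.0.0.0", "255.255.255.255")
ISAKMP = 500

# The tight ACL from the post: only ISAKMP and ESP from the peer's subnet.
TIGHT_ACL = [
    Ace("permit", "udp", "100.100.100.0", "0.0.0.255", *host("102.168.1.2"), ISAKMP),
    Ace("permit", "esp", "100.100.100.0", "0.0.0.255", *host("102.168.1.2")),
    Ace("deny", "ip", *ANY, *ANY),
]

# The loosened ACL the post was forced into once the accelerator was enabled.
LOOSE_ACL = TIGHT_ACL[:2] + [
    Ace("permit", "ip", "10.0.0.0", "0.255.255.255", "10.200.0.0", "0.0.0.255"),
    Ace("deny", "ip", *ANY, *ANY),
]


def inbound_decisions(acl: List[Ace], outer: Packet, inner: Packet) -> Tuple[str, str]:
    """Decision for the ESP packet on the wire, then for its decrypted payload
    re-evaluated against the same inbound ACL (the behaviour the post describes)."""
    return evaluate(acl, outer), evaluate(acl, inner)


# Constructed sample traffic: ESP from the peer carrying a remote-LAN packet
# to the SOHO subnet, and a cleartext packet with the same inner addresses
# arriving on the outside interface without any tunnel.
ESP_FROM_PEER = Packet("esp", "100.100.100.7", "102.168.1.2")
INNER_LAN = Packet("tcp", "10.5.1.20", "10.200.0.15", 445)
CLEARTEXT_SPOOF = Packet("tcp", "10.5.1.20", "10.200.0.15", 445)

if __name__ == "__main__":
    print("tight ACL (outer, inner):", inbound_decisions(TIGHT_ACL, ESP_FROM_PEER, INNER_LAN))
    print("loose ACL (outer, inner):", inbound_decisions(LOOSE_ACL, ESP_FROM_PEER, INNER_LAN))
    print("loose ACL, cleartext 10.x spoof on outside:", evaluate(LOOSE_ACL, CLEARTEXT_SPOOF))
```

With the tight ACL the ESP packet is permitted but the decrypted inner packet is denied, which is the symptom the post describes. With the loosened ACL both pass, and so does any cleartext packet that merely claims a 10.x source and a 10.200.0.0/24 destination, since the added entry applies to the outside interface regardless of whether the packet came out of a tunnel; that is the cost of the workaround the post objects to.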




