Firewall-1 Reserved Keywords Vulnerability


Date: Mon, 11 May 1998 12:33:58 -0500
From: Aleph One <aleph1@NATIONWIDE.NET.>
To: [email protected]
Subject: Firewall-1 Reserved Keywords Vulnerability

This vulnerability in Firewall-1 has been made public by CheckPoint
but hasn't been well publicized.

Most of this information is taken verbatim from the CheckPoint web page
on this issue. You can find this page at
http://www.checkpoint.com/techsupport/config/keywords.html

Summary:

If you use one of several reserved keywords to represent any user-defined
object in a rule, the default definition of "ANY" will be used instead.
This behavior may grant (or deny) access to a greater number of addresses
or services than expected.

Description:

The following keywords should not be used to represent any user-defined
object in a FireWall-1 installation:

         Short, Long, Account, Alert, SnmpTrap, Mail, UserDefined, spoof,
         spoofalert, Auth, AuthAlert, Duplicate basewin, serviceswin,
         netobjwin, viewwin, users, resources, time, true, false, last,
         first, status_alert, fwalert


If any of these keywords are used to represent either a network or a
service object and are subsequently used in a security policy, FireWall-1
will interpret the object definition as "undefined". If no other object is
used either in the source/destination or service field of the rule, then
the default address definition of "ANY" is used for that particular field.

Note that in practice only objects in the "tracking" menu of type "alert"
seem to behave this way. Objects such as "Long", of type "log", do not
show this behavior.

Example:

If you have a rule that allows SMTP access to a machine called "Mail" on
your DMZ, you are actually giving SMTP access to any machine behind the
firewall.

Recommendations:

If any of these keywords are defined as network objects or service objects
and used in a rule base, then the object should be renamed and the
security policy reloaded.
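An added illustration, not part of the advisory or of CheckPoint's material: a small Python model of the "undefined, therefore ANY" fallback described above, plus an audit that flags object names colliding with the reserved list. It assumes the list reads as separate entries ("Duplicate", "basewin") and matches names case-insensitively so the audit stays conservative.

```python
# Added example (not from the advisory or CheckPoint). Models the fallback the
# advisory describes and audits a rule base for reserved-keyword collisions.
# Assumptions: "Duplicate" and "basewin" are two entries, and matching is
# case-insensitive (conservative for an audit).
RESERVED_KEYWORDS = {
    "Short", "Long", "Account", "Alert", "SnmpTrap", "Mail", "UserDefined",
    "spoof", "spoofalert", "Auth", "AuthAlert", "Duplicate", "basewin",
    "serviceswin", "netobjwin", "viewwin", "users", "resources", "time",
    "true", "false", "last", "first", "status_alert", "fwalert",
}
_RESERVED_LOWER = {k.lower() for k in RESERVED_KEYWORDS}
ANY = "ANY"


def resolve_field(names, defined_objects):
    """Resolve one rule field (source, destination or service).

    A name that matches a reserved keyword is treated as undefined, as the
    advisory describes. If no usable object remains in the field, the
    default of ANY applies to that whole field.
    """
    usable = [n for n in names
              if n in defined_objects and n.lower() not in _RESERVED_LOWER]
    return usable if usable else ANY


def effective_rule(rule, defined_objects):
    """Return the rule as the firewall would actually enforce it."""
    return {field: resolve_field(names, defined_objects)
            for field, names in rule.items()}


def find_collisions(defined_objects):
    """Audit: object names that collide with a reserved keyword."""
    return sorted(n for n in defined_objects if n.lower() in _RESERVED_LOWER)


# Constructed sample rule base: a DMZ mail host named "Mail" (the advisory's
# example), one web host and two services.
OBJECTS = {"Mail", "dmz-web", "smtp", "http"}
SMTP_RULE = {"source": ["ANY"], "destination": ["Mail"], "service": ["smtp"]}

if __name__ == "__main__":
    print("collisions:", find_collisions(OBJECTS))
    # The destination field collapses to ANY: SMTP is permitted to every
    # host behind the firewall, not only to the intended mail server.
    print("enforced:", effective_rule(SMTP_RULE, OBJECTS))
```

Renaming "Mail" (the advisory's fix) makes the destination resolve to the intended host again.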

Additional Notes:

Mechanisms are being built into future releases of FireWall-1 to prevent
using these keywords as user-defined objects.


Aleph One / [email protected]
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01

