[NEWS] SMC Barricade's Dodgy "DMZ" Feature

From: support@securiteam.com
Date: 12/28/01


From: support@securiteam.com
To: list@securiteam.com
Date: Fri, 28 Dec 2001 13:29:47 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  SMC Barricade's Dodgy "DMZ" Feature
------------------------------------------------------------------------

SUMMARY

 
<http://www.smc.com/index.cfm?action=products_show_product&productcode=SMC7004ABR> SMC Barricade (SMC7004ABR) is an all-in-one networking solution for home and small business users. A security-related design flaw in the product does not separate internal hosts from DMZed networks as it should, allowing compromised hosts in the DMZ full access to the internal network.

DETAILS

As many of us know, hosts in a DMZ ("De-Militarized Zone") should not be
able to initiate connections to internal LAN hosts. The whole point of
having a DMZ is to prevent LAN hosts from also being compromised, should a
DMZ host be compromised (for example through one of its Internet-facing
services, like web or FTP). However, when you set one of your LAN hosts to
be the "virtual DMZ host" in SMC Barricade, that host can still connect in
any usual way (e.g. ping, SSH, etc.) to the other LAN hosts. In other
words, the "virtual DMZ host" is still part of the LAN, not "quarantined"
somehow in a little network of its own.

Vendor response:
SMC has explained this by using a different definition of a DMZ, which
basically goes like this: when you want to use network software that
doesn't use standard ports (like ICQ file transfers), it's convenient to
be able to back off all the firewall rules for a given host, so all ports
are available. You will notice this definition results in less security,
not more. According to SMC, this definition is the norm used by virtually
all other home firewall appliance manufacturers; apparently, this makes it
OK.

Possible solutions:
Do not use the DMZ feature on the Barricade. If you must use it, add
firewalling rules on all LAN boxes to protect them from the DMZ host.
Although cumbersome, this should approximate the functionality of a DMZ.
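The per-host rules suggested above, worked through as an added example (not part of the advisory, and not SMC's own configuration): a POSIX shell script that generates an iptables-restore ruleset for a Linux LAN box so that the Barricade's "virtual DMZ host" cannot open new connections to it, while replies to connections the LAN box itself initiated (e.g. an admin SSH session towards the DMZ host) still get through. The DMZ host address 192.168.2.50 is a constructed value; the function and chain names are this example's own, and the apply step assumes `iptables-restore` is installed.

```shell
#!/bin/sh
# Added example, not from the SecuriTeam advisory or from SMC.
# Constructed value: the Barricade's "virtual DMZ host" is assumed to be
# 192.168.2.50; substitute the address of your own DMZ host.
DMZ_HOST="${DMZ_HOST:-192.168.2.50}"

# Emit an iptables-restore ruleset (filter table) for ONE LAN host that
#  - accepts replies to connections this host opened (even from the DMZ host),
#  - logs (rate-limited) and drops anything new the DMZ host tries to open.
# $1 = DMZ host address
gen_dmz_isolation_rules() {
    dmz_host="$1"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DMZ_ISOLATE - [0:0]
# Replies to connections this LAN host initiated are fine, DMZ host included.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Everything else arriving from the DMZ host goes to the isolation chain.
-A INPUT -s ${dmz_host} -j DMZ_ISOLATE
# Log a few attempts per minute (these are your detection signal), then drop.
-A DMZ_ISOLATE -m limit --limit 5/min -j LOG --log-prefix "DMZ-to-LAN blocked: "
-A DMZ_ISOLATE -j DROP
COMMIT
EOF
}

# Read a ruleset from stdin and confirm the two lines that actually enforce
# isolation are present: the INPUT jump for the DMZ source and the DROP.
# Returns 0 when both are there, 1 otherwise. Useful as a quick audit of
# the live table: iptables-save | verify_isolation_rules 192.168.2.50
verify_isolation_rules() {
    dmz_host="$1"
    rules="$(cat)"
    printf '%s\n' "$rules" | grep -qF -e "-A INPUT -s ${dmz_host} -j DMZ_ISOLATE" || return 1
    printf '%s\n' "$rules" | grep -qF -e "-A DMZ_ISOLATE -j DROP" || return 1
    return 0
}

# Install the ruleset. iptables-restore replaces the whole filter table, so
# review gen_dmz_isolation_rules output first and merge any rules you already
# rely on. Refuses to run unless root.
apply_dmz_isolation_rules() {
    dmz_host="$1"
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_dmz_isolation_rules: must run as root" >&2
        return 1
    fi
    gen_dmz_isolation_rules "$dmz_host" | iptables-restore
}

# Stand-alone run: print the ruleset for the assumed DMZ host so it can be
# reviewed, then saved or piped into apply_dmz_isolation_rules.
gen_dmz_isolation_rules "$DMZ_HOST"
```

Repeat the apply step on every LAN box (with the address of your real DMZ host); the LOG rule gives each host a kernel log line per blocked attempt, which is the evidence you want if the DMZ host ever starts probing the LAN.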

ADDITIONAL INFORMATION

The information has been provided by
<mailto:Dustin.Harriman@AnalogSynthesis.com> Dustin Harriman.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
