[NEWS] Symantec Firewall/VPN Appliance Internal LAN Sniffing Issue
From: support@securiteam.com Date: 10/26/02
From: support@securiteam.com To: list@securiteam.com Date: 26 Oct 2002 18:03:50 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Symantec Firewall/VPN Appliance Internal LAN Sniffing Issue
------------------------------------------------------------------------
SUMMARY
Symantec is aware of an ARP poisoning issue with the Symantec Firewall/VPN
product that was reported on the BugTraq mailing list. The issue occurs
only on the trusted LAN ports of the affected appliances. It could affect
Symantec Firewall/VPN Appliance deployments by allowing a malicious
internal user to employ ARP poisoning techniques to intercept traffic that
is intended for the management port.
DETAILS
Vulnerable systems:
* Symantec Firewall/VPN 100 (all firmware versions)
* Symantec Firewall/VPN 200 (all firmware versions)
* Symantec Firewall/VPN 200R (all firmware versions)
Users inside the corporate network (LAN) are able to sniff the
administrator's password by means of ARP poisoning.
To avoid this problem, Juan de la Fuente Costa tried hard-coding the
administrator's MAC address in the firewall's configuration. This was not
a working solution: the attack was still possible in that scenario.
Symantec Recommendation:
Symantec has determined that the Symantec Firewall/VPN appliances operate
as designed. However, the following procedures can be implemented if
secure internal remote administration is required.
The Symantec Firewall/VPN Appliances can be remotely managed securely
using IPSEC technology through the outside WAN ports. Symantec recommends
that if ARP poisoning is of concern in your internal environment, you
manage the appliance through a gateway-to-gateway VPN tunnel on the model
100/200/200R or through a client-to-gateway VPN tunnel on the model 200R.
In addition, administrators can use the second WAN port of the 200/200R as
an isolated local management port, thus preventing a rogue internal user
from sniffing the directly connected wire.
Protecting against ARP attacks requires a combination of techniques and
tools. For example, there are tools available in the field that will alert
administrators when an ARP request has caused a change in a MAC-to-IP
address entry. These are useful for detecting anomalies; however, they
often require trade-offs in network management - for example, DHCP must
be disabled. Additional protection is sometimes provided natively by
operating systems. Certain Microsoft operating systems will detect a
duplicate IP address on a LAN (an indication of a possible ARP spoofing
attack). Others allow you to lock down the entries in your ARP table so
that, once the table is populated, a rogue system is not able to reset an
entry to another MAC or IP address. Another alternative is to encrypt
all traffic using secured protocols such as SSL, SSH, or IPSEC to provide
data confidentiality and data integrity for sensitive communication.
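As an added illustration of the alerting tools described above (example code, not from the advisory or from Symantec): a minimal ARP-cache change monitor replayed over constructed sample replies. It assumes the appliance's management address is 192.168.1.1 and separates changes to that protected address from ordinary host changes, which may be nothing more than DHCP churn.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply: sender_ip claims to live at sender_mac."""
    timestamp: float
    sender_ip: str
    sender_mac: str

def monitor_arp(replies, protected_ips):
    """Replay ARP replies against a learned IP->MAC table; return (table, alerts).

    An alert fires when an IP already in the table is re-announced with a
    different MAC. Changes to a protected address (the appliance's management
    interface) are 'high'; others are 'low', since DHCP churn or a replaced
    NIC looks the same on the wire (the trade-off the advisory mentions).
    """
    table, alerts = {}, []
    for r in replies:
        mac = r.sender_mac.lower()
        known = table.get(r.sender_ip)
        if known is None:
            table[r.sender_ip] = mac
            continue
        if known != mac:
            alerts.append({
                "time": r.timestamp, "ip": r.sender_ip,
                "old_mac": known, "new_mac": mac,
                "severity": "high" if r.sender_ip in protected_ips else "low",
            })
            table[r.sender_ip] = mac  # follow the latest claim so flapping stays visible
    return table, alerts

# Constructed sample data (not captured traffic); 192.168.1.1 is assumed to be
# the appliance's trusted-LAN management address.
SAMPLE_REPLIES = [
    ArpReply(1.0, "192.168.1.1", "00:11:22:33:44:01"),
    ArpReply(1.5, "192.168.1.20", "00:11:22:33:44:20"),
    ArpReply(2.0, "192.168.1.20", "00:11:22:33:44:20"),  # repeat, no change
    ArpReply(3.0, "192.168.1.1", "00:AA:BB:CC:DD:EE"),   # management IP re-mapped
    ArpReply(4.0, "192.168.1.30", "00:11:22:33:44:30"),
    ArpReply(5.0, "192.168.1.30", "00:11:22:33:44:31"),  # ordinary host changed
]

def run_sample():
    return monitor_arp(SAMPLE_REPLIES, {"192.168.1.1"})

if __name__ == "__main__":
    for a in run_sample()[1]:
        print(f"[{a['severity']}] t={a['time']} {a['ip']}: {a['old_mac']} -> {a['new_mac']}")
```

In a real deployment the replies would come from a packet capture on the trusted LAN segment, and the high-severity alert on the management address is the one worth paging on.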
ADDITIONAL INFORMATION
The information has been provided by
and <mailto:symsecurity@symantec.com> Sym Security.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.