RE: Netscreen 5XT SSH Traffic
From: Dante Mercurio (Dante_at_webcti.com)
Date: 03/18/05
- Previous message: Leif Ericksen: "Re: Administrivia: Good mailing list social graces."
- Maybe in reply to: Ben Blakely: "Netscreen 5XT SSH Traffic"
- Next in thread: Michael Peppard: "Re: Netscreen 5XT SSH Traffic"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 18 Mar 2005 14:38:47 -0500 To: <jnichols@pbp.net>, "Ben Blakely" <blakely@krellinst.org>
I can't tell from your email what indications you currently have that
this came through the firewall and was not spoofed from the inside in
some manner. I've always found the Netscreen to be a pretty secure
device and this would be a serious flaw.
Are there any other methods onto the network such as dial-in, VPN, or
vendor connections? Attacks can originate from any of these without a
flaw in the firewall software.
M. Dante Mercurio, CISSP, CWNA, Security+, SCSP
-----Original Message-----
From: Jonathan Nichols [mailto:jnichols@pbp.net]
Sent: Friday, March 18, 2005 12:33 PM
To: Ben Blakely
Cc: incidents@securityfocus.org
Subject: Re: Netscreen 5XT SSH Traffic
Ben Blakely wrote:
> Hello List,
>
> I'm the admin for a small network that uses a NetScreen 5XT firewall
as
> the border access control device. Just like everyone else, we get a
> pretty constant stream of SSH login attempts to our full range of IPs.
> This doesn't concern us too much as our root logins are disabled and
we
> enforce strong passwords. However, several days ago we started seeing
> SSH (v2, port 22) login attempts to machines that the firewall should
> not be allowing SSH traffic to in the first place. Unfortunately this
> happened overnight and our log vault machine was experiencing
unrelated
> problems. Due to this I wasn't able to capture any of the traffic for
> closer dissection. The only conclusion we were able to reach here was
> that perhaps there is a state table poisoning bug in the NetScreen
code
> that tricked the firewall into thinking the traffic had originated as
> egress. Is this a reasonable conclusion? To be honest that seems
like
> a bit of a reach, does anyone else have any experience with similar
> incidents or any possible explanations? I'll happy to clarify
anything
> I can with the data I have, thanks for your time everyone.
>
> /ben Blakely
Have you contacted Netscreen/Juniper TAC about this? There are ways to
capture packets on the 5XT itself for analysis. Do you have another host
that you can use to test this from the outside? If it's an internal box
that shouldn't be allowed SSH access, you oughta be able to test that
from a machine outside the network.
I'd definitely contact the TAC about this, and have them review the
firewall rules as well. It's possible that there's a rule that's
overriding your deny SSH rule.
- Previous message: Leif Ericksen: "Re: Administrivia: Good mailing list social graces."
- Maybe in reply to: Ben Blakely: "Netscreen 5XT SSH Traffic"
- Next in thread: Michael Peppard: "Re: Netscreen 5XT SSH Traffic"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
