RE: Cisco VPN Client - Stateful Firewall

From: Rosenhan, David (David.Rosenhan_at_swiftbrands.com)
Date: 02/25/04

    Date: Wed, 25 Feb 2004 14:40:56 -0700
    To: <jamesworld@intelligencia.com>

    I understand the docs, but you have to look at the reality of it. I
    have the VPN client installed, and when I check the stateful firewall I
    can't do anything, not even outbound connections from my laptop, even if
    I am not running the VPN client and I don't have a tunnel established. I
    know what the docs say, but you fail to mention the bugs with the
    stateful firewall.

    We ran into this bug all the time; mostly this bug is listed as internal
    to Cisco, so you may not even see it on the Bug tool.

    In conclusion, don't use the stateful firewall; buy a third-party
    firewall or download the free ZoneAlarm firewall. It has more options,
    you can configure it, and on top of that it works with policies pushed to
    it from a Cisco VPN concentrator.

    Thanks!!

    David Rosenhan, CCNP
    Information Technology
    Swift & Company

    -----Original Message-----
    From: jamesworld@intelligencia.com [mailto:jamesworld@intelligencia.com]

    Sent: Wednesday, February 25, 2004 2:28 PM
    To: Rosenhan, David
    Cc: Omar Khawaja; security-basics@securityfocus.com
    Subject: RE: Cisco VPN Client - Stateful Firewall

    Not true!

    The stateful firewall feature functions independently of an IPSEC
    tunnel.

    If a user has Stateful Firewall checked, the computer will be basically
    hidden from the network, except for connections that it establishes
    (starts the state).

    If a user later decides to establish a VPN tunnel, it's treated like any
    other traffic: it's allowed, and it's in the state table as allowed
    traffic back in.

    It does not limit/stop/block outbound traffic. Only inbound traffic.

    As far as remote testing it, the box does not even respond to pings.

    If you worked for Cisco on the VPN team you should know this.

     From the manual for 3.6:

    The VPN Client includes an integrated stateful firewall that provides
    protection when split tunneling is in effect and protects the VPN Client
    PC from Internet attacks while the VPN Client is connected to a VPN
    Concentrator through an IPSec tunnel. This integrated firewall includes
    a feature called Stateful Firewall (Always On).

    Stateful Firewall (Always On) provides even tighter security. When
    enabled, this feature allows no inbound sessions from all networks,
    whether or not a VPN connection is in effect. Also, the firewall is
    active for both encrypted and non-encrypted traffic. There are two
    exceptions to this rule. The first is DHCP, which sends requests to the
    DHCP server out one port but receives responses from DHCP through a
    different port. For DHCP, the stateful firewall allows inbound traffic.
    The second is ESP. The stateful firewall allows ESP traffic from the
    secure gateway, because ESP rules are packet filters and not
    session-based filters.

     From the 4.0 manual:

    The VPN Client includes an integrated stateful firewall that provides
    protection when split tunneling is in effect and protects the VPN Client
    PC from Internet attacks while the VPN Client is connected to a VPN
    Concentrator through an IPSec tunnel. This integrated firewall includes
    a feature called Stateful Firewall (Always On).

    Stateful Firewall (Always On) provides even tighter security. When
    enabled, this feature allows no inbound sessions from all networks,
    regardless of whether a VPN connection is in effect. Also, the firewall
    is active for both encrypted and unencrypted traffic. There are two
    exceptions to this rule:

    * DHCP, which sends requests to the DHCP server out one port but
      receives responses from DHCP through a different port. For DHCP, the
      stateful firewall allows inbound traffic.
    * ESP - The stateful firewall allows ESP traffic from the secure
      gateway, because ESP rules are packet filters and not session-based
      filters. For the latest information on other exceptions, if any, refer
      to Release Notes for Cisco VPN Client for Windows.

    At 15:44 02/24/2004, Rosenhan, David wrote:
    >Omar,
    >
    >I used to work for Cisco on the VPN team, and when the VPN client
    >stateful firewall was checked it only allowed outgoing connections for
    >ESP and ISAKMP traffic; basically it blocked everything but VPN traffic,
    >incoming and outgoing. It is a very basic firewall, mostly used for
    >users that are not doing any split tunneling and if you can't afford a
    >third-party firewall solution.
    >
    >I would suggest enabling it and then running a program called LanGuard
    >against the IP address of the computer. LanGuard has a 30-day trial
    >version out there you can download; you will probably need to google it.
    > From here you should be able to tell what is left open when it is
    >enabled.
    >
    >Thanks!
    >
    >David Rosenhan, CCNP
    >Information Technology
    >
    >
    >-----Original Message-----
    >From: Omar Khawaja [mailto:omarkhawaja@yahoo.com]
    >Sent: Monday, February 23, 2004 9:01 AM
    >To: security-basics@securityfocus.com
    >Subject: Cisco VPN Client - Stateful Firewall
    >
    >Does anyone have any thoughts on how secure the "Stateful Firewall"
    >that is integrated with the Cisco VPN Client is? I was hoping someone
    >may have done some penetration testing targeted at this particular
    >feature of the product.
    >___
    >Omar Khawaja
    >
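    The Always On rules, as the two manual excerpts quoted in this thread
    describe them, written out as a small packet-filter model. This is an
    added example, not code from any of the posters or from Cisco; the host
    addresses, the secure-gateway address and every packet in it are
    constructed. It models only the documented policy (outbound allowed and
    recorded, inbound only for a session the PC started, plus the DHCP and
    ESP exceptions), so it says nothing about the bug David reports; what it
    does show is the set of results a ping or LanGuard scan against a client
    behaving per the manual should reproduce.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp", "icmp" or "esp"
    src: str
    dst: str
    sport: int = 0          # ignored for icmp and esp
    dport: int = 0
    outbound: bool = False  # True = leaving the client PC, False = arriving at it


class AlwaysOnFirewall:
    """Stateful Firewall (Always On) as the manual excerpts describe it (model only)."""

    def __init__(self, local_ip: str, secure_gateway: str):
        self.local_ip = local_ip
        self.secure_gateway = secure_gateway  # the concentrator the client talks to
        self.sessions = set()                 # sessions the PC itself started

    @staticmethod
    def _key(proto, local, lport, remote, rport):
        # ICMP has no ports; ESP is never tracked as a session at all.
        if proto == "icmp":
            return (proto, local, remote)
        return (proto, local, lport, remote, rport)

    def check(self, pkt: Packet):
        """Return (allowed, reason) for one packet, updating the state table."""
        if pkt.outbound:
            # Outbound is never blocked; record the session so replies can come back.
            if pkt.proto != "esp":
                self.sessions.add(self._key(pkt.proto, pkt.src, pkt.sport,
                                            pkt.dst, pkt.dport))
            return True, "outbound"
        if self._key(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return True, "reply to a session this PC started"
        # Exception 1: DHCP replies (server port 67 -> client port 68) do not
        # match the request flow, so the manual allows them in explicitly.
        if pkt.proto == "udp" and pkt.sport == 67 and pkt.dport == 68:
            return True, "DHCP exception"
        # Exception 2: ESP from the secure gateway is a plain packet filter,
        # not a session; ESP from anywhere else falls through and is dropped.
        if pkt.proto == "esp" and pkt.src == self.secure_gateway:
            return True, "ESP from secure gateway"
        return False, "no inbound sessions"


def scenario():
    """Constructed packets exercising each rule; returns {label: (allowed, reason)}."""
    me, gw, web = "10.0.0.5", "203.0.113.1", "198.51.100.10"   # assumed addresses
    lan_dhcp, attacker = "10.0.0.1", "192.0.2.7"
    fw = AlwaysOnFirewall(local_ip=me, secure_gateway=gw)
    steps = [
        ("ping from another host",    Packet("icmp", attacker, me)),
        ("tcp/80 probe from outside", Packet("tcp", attacker, me, 40000, 80)),
        ("outbound https",            Packet("tcp", me, web, 50123, 443, outbound=True)),
        ("https reply",               Packet("tcp", web, me, 443, 50123)),
        ("dhcp offer",                Packet("udp", lan_dhcp, me, 67, 68)),
        ("isakmp to gateway",         Packet("udp", me, gw, 500, 500, outbound=True)),
        ("isakmp reply",              Packet("udp", gw, me, 500, 500)),
        ("esp from gateway",          Packet("esp", gw, me)),
        ("esp from outside",          Packet("esp", attacker, me)),
        ("outbound ping",             Packet("icmp", me, web, outbound=True)),
        ("ping reply",                Packet("icmp", web, me)),
    ]
    return {label: fw.check(p) for label, p in steps}


if __name__ == "__main__":
    for label, (allowed, reason) in scenario().items():
        print(f"{'ALLOW' if allowed else 'DROP ':5} {label:28} {reason}")
```

    Run as-is it prints one verdict per packet: the unsolicited ping and the
    tcp/80 probe are dropped (the "does not even respond to pings" behaviour
    James describes), the replies to the PC's own HTTPS, ISAKMP and ping
    traffic come back in, the DHCP offer and the gateway's ESP get in on
    their exceptions, and ESP from any other source is dropped. The ordering
    of checks matters: the state-table lookup runs before the two exceptions,
    so the exceptions only widen what a session-less inbound packet can do.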
