RE: Cisco VPN Client - Stateful Firewall

• Previous message: Brenda B Gombosky: "Re: Patch manager for IBM AIX"
• Maybe in reply to: Omar Khawaja: "Cisco VPN Client - Stateful Firewall"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 25 Feb 2004 15:28:15 -0600
To: "Rosenhan, David" <David.Rosenhan@swiftbrands.com>

Not true!

The stateful firewall feature functions independently of an IPSEC tunnel.

If a user has Stateful firewall checked, the computer will be basically
hidden from the network, except for connections that it establishes (starts
the state).

If a use later decides to establish a VPN Tunnel, it's treated like any
other traffic, it's allowed and it's in the state table as allowed traffic
back in.

It does not limit/stop/block outbound traffic. Only inbound traffic.

As far as remote testing it. The box does not even respond to pings.

If you worked for Cisco on the VPN team you should know this.

 From the Manual for 3.6

The VPN Client includes an integrated stateful firewall that provides
protection when split tunneling is
in effect and protects the VPN Client PC from Internet attacks while the
VPN Client is connected to a
VPN Concentrator through an IPSec tunnel. This integrated firewall includes
a feature called Stateful
Firewall (Always On).
Stateful Firewall (Always On) provides even tighter security. When enabled,
this feature allows no
inbound sessions from all networks, whether or not a VPN connection is in
effect. Also, the firewall is
active for both encrypted and non encrypted traffic. There are two
exceptions to this rule. The first is
DHCP, which sends requests to the DHCP server out one port but receives
responses from DHCP
through a different port. For DHCP, the stateful firewall allows inbound
traffic. The second is ESP. The
stateful firewall allows ESP traffic from the secure gateway, because ESP
rules are packet filters and not
session-based filters.

 From the 4.0

The VPN Client includes an integrated stateful firewall that provides
protection when split tunneling is
in effect and protects the VPN Client PC from Internet attacks while the
VPN Client is connected to a
VPN Concentrator through an IPSec tunnel. This integrated firewall includes
a feature called Stateful
Firewall (Always On).
Stateful Firewall (Always On) provides even tighter security. When enabled,
this feature allows no
inbound sessions from all networks, regardless of whether a VPN connection
is in effect. Also, the
firewall is active for both encrypted and unencrypted traffic. There are
two exceptions to this rule:
• DHCP, which sends requests to the DHCP server out one port but receives
responses from DHCP
through a different port. For DHCP, the stateful firewall allows inbound
traffic.
• ESP - The stateful firewall allows ESP traffic from the secure gateway,
because ESP rules are packet
filters and not session-based filters. For the latest information on other
exceptions, if any, refer to
Release Notes for Cisco VPN Client for Windows.

At 15:44 02/24/2004, Rosenhan, David wrote:
>Omar,
>
>I used to work for Cisco on the VPN team and when the VPN client
>stateful firewall was checked it only allowed outgoing connections for
>ESP and ISAKMP traffic, basically it blocked everything but VPN traffic
>incoming and outgoing. It is a very basic firewall, mostly used for
>users that are not doing any split-tunneling and if you can't afford a
>3rd party firewall solution.
>
>I would suggest enabling it and then run a program called LanGuard
>against the IP address of the computer. LanGaurd has a 30 day trial
>version out there you can download, you will probably need to google it.
> From here you should be able to tell what is left open when it is
>enabled.
>
>Thanks!
>
>David Rosenhan, CCNP
>Information Technology
>
>
>-----Original Message-----
>From: Omar Khawaja [mailto:omarkhawaja@yahoo.com]
>Sent: Monday, February 23, 2004 9:01 AM
>To: security-basics@securityfocus.com
>Subject: Cisco VPN Client - Stateful Firewall
>
>Does anyone have any thoughts on how secure the "Stateful Firewall",
>that is
>integrated with the Cisco VPN Client, is? I was hoping someone may have
>done
>some penetration testing targeted at this particular feature of the
>product.
>___
>Omar Khawaja
>
>
>
>------------------------------------------------------------------------
>---
>Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection
>
>Protect your network with the comprehensive security solution that
>integrates six applications for ease of use and lower TCO.
>
>Firewall - Virus protection - Spam protection - URL blocking - VPN
>- Wireless security.
>
>Download 30-day evaluation at:
>http://www.securityfocus.com/sponsor/Astaro_security-basics_040219
>------------------------------------------------------------------------
>----
>
>
>---------------------------------------------------------------------------
>----------------------------------------------------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------

• Previous message: Brenda B Gombosky: "Re: Patch manager for IBM AIX"
• Maybe in reply to: Omar Khawaja: "Cisco VPN Client - Stateful Firewall"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]