
List:       sidewinder
Subject:    Re: [Sidewinder] Migrating from Gauntlet 6.0 to SideWinder G2
From:       sidewinder () adeptech ! com
Date:       2004-06-07 13:19:38
Message-ID: 200406071353.i57DrVq15436 () aag ! adeptech ! com

I have a copy of the scripts you are talking about.  The scripts are 
written in Python, only the source code is provided, and there is NO 
documentation.  For the most part, it is fairly obvious how to use the 
scripts though. 

I also found a few bugs in those scripts too.  It doesn't handle multiple 
ports correctly.  The script will combine the ports list into a single 
port.  For example port 100 and 150 would end up port 100150.  Without 
the source, this is impossible to fix.  They try to migrate some of the 
default configuration that makes no sense (i.e. netacl, mail, and a few 
other settings).

I wrote a Perl script so that it would be more portable and could run on 
an existing firewall if it had Perl loaded or even a Windows PC that had 
Perl loaded.  My script does not currently port as many features as the 
ones from SCC though.  It does not port static routes, plug proxies, or 
the authentication database.  However, there are often only a few of 
these that I will need to port anyway.

sidewinder@adeptech.com wrote:

>Secure Computing already has scripts that you should be able to obtain
>for migrating from Gauntlet 6.0 to Sidewinder 6.X. Call tech support and
>they should be able to assist you.
>
>-----Original Message-----
>From: sidewinder-bounces@adeptech.com
>[mailto:sidewinder-bounces@adeptech.com] On Behalf Of
>sidewinder-request@adeptech.com
>Sent: Friday, June 04, 2004 11:00 AM
>To: sidewinder@adeptech.com
>Subject: Sidewinder Digest, Vol 3, Issue 2
>
>
>Send Sidewinder mailing list submissions to
>	sidewinder@adeptech.com
>
>To subscribe or unsubscribe via the World Wide Web, visit
>	http://mail.adeptech.com/mailman/listinfo/sidewinder
>or, via email, send a message with subject or body 'help' to
>	sidewinder-request@adeptech.com
>
>You can reach the person managing the list at
>	sidewinder-owner@adeptech.com
>
>When replying, please edit your Subject line so it is more specific than
>"Re: Contents of Sidewinder digest..."
>
>
>Today's Topics:
>
>   1. Socks5 Error on Sidewinder 6.1 / Patch 2 (sidewinder@adeptech.com)
>   2. Assesed Vulnerabilities on G2 6.1 to tackle
>      (sidewinder@adeptech.com)
>   3. Re: Assesed Vulnerabilities on G2 6.1 to tackle
>      (sidewinder@adeptech.com)
>   4. RE: Assesed Vulnerabilities on G2 6.1 to tackle
>      (sidewinder@adeptech.com)
>   5. Migrating from Gauntlet 6.0 to SideWinder G2
>      (sidewinder@adeptech.com)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Thu, 03 Jun 2004 16:40:16 +0200
>From: sidewinder@adeptech.com
>Subject: [Sidewinder] Socks5 Error on Sidewinder 6.1 / Patch 2
>To: <sidewinder@adeptech.com>
>Message-ID: <200406031445.i53EjDYf022089@dak.adeptech.com>
>Content-Type: text/plain; charset=US-ASCII
>
>Hello,
>
>does anybody use Socks5 on Sidewinder 6.1 with Patch 2 ?
>
>I try to use it but I always get this error message:
>
>Jun  1 20:14:26 2004 CEST  f_kernel a_tepm t_dmnprivdenied p_major
>pid: 211 ruid: 0 euid: 0 pgid: 211 fid: 0 logid: 0 cmd: 'socks5p'
>domain: Sokx edomain: Sokx permwanted: 256 permgranted: 2048 
>srcdmn: Sokx 
>OP: 0x4000038 wanted perm: 0x100<spoofaddr> granted perm: 0x800<mate> 
>
>It seems that this problem comes after installing patch 2. With Patch 1
>I had no problems.
>
>Does anybody else have this problem ?
>
>Regards,
>
>Joerg Sippel
>
>
>
>
>------------------------------
>
>Message: 2
>Date: Fri, 4 Jun 2004 00:24:29 +0530
>From: sidewinder@adeptech.com
>Subject: [Sidewinder] Assesed Vulnerabilities on G2 6.1 to tackle
>To: <sidewinder@adeptech.com>
>Message-ID: <200406040701.i5471hYf025773@dak.adeptech.com>
>Content-Type: text/plain;	charset="iso-8859-1"
>
>Hi 
>
>We ran a vulnerability assessment on G2 6.1 (with latest patches) and
>had these vulnerabilities reported. Has anyone encountered such issues
>to tackle? Do share how you went about it.
>
>1. The remote host does not discard TCP SYN packets which have the FIN
>flag set.
>
>	Depending on the kind of firewall you are using, an attacker may
>	use this flaw to bypass its rules.
>
>	See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
>	           http://www.kb.cert.org/vuls/id/464113
>
>2. The remote host uses non-random IP IDs, that is, it is possible to
>predict the next value of the ip_id field of the ip packets sent by this
>host.
>
>	An attacker may use this feature to determine traffic patterns
>	within your network.   A few examples (not at all exhaustive) are:
>
>	a. A remote attacker can determine if the remote host sent a packet
>	in reply to another request.  Specifically, an attacker can use your
>	server as an unwilling participant in a blind portscan of another
>	network.
>
>	b. A remote attacker can roughly determine server requests at certain
>	times of the day.  For instance, if the server is sending much more
>	traffic after business hours, the server may be a reverse proxy or
>	other remote access device.  An attacker can use this information to
>	concentrate his/her efforts on the more critical machines.
>
>	c. A remote attacker can roughly estimate the number of requests that
>	a web server processes over a period of time.
>
>	On Gauntlet we disabled issue #1 and #2 by a packet filter rule.
>	How is the same treated on Sidewinder G2?
>
>
>3. The hosted sites NATed through the firewall allow the HTTP CONNECT
>method and hence can be exploited as an open proxy as well as to generate
>spam.
>
>	Issue #3 was defined and disabled on Gauntlet by customising the
>	http proxy so that it was not allowing the http connect method. 
>	What would be the corresponding rule on Sidewinder G2?
>
>
>4. The remote name server could be fingerprinted as being one of the
>following : ISC BIND 9.2.1, ISC BIND 9.2.2
>
>5. The remote host answers to an ICMP timestamp request. This allows an
>attacker to know the date which is set on your machine.
>
>	This may help him to defeat all your time based authentication
>	protocols. 
>
>	Solution : filter out the ICMP timestamp requests (13), and the
>	outgoing ICMP timestamp replies (14).
>	Risk factor : Low
>	CVE : CAN-1999-0524
>
>Rgds
>Gopal 
>Logix
>
>
>
>------------------------------
>
>Message: 3
>Date: Fri, 04 Jun 2004 10:37:57 -0400
>From: sidewinder@adeptech.com
>Subject: Re: [Sidewinder] Assesed Vulnerabilities on G2 6.1 to tackle
>To: sidewinder@adeptech.com
>Message-ID: <200406041439.i54EdEYf027873@dak.adeptech.com>
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>There is a feature to turn off ICMP responses and it is OFF for the 
>external burb and ON for the internal burb.  You most likely scanned the
>internal burb.  You can turn this off under the burb configuration (I 
>believe that is the correct location).
>
>Via a directive in the BIND configuration file, you can return any 
>version information you want.  This may require a manual edit of the 
>file though.  You may also consider adding a chaos zone by hand, but I'm
>not sure how the DNS management GUI will handle this zone.
>
>You can also control the HTTP methods in SideWinder, though I haven't 
>messed with this enough to provide details.
>
>A proxy should not be susceptible to the SYN-FIN attack.  Though, packet
>filters may be.
>
>Hope these help.
>
>sidewinder@adeptech.com wrote:
>
>>Hi
>>
>>We ran a vulnerability assessment on G2 6.1 (with latest patches) and 
>>had these vulnerabilities reported. Has anyone encountered such issues
>>to tackle? Do share how you went about it.
>>
>>1. The remote host does not discard TCP SYN packets which have the FIN 
>>flag set.
>>
>>	Depending on the kind of firewall you are using, an attacker may
>>	use this flaw to bypass its rules.
>>
>>	See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
>>	           http://www.kb.cert.org/vuls/id/464113
>>
>>2. The remote host uses non-random IP IDs, that is, it is possible to 
>>predict the next value of the ip_id field of the ip packets sent by 
>>this host.
>>
>>	An attacker may use this feature to determine traffic patterns
>>	within your network.   A few examples (not at all exhaustive) are:
>>
>>	a. A remote attacker can determine if the remote host sent a packet
>>	in reply to another request.  Specifically, an attacker can use your
>>	server as an unwilling participant in a blind portscan of another
>>	network.
>>
>>	b. A remote attacker can roughly determine server requests at certain
>>	times of the day.  For instance, if the server is sending much more
>>	traffic after business hours, the server may be a reverse proxy or
>>	other remote access device.  An attacker can use this information to
>>	concentrate his/her efforts on the more critical machines.
>>
>>	c. A remote attacker can roughly estimate the number of requests that
>>	a web server processes over a period of time.
>>
>>	On Gauntlet we disabled issue #1 and #2 by a packet filter rule.
>>	How is the same treated on Sidewinder G2?
>>
>>
>>3. The hosted sites NATed through the firewall allow the HTTP CONNECT 
>>method and hence can be exploited as an open proxy as well as to 
>>generate spam.
>>
>>	Issue #3 was defined and disabled on Gauntlet by customising the
>>	http proxy so that it was not allowing the http connect method.
>>	What would be the corresponding rule on Sidewinder G2?
>>
>>
>>4. The remote name server could be fingerprinted as being one of the 
>>following : ISC BIND 9.2.1, ISC BIND 9.2.2
>>
>>5. The remote host answers to an ICMP timestamp request. This allows an
>>attacker to know the date which is set on your machine.
>>
>>	This may help him to defeat all your time based authentication 
>>	protocols.
>>
>>	Solution : filter out the ICMP timestamp requests (13), and the 
>>	outgoing ICMP timestamp replies (14).
>>	Risk factor : Low
>>	CVE : CAN-1999-0524
>>
>>Rgds
>>Gopal
>>Logix
>>
>>_______________________________________________
>>Sidewinder mailing list
>>Sidewinder@adeptech.com 
>>http://mail.adeptech.com/mailman/listinfo/sidewinder
>>
>

-- 
-
- Bryan Swann (swann@spawar.navy.mil)  843/218-6610
- Eagan McAllister Associates, Inc.
-
-  If we don't succeed, we run the risk of failure.  - Dan Quayle


_______________________________________________
Sidewinder mailing list
Sidewinder@adeptech.com
http://mail.adeptech.com/mailman/listinfo/sidewinder
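The Type Enforcement denial quoted in message 1 of the digest above (f_kernel a_tepm t_dmnprivdenied, socks5p wanting spoofaddr but holding only mate) is the kind of record worth parsing rather than reading by eye when the same denial repeats after a patch. The Python below is an added example, not code from the list or from Secure Computing: the field layout and the permission bit names (spoofaddr, mate) are taken only from the one record quoted on the page, and the regular expressions are assumptions about that layout, not a documented audit format.

```python
"""Parse SideWinder Type Enforcement (TE) denial audit records.

Added example, not code from the list post. The record layout and the
permission bit names are assumed from the single t_dmnprivdenied line
quoted in the digest; nothing here is a documented SideWinder format.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample: the record quoted on the list, re-joined onto one
# line the way a syslog collector would store it.
SAMPLE_RECORD = (
    "Jun  1 20:14:26 2004 CEST  f_kernel a_tepm t_dmnprivdenied p_major "
    "pid: 211 ruid: 0 euid: 0 pgid: 211 fid: 0 logid: 0 cmd: 'socks5p' "
    "domain: Sokx edomain: Sokx permwanted: 256 permgranted: 2048 "
    "srcdmn: Sokx "
    "OP: 0x4000038 wanted perm: 0x100<spoofaddr> granted perm: 0x800<mate>"
)

# Header: timestamp, then the f_/a_/t_/p_ classification tokens (assumed).
HEADER_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4} \w+)\s+"
    r"(?P<facility>f_\w+)\s+(?P<area>a_\w+)\s+(?P<event_type>t_\w+)\s+"
    r"(?P<priority>p_\w+)\s+(?P<rest>.*)$"
)
# "key: value" pairs; keys may be two words ("wanted perm"), values may be
# quoted ('socks5p'), hex with a bit name (0x100<spoofaddr>) or bare tokens.
KV_RE = re.compile(
    r"(?P<key>[A-Za-z]+(?: perm)?):\s*"
    r"(?P<value>'[^']*'|0x[0-9A-Fa-f]+(?:<[^>]*>)?|\S+)"
)
PERM_RE = re.compile(r"^0x(?P<hex>[0-9A-Fa-f]+)(?:<(?P<name>[^>]*)>)?$")


@dataclass
class TEDenial:
    timestamp: str
    facility: str
    area: str
    event_type: str
    priority: str
    fields: Dict[str, str]
    wanted_perm: int
    wanted_name: str
    granted_perm: int
    granted_name: str

    def missing_perms(self) -> int:
        """Bits the process asked for but does not hold in its domain."""
        return self.wanted_perm & ~self.granted_perm


def parse_perm(spec: str) -> Tuple[int, str]:
    """'0x100<spoofaddr>' -> (256, 'spoofaddr'); a bare '0x800' gives ''."""
    m = PERM_RE.match(spec)
    if not m:
        raise ValueError(f"not a permission spec: {spec!r}")
    return int(m.group("hex"), 16), m.group("name") or ""


def parse_te_denial(line: str) -> Optional[TEDenial]:
    """Return a TEDenial for a t_dmnprivdenied record, else None."""
    m = HEADER_RE.match(line.strip())
    if not m or m.group("event_type") != "t_dmnprivdenied":
        return None
    fields = {kv.group("key"): kv.group("value").strip("'")
              for kv in KV_RE.finditer(m.group("rest"))}
    wanted_perm, wanted_name = parse_perm(fields["wanted perm"])
    granted_perm, granted_name = parse_perm(fields["granted perm"])
    # The record carries each permission twice (decimal and hex); refuse a
    # line where the two renderings disagree rather than guess which is right.
    if int(fields["permwanted"]) != wanted_perm or int(fields["permgranted"]) != granted_perm:
        raise ValueError("permwanted/permgranted disagree with the hex perm fields")
    return TEDenial(m.group("timestamp"), m.group("facility"), m.group("area"),
                    m.group("event_type"), m.group("priority"), fields,
                    wanted_perm, wanted_name, granted_perm, granted_name)


def summarize(rec: TEDenial) -> str:
    """One-line description suitable for a ticket or an alert message."""
    wanted = rec.wanted_name or hex(rec.wanted_perm)
    granted = rec.granted_name or hex(rec.granted_perm)
    return (f"{rec.fields['cmd']} (pid {rec.fields['pid']}, domain "
            f"{rec.fields['domain']}) wanted {wanted} but holds only {granted}")


def count_denials(lines: Iterable[str]) -> Counter:
    """Tally (domain, cmd, wanted permission) over a log extract so a
    repeating denial, like the one reported after patch 2, stands out."""
    tally: Counter = Counter()
    for line in lines:
        rec = parse_te_denial(line)
        if rec is not None:
            tally[(rec.fields["domain"], rec.fields["cmd"], rec.wanted_name)] += 1
    return tally


if __name__ == "__main__":
    record = parse_te_denial(SAMPLE_RECORD)
    print(summarize(record))
    # constructed three-line extract: two denials around an unrelated line
    print(count_denials([SAMPLE_RECORD, "unrelated syslog line", SAMPLE_RECORD]))
```

Run stand-alone it prints the one-line summary for the quoted record and a tally over a constructed three-line extract. On a real extract, a (domain, cmd, wanted) key that first appears right after a patch install is the signal Joerg describes, and the permwanted/permgranted cross-check rejects lines a collector has mangled instead of silently producing a wrong bit mask.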