[FW1] Username sent in clear-text for VPN connections
Hi all,

I have noticed a behaviour with VPN-1 where the remote user's name is sent in clear text to the Firewall (using IKE with FW-1 4.1 SP3).

The initiating ISAKMP packet (UDP) contains the username, placing it inside the Identification Payload, and uses the Identification Type Value of "ID_USER_FQDN". So it doesn't use the RFC-suggested format of <username>@<domain-name> for this value, but puts the username entered into the VPN-1 Secure Client authentication window instead. I can only assume it does this so that it has a value it can compare against the rulebase for "Add Users Access" rules?

Unfortunately, if you were planning a brute-force guess attempt against someone's VPN and you could capture part of the data stream, you immediately have half of the password with the User Name.

The other behaviour I noticed was that the remote client sends its ISAKMP Proposal Payload with four (4) Transformation Payloads inside. These Proposals are listed in order of preference for the initiating user, and according to the RFC, the other end of the VPN (the Firewall) should respond with the most favourable method of encryption that it is capable of.

The 4 proposed Transformation Payloads for my user (who is set up in the Rulebase with the options: Encryption Method - IKE, Authentication Scheme Used - Password, Transform - ESP, Data Integrity - SHA1, Algorithm - DES) are:

1) 3DES Encryption with SHA Data Integrity
2) 3DES Encryption with MD5 Data Integrity
3) DES Encryption with SHA Data Integrity
4) DES Encryption with MD5 Data Integrity

The response from the Firewall is to use option 4, even though the User has been set up in the rulebase effectively for option 3.

Has anyone been able to make Checkpoint use DES with SHA for VPN connections? I would be interested to hear any comments from anyone on this list about what I have seen.
Cheers,
-jonny
--
Jonny Robertson
Wellington, New Zealand

To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
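To make the two observations in the post concrete, here is an added example (not code from the original post and not Check Point's or anyone else's implementation) that builds a minimal IKEv1 Aggressive Mode message 1 and parses it back. In Aggressive Mode (RFC 2409 section 5) the initiator's Identification Payload travels in the first, unencrypted message, which is exactly where a sniffer would pick up an ID_USER_FQDN value; in Main Mode the identity is only sent under encryption in message 5. The parser walks the ISAKMP payload chain (RFC 2408 generic payload headers), pulls every Transform Payload out of the SA payload in the order the initiator listed them, and reports any identity sent in the clear. The sample packet is constructed inline from the four transforms the post lists; the username "vpnuser", the cookies, and the omission of the KE and Nonce payloads are all assumptions made only to keep the example short.

```python
"""Parse an IKEv1/ISAKMP first message: cleartext identity and offered transforms."""
import struct

# Payload types (RFC 2408 section 3.1)
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_PROPOSAL, PAYLOAD_TRANSFORM, PAYLOAD_ID = 0, 1, 2, 3, 5
EXCHANGE_NAMES = {2: "Main", 4: "Aggressive"}
# Identification types (RFC 2407 section 4.6.2.1)
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN"}
# Phase-1 SA attribute classes and values (RFC 2409 appendix A)
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP = 1, 2, 3, 4
ENC_NAMES = {1: "DES-CBC", 5: "3DES-CBC"}
HASH_NAMES = {1: "MD5", 2: "SHA"}


def _payload(next_type, body):
    """Generic payload header (next payload, reserved, total length) followed by body."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def _tv_attr(cls, value):
    """Basic (type/value) SA attribute: AF bit set, 2-byte value."""
    return struct.pack("!HH", 0x8000 | cls, value)


def build_aggressive_msg1(username, transforms):
    """Constructed Aggressive Mode message 1: HDR, SA(Proposal(Transform...)), ID.
    KE and Nonce payloads are left out; they do not affect what is parsed below."""
    t_payloads = b""
    for i, (enc, hsh) in enumerate(transforms, 1):
        body = struct.pack("!BBH", i, 1, 0)  # transform #, transform ID KEY_IKE (1), reserved
        body += _tv_attr(ATTR_ENC, enc) + _tv_attr(ATTR_HASH, hsh)
        body += _tv_attr(ATTR_AUTH, 1) + _tv_attr(ATTR_GROUP, 2)  # pre-shared key, MODP group 2
        t_payloads += _payload(PAYLOAD_NONE if i == len(transforms) else PAYLOAD_TRANSFORM, body)
    # proposal #1, protocol PROTO_ISAKMP (1), SPI size 0, transform count
    proposal = _payload(PAYLOAD_NONE, struct.pack("!BBBB", 1, 1, 0, len(transforms)) + t_payloads)
    sa = _payload(PAYLOAD_ID, struct.pack("!II", 1, 1) + proposal)  # DOI IPsec, SIT_IDENTITY_ONLY
    # ID_USER_FQDN (3), protocol UDP (17), port 0, then the raw identity bytes
    ident = _payload(PAYLOAD_NONE, struct.pack("!BBH", 3, 17, 0) + username.encode())
    payloads = sa + ident
    # cookies are assumed placeholder values; exchange type 4 = Aggressive, flags 0 = not encrypted
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8,
                      PAYLOAD_SA, 0x10, 4, 0, 0, 28 + len(payloads))
    return hdr + payloads


def _iter_payloads(first_type, data):
    """Yield (payload type, body) along a next-payload chain, refusing bad lengths."""
    ptype, off = first_type, 0
    while ptype != PAYLOAD_NONE:
        if off + 4 > len(data):
            raise ValueError("truncated payload chain")
        nxt, _, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length")
        yield ptype, data[off + 4:off + length]
        ptype, off = nxt, off + length


def _parse_attrs(data):
    """Decode SA attributes; TV form carries a 2-byte value, TLV form a length-prefixed one."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        cls, val = struct.unpack_from("!HH", data, off)
        if cls & 0x8000:
            attrs[cls & 0x7FFF], off = val, off + 4
        else:
            attrs[cls], off = data[off + 4:off + 4 + val], off + 4 + val
    return attrs


def parse_isakmp(packet):
    """Return exchange type, encryption flag, transforms in offered order, and identities."""
    if len(packet) < 28:
        raise ValueError("short ISAKMP header")
    _, _, first, _, exch, flags, _, length = struct.unpack_from("!8s8sBBBBII", packet, 0)
    if length != len(packet):
        raise ValueError("header length %d != packet length %d" % (length, len(packet)))
    info = {"exchange": EXCHANGE_NAMES.get(exch, str(exch)), "encrypted": bool(flags & 1),
            "transforms": [], "identities": []}
    for ptype, body in _iter_payloads(first, packet[28:]):
        if ptype == PAYLOAD_SA:
            for _, pbody in _iter_payloads(PAYLOAD_PROPOSAL, body[8:]):  # skip DOI + situation
                spi_size = pbody[2]
                for _, tbody in _iter_payloads(PAYLOAD_TRANSFORM, pbody[4 + spi_size:]):
                    attrs = _parse_attrs(tbody[4:])
                    info["transforms"].append((tbody[0], ENC_NAMES.get(attrs.get(ATTR_ENC)),
                                               HASH_NAMES.get(attrs.get(ATTR_HASH))))
        elif ptype == PAYLOAD_ID:
            info["identities"].append((ID_TYPES.get(body[0], str(body[0])), body[4:]))
    return info


def cleartext_user(packet):
    """The ID_USER_FQDN identity an eavesdropper would read from the packet, or None."""
    info = parse_isakmp(packet)
    if info["encrypted"]:
        return None
    for name, data in info["identities"]:
        if name == "ID_USER_FQDN":
            return data.decode("utf-8", "replace")
    return None


def is_well_formed(packet):
    try:
        parse_isakmp(packet)
        return True
    except ValueError:
        return False


# Constructed sample, not a real capture: the four transforms from the post, in the
# order the client offered them (3DES/SHA, 3DES/MD5, DES/SHA, DES/MD5).
SAMPLE_MSG1 = build_aggressive_msg1("vpnuser", [(5, 2), (5, 1), (1, 2), (1, 1)])

if __name__ == "__main__":
    print(parse_isakmp(SAMPLE_MSG1))
    print("cleartext identity:", cleartext_user(SAMPLE_MSG1))
```

Pointed at a real capture, the same parser would take the UDP payload of the first packet to port 500; the check worth keeping is the one on the header length and payload lengths, since a length field that runs past the buffer is the usual way a hand-rolled ISAKMP decoder gets tripped up.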