
[FW1] Username sent in clear-text for VPN connections



Hi all,

I have noticed a behaviour with VPN-1 where the remote user's
name is sent in clear text to the Firewall.
(Using IKE with FW-1 4.1 SP3.)

The initiating ISAKMP packet (UDP) contains the username - placing it
inside the Identification Payload, and uses the Identification Type Value
of "ID_USER_FQDN".
So it doesn't use the RFC suggested format of <username>@<domain-name>
for this value, but puts the username entered into the VPN-1 Secure Client authentication
window instead.

I can only assume it does this so that it has a value it can compare
against the rulebase for "Add Users Access" rules?

Unfortunately, if you were planning on a brute-force guess attempt against
someone's VPN and you could capture part of the data stream, you
immediately have half of the password with the User Name.

The other behaviour I noticed was that the remote client sends its ISAKMP
Proposal Payload, with (4) Transformation Payloads inside.
These Proposals are listed in order of preference for the initiating user,
and according to the RFC, the other end of the VPN (the Firewall) should
respond with the most favourable method of encryption that it is capable of.

The 4 proposed Transformation Payloads for my user (who is set up in the
Rulebase with the options: Encryption Method - IKE, Authentication Scheme
Used - Password, Transform - ESP, Data Integrity - SHA1, Algorithm - DES)
are:

1) 3DES Encryption with SHA Data Integrity
2) 3DES Encryption with MD5 Data Integrity
3) DES Encryption with SHA Data Integrity
4) DES Encryption with MD5 Data Integrity

The response from the Firewall is to use option 4 - even though the User
has been set up in the rulebase effectively for option 3.

Has anyone been able to make Checkpoint use DES with SHA for VPN
connections?

I would be interested to hear any comments from anyone on this list about
what I have seen.

Cheers,
-jonny


--

Jonny Robertson
Wellington,
New Zealand
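The two behaviours described in the post, as an added example that is not part of the original message and is not Check Point's code: the block builds a constructed IKE Phase 1 first message of the shape described (an SA payload offering four transforms, followed by an Identification Payload of type ID_USER_FQDN), parses it the way a passive IKE monitor on the firewall side would, and applies the RFC 2408 responder rule of taking the first transform in the initiator's preference order that local policy permits. A first message that carries the ID payload unencrypted is IKE Aggressive Mode, so the example assumes that exchange type. Payload layouts and identifier values follow RFC 2407, 2408 and 2409; the cookies, username, offered transforms and policy set are all constructed sample values.

```python
"""Constructed IKE Phase 1 (Aggressive Mode) message 1: build, parse, audit.
Wire formats per RFC 2408 (ISAKMP), RFC 2407 (IPsec DOI), RFC 2409 (IKE)."""
import struct

# ISAKMP payload types (RFC 2408) and IKE/IPsec DOI identifiers (RFC 2407/2409)
PAYLOAD_SA, PAYLOAD_PROPOSAL, PAYLOAD_TRANSFORM, PAYLOAD_ID = 1, 2, 3, 5
EXCH_AGGRESSIVE = 4
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 11: "ID_KEY_ID"}
ENC_ALG = {1: "DES", 5: "3DES"}    # attribute type 1 (Encryption Algorithm)
HASH_ALG = {1: "MD5", 2: "SHA1"}   # attribute type 2 (Hash Algorithm)


def _payload(next_type, body):
    """Generic payload header: next payload, reserved, length including header."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def _transform(num, enc, hsh, last):
    """One KEY_IKE transform with basic (TV) attributes: enc, hash, PSK auth, group 1."""
    attrs = struct.pack("!HHHHHHHH", 0x8001, enc, 0x8002, hsh, 0x8003, 1, 0x8004, 1)
    body = struct.pack("!BBH", num, 1, 0) + attrs      # transform #, KEY_IKE, reserved
    return _payload(0 if last else PAYLOAD_TRANSFORM, body)


def build_packet(username, transforms):
    """Constructed Aggressive Mode message 1: SA payload then ID payload (cleartext)."""
    tf = b"".join(_transform(i + 1, e, h, i == len(transforms) - 1)
                  for i, (e, h) in enumerate(transforms))
    proposal = _payload(0, struct.pack("!BBBB", 1, 1, 0, len(transforms)) + tf)
    sa = _payload(PAYLOAD_ID, struct.pack("!II", 1, 1) + proposal)  # IPsec DOI, identity sit.
    ident = _payload(0, struct.pack("!B3s", 3, b"\x00" * 3) + username.encode())  # ID_USER_FQDN
    body = sa + ident
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, PAYLOAD_SA, 0x10,
                      EXCH_AGGRESSIVE, 0, 0, 28 + len(body))  # constructed cookies
    return hdr + body


def parse_transforms(data):
    """Walk a proposal's transform chain; return (number, enc name, hash name) tuples."""
    out = []
    while True:
        nxt, _, length = struct.unpack("!BBH", data[:4])
        attrs, pos = {}, 8                               # attributes start after reserved
        while pos < length:
            atype, aval = struct.unpack("!HH", data[pos:pos + 4])
            if atype & 0x8000:                           # basic attribute: value inline
                attrs[atype & 0x7FFF], pos = aval, pos + 4
            else:                                        # variable-length attribute
                attrs[atype], pos = data[pos + 4:pos + 4 + aval], pos + 4 + aval
        out.append((data[4], ENC_ALG.get(attrs.get(1)), HASH_ALG.get(attrs.get(2))))
        if nxt == 0:
            return out
        data = data[length:]


def parse_message(pkt):
    """Return exchange type, offered transforms in order, and any cleartext identity."""
    next_type, _version, exch = struct.unpack("!BBB", pkt[16:19])
    findings = {"exchange": exch, "transforms": [], "identity": None}
    pos = 28                                             # ISAKMP header is 28 bytes
    while next_type != 0:
        nxt, _, length = struct.unpack("!BBH", pkt[pos:pos + 4])
        body = pkt[pos + 4:pos + length]
        if next_type == PAYLOAD_SA:
            prop = body[8:]                              # skip DOI and Situation
            spi_size, ntrans = prop[6], prop[7]
            findings["transforms"] = parse_transforms(prop[8 + spi_size:])
            if len(findings["transforms"]) != ntrans:
                raise ValueError("transform count mismatch")
        elif next_type == PAYLOAD_ID:
            findings["identity"] = (ID_TYPES.get(body[0], str(body[0])),
                                    body[4:].decode("ascii", errors="replace"))
        next_type, pos = nxt, pos + length
    return findings


def choose_transform(offered, policy):
    """RFC 2408 responder rule: first offered transform, in initiator preference
    order, that local policy allows. policy is a set of (enc, hash) pairs."""
    for num, enc, hsh in offered:
        if (enc, hsh) in policy:
            return num
    return None


def audit(pkt):
    """Defender-side findings a passive IKE monitor could raise on message 1."""
    f = parse_message(pkt)
    issues = []
    if f["identity"] and f["exchange"] == EXCH_AGGRESSIVE:
        issues.append("identity %s=%r sent unencrypted" % f["identity"])
    if any(enc == "DES" for _, enc, _ in f["transforms"]):
        issues.append("single DES offered in proposal")
    return issues


def sample_packet():
    """The four transforms listed in the post, in the initiator's preference order."""
    return build_packet("vpnuser01", [(5, 2), (5, 1), (1, 2), (1, 1)])


if __name__ == "__main__":
    msg = parse_message(sample_packet())
    print(msg["identity"], msg["transforms"])
    print("policy DES+SHA1 selects transform", choose_transform(msg["transforms"], {("DES", "SHA1")}))
    print(audit(sample_packet()))
```

With the user's rulebase policy of DES and SHA1, the RFC rule selects transform 3; returning transform 4 requires the responder to ignore the initiator's stated preference order, which is the behaviour the post reports.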






