
Re: [FW-1] security hole isakmp




Please also note that UDP port scanning is an inexact science.  If you receive an affirmative response of some sort (e.g. a reply to a DNS query), then the port is obviously open.  If you receive an ICMP "port unreachable" from the destination host, it is quite likely that the port is indeed closed.  However, if you receive no response, this can mean any of the following:

- The packet got lost in transit (e.g. an access list, a firewall, Internet packet loss, etc.)
- The port is open, but the service simply received the packet and did not deem it necessary to reply
- The port is closed, and the destination host returned an ICMP unreachable, but some device between you and the destination host dropped the ICMP "unreachable".  Although this is not great from an Internet citizenship perspective, it is not an altogether uncommon practice.

HTH

Dan Hitchcock
CCNP, CCSE, MCSE
Security Operations Technical Lead
Breakwater Security Associates, Inc.
"Safe Harbor for Your Business"
dhitchcock (at) breakwatersecurity (dot) com
http://www.breakwatersecurity.com
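The three-way reading of a UDP probe described in the reply above (reply = open, ICMP port-unreachable from the target = closed, silence = open|filtered), as an added example that is not part of the original thread and not Nessus code. It classifies a tcpdump capture offline, using constructed numeric (tcpdump -n style) sample lines modelled on the exchange quoted further down, and includes a live probe that maps the same three outcomes from a connected UDP socket. The isakmp_probe() payload is a bare ISAKMP header built from RFC 2408; sending it to elicit an answer is this example's assumption, not something anyone in the thread suggests.

```python
"""UDP port-state inference, following the three outcomes laid out above.

Added example for this archive page; not code from the list or from Nessus.
A reply means the port is open, an ICMP port-unreachable from the target means
closed, and silence is ambiguous (open|filtered). The offline classifier assumes
`tcpdump -n` style numeric output; the sample captures below are constructed.
"""
import os
import re
import socket
import struct

OPEN, CLOSED, OPEN_FILTERED = "open", "closed", "open|filtered"

# "host" or "host.port", optionally followed by tcpdump's trailing ':' (IPv4 only).
_ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:\.(\d+))?:?$")


def _endpoint(token):
    m = _ENDPOINT.match(token)
    if not m:
        return None, None
    return m.group(1), (int(m.group(2)) if m.group(2) else None)


def classify_tcpdump(lines, scanner, target, port):
    """Find the UDP probe scanner -> target:port in tcpdump output, then decide
    from what the target sent back (if anything) which of the three states applies."""
    probe_sport = None
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] != ">":
            continue
        src, sport = _endpoint(parts[1])
        dst, dport = _endpoint(parts[3])
        if src is None or dst is None:
            continue
        rest = " ".join(parts[4:])
        if src == scanner and dst == target and dport == port and rest.startswith("udp"):
            probe_sport = sport            # our probe left; now watch for an answer
            continue
        if probe_sport is None or src != target or dst != scanner:
            continue
        if rest.startswith("icmp:") and f"udp port {port} unreachable" in rest:
            return CLOSED                  # the target itself said "nothing listens here"
        if sport == port and dport == probe_sport and rest.startswith("udp"):
            return OPEN                    # an application answered from the probed port
    if probe_sport is None:
        raise ValueError("no probe from %s to %s:%d in the capture" % (scanner, target, port))
    return OPEN_FILTERED                   # silence: lost, ignored, or ICMP dropped on the way back


def isakmp_probe(initiator_cookie=None):
    """Bare 28-byte ISAKMP header (RFC 2408) to use as a service-specific payload:
    initiator cookie, zero responder cookie, next payload 1 (SA), version 1.0,
    exchange type 2 (identity protection), no flags, message ID 0, length 28.
    No SA payload follows, so a listener may answer, send a notify, or ignore it;
    using it at all is this example's assumption, not something the thread states."""
    cookie = initiator_cookie or os.urandom(8)
    return struct.pack("!8s8sBBBBII", cookie, b"\x00" * 8, 1, 0x10, 2, 0, 0, 28)


def probe_udp(host, port, payload=b"", timeout=2.0):
    """Live probe (needs network access; not exercised offline). On Linux a connected
    UDP socket reports an incoming ICMP port-unreachable as ConnectionRefusedError;
    Windows raises ConnectionResetError instead. A timeout is the ambiguous case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(payload)
        s.recv(65535)
        return OPEN
    except (ConnectionRefusedError, ConnectionResetError):
        return CLOSED
    except socket.timeout:
        return OPEN_FILTERED
    finally:
        s.close()


# Constructed sample captures (numeric form of the exchange quoted in the thread).
SCANNER, TARGET = "10.0.0.5", "10.0.0.1"
CAPTURE_CLOSED = [
    "12:37:48.056664 10.0.0.5.1500 > 10.0.0.1.500: udp 0",
    "12:37:48.056684 10.0.0.1 > 10.0.0.5: icmp: 10.0.0.1 udp port 500 unreachable",
]
CAPTURE_OPEN = [
    "12:37:48.056664 10.0.0.5.1500 > 10.0.0.1.500: udp 28",
    "12:37:48.060120 10.0.0.1.500 > 10.0.0.5.1500: udp 28",
]
CAPTURE_SILENT = CAPTURE_CLOSED[:1]

if __name__ == "__main__":
    for name, cap in (("closed", CAPTURE_CLOSED), ("open", CAPTURE_OPEN), ("silent", CAPTURE_SILENT)):
        print(name, "->", classify_tcpdump(cap, SCANNER, TARGET, 500))
```

Two practical caveats when using the live probe: an empty datagram (the "udp 0" in the capture below) gives a real listener nothing to answer, so a protocol-shaped payload such as the ISAKMP header makes the "open" verdict reachable at all; and Linux rate-limits outgoing ICMP errors (net.ipv4.icmp_ratelimit), so when many ports are probed in a burst a closed port can fall silent. Retry a timed-out port before settling on open|filtered, which is exactly the ambiguity the reply above warns about.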



-----Original Message-----
From: Mike Glassman - Admin [mailto:[email protected]]
Sent: Thursday, May 02, 2002 6:08 AM
To: [email protected]
Subject: Re: [FW-1] security hole isakmp


Jochen,

Some of these scanners will scan for open ports but not actually bother to try and access them if they find them. On finding a port they will use their internal database to tell you what vulnerability they found and the dangers from it.

It seems that this is the case here. A scan found the port was available, and told you you were vulnerable. The true case is that even though the port may be scannable from the outside, it is not in fact accessible (not open), so you are not vulnerable.

Mike



> -----Original Message-----
> From: Jochen Vogel [SMTP:[email protected]]
> Sent: May 02, 2002 12:45
> To:   [email protected]
> Subject:           [FW-1] security hole isakmp
>
> hi,
>
> I scanned the firewall with Nessus and got the following result
>
> . List of open ports :
>    o isakmp (500/udp) (Security hole found)
>
>  . Vulnerability found on port isakmp (500/udp) :
>
>
>     The remote IPSEC server seems to have a problem negotiating
>     bogus IKE requests.
>
>     An attacker may use this flaw to disable your VPN remotely
>
>     Solution: Contact your vendor for a patch
>     Risk factor:
>      High
>
> If I view the firewall log I see that the connection to udp/500 was rejected.
>
> If I run tcpdump I see that the port was unreachable:
> 12:37:48.056664 scanner.1500 > firewall: udp 0
> 12:37:48.056684 firewall > scanner: icmp: 213.61.74.2 udp port 500 unreachable
>
> - Does anybody know why Nessus finds the hole?
> - Is there a workaround for this problem?
>
> thx for help
> Jo
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================

   All contents © 2004 Network Presence, LLC. All rights reserved.