From: Scott Walker Register (scott.register_at_us.checkpoint.com)
Date: Tue Sep 03 2002 - 16:14:40 CDT

    A document has recently been published alleging vulnerabilities in the Check
    Point VPN-1/FireWall-1 product, involving the use of SecuRemote/SecureClient
    and IKE Aggressive mode. Check Point does not recommend the use of IKE
    Aggressive Mode, because of many well-known limitations in the protocol, and
    the Check Point products offer much more secure alternatives.

    In the vulnerability claim document, two issues were presented:
      1) usernames are passed in cleartext using IKE Aggressive Mode
      2) usernames are susceptible to brute-force guessing when using IKE
         Aggressive Mode

    The first item is merely an accurate description of the IKE protocol. Check
    Point has no bug or vulnerability, but has correctly implemented the IKE
    standard for Aggressive Mode. The passing of usernames in cleartext is
    common to any vendors of IKE products who support Aggressive Mode. The
    claim of a vulnerability is incorrect.

    Because of such well-known weaknesses in the IKE Aggressive Mode standard,
    Check Point authored and published an extension called Hybrid Mode which
    allows the secure use of all supported authentication schemes (e.g., RADIUS
    or TACACS) without sending usernames in cleartext. This extension has been
    incorporated in the product since the 4.1 SP1 release (February 2000), with
    Hybrid Mode recommended over Aggressive Mode for enhanced security.

    The second item exists only in VPN-1/FireWall-1 v4.1 modules which are still
    configured to support SecuRemote/SecureClient connections using IKE
    Aggressive Mode, despite the availability of more secure options in the
    product. Note, again, that the guessable usernames in this scenario are, by
    design of the IKE protocol, sent in cleartext. By default, Aggressive Mode
    is not enabled in NG. In 4.1, the recommended configuration is to disable
    Aggressive Mode and use Hybrid Mode instead (which involves no change to the
    user experience).

    Scott Walker Register
    FireWall-1 Product Manager
    Check Point Software Technologies, Inc.
    ph: 561.989.5418 fax: 561.997.9392

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
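The cleartext username the message refers to is the ID payload of the first Aggressive Mode message (ISAKMP exchange type 4, RFC 2408), which is sent before any encryption is negotiated. The following Python is an added example, not part of the original post or of any Check Point code: it builds a constructed Aggressive Mode message 1 with a sample identity and parses it the way a passive network sensor would, flagging the exchange type and recovering the unencrypted identity, which is a simple check for whether Aggressive Mode is still in use on a monitored VPN gateway. The username, cookies and SA/KE/Nonce bodies are constructed placeholder values.

```python
import struct

# ISAKMP constants from RFC 2408 (only the ones this example needs).
EXCHANGE_AGGRESSIVE = 4
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_ID, PAYLOAD_NONCE = 0, 1, 4, 5, 10
ID_USER_FQDN = 3      # identity sent as user@fqdn text
FLAG_ENCRYPTED = 0x01
HDR = "!8s8sBBBBII"   # cookies, next payload, version, exchange, flags, msg id, length

def build_payload(next_payload, body):
    """Generic payload header: type of the *following* payload, reserved, total length."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def build_aggressive_msg1(username):
    """Constructed sample of Aggressive Mode message 1 (SA, KE, Nonce, ID).
    SA/KE/Nonce bodies are dummies; the ID payload is the part that matters."""
    ident = struct.pack("!BBH", ID_USER_FQDN, 0, 0) + username.encode()
    payloads = (build_payload(PAYLOAD_KE, b"\x00" * 4)       # SA body, next is KE
                + build_payload(PAYLOAD_NONCE, b"\x00" * 8)  # KE body, next is Nonce
                + build_payload(PAYLOAD_ID, b"\x11" * 8)     # Nonce body, next is ID
                + build_payload(PAYLOAD_NONE, ident))        # ID body, last payload
    header = struct.pack(HDR, b"\xaa" * 8, b"\x00" * 8, PAYLOAD_SA, 0x10,
                         EXCHANGE_AGGRESSIVE, 0, 0, 28 + len(payloads))
    return header + payloads

def inspect_isakmp(pkt):
    """Report the exchange type and any identity readable without a key; Aggressive
    Mode message 1 is never encrypted, so a passive sensor sees its ID payload."""
    if len(pkt) < 28:
        raise ValueError("truncated ISAKMP header")
    _, _, nxt, _, exchange, flags, _, length = struct.unpack(HDR, pkt[:28])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    info = {"exchange": exchange, "aggressive": exchange == EXCHANGE_AGGRESSIVE,
            "identity": None}
    if flags & FLAG_ENCRYPTED:   # payloads are ciphertext, nothing to read
        return info
    off = 28
    while nxt != PAYLOAD_NONE and off + 4 <= len(pkt):
        ptype = nxt
        nxt, _, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("malformed payload length")
        if ptype == PAYLOAD_ID and plen >= 8:   # ID type, proto, port, then identity data
            info["identity"] = (pkt[off + 4], pkt[off + 8:off + plen].decode("utf-8", "replace"))
        off += plen
    return info

if __name__ == "__main__":
    print(inspect_isakmp(build_aggressive_msg1("alice@example.com")))
```

A sensor rule built on this logic would alert on any exchange type 4 seen at the gateway, since with Hybrid Mode or Main Mode the identity only travels after the encryption flag is set and the check above returns no identity.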