Full Disclosure mailing list archives
Check Point statement on use of IKE Aggressive Mode
From: Scott.Register () us checkpoint com (Scott Walker Register)
Date: Tue, 3 Sep 2002 17:14:40 -0400
A document has recently been published alleging vulnerabilities in the Check Point VPN-1/FireWall-1 product, involving the use of SecuRemote/SecureClient and IKE Aggressive mode. Check Point does not recommend the use of IKE Aggressive Mode, because of many well-known limitations in the protocol, and the Check Point products offer much more secure alternatives.

In the vulnerability claim document, two issues were presented:

1) usernames are passed in cleartext using IKE Aggressive Mode
2) usernames are susceptible to brute-force guessing when using IKE Aggressive Mode

The first item is merely an accurate description of the IKE protocol. Check Point has no bug or vulnerability, but has correctly implemented the IKE standard for Aggressive Mode. The passing of usernames in cleartext is common to any vendor of IKE products that supports Aggressive Mode. The claim of a vulnerability is incorrect.

Because of such well-known weaknesses in the IKE Aggressive Mode standard, Check Point authored and published an extension called Hybrid Mode which allows the secure use of all supported authentication schemes (e.g., RADIUS or TACACS) without sending usernames in cleartext. This extension has been incorporated in the product since the 4.1 SP1 release (February 2000), with Hybrid Mode recommended over Aggressive Mode for enhanced security.

The second item exists only in VPN-1/FireWall-1 v4.1 modules which are still configured to support SecuRemote/SecureClient connections using IKE Aggressive Mode, despite the availability of more secure options in the product. Note, again, that the guessable usernames in this scenario are, by design of the IKE protocol, sent in cleartext.

By default, Aggressive Mode is not enabled in NG. In 4.1, the recommended configuration is to disable Aggressive Mode and use Hybrid Mode instead (which involves no change to the user experience).

Scott Walker Register
FireWall-1 Product Manager
Check Point Software Technologies, Inc.
ph: 561.989.5418 fax: 561.997.9392
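The protocol point the message rests on, that an Aggressive Mode first message carries the initiator's identity unencrypted while Main Mode sends it only inside the encrypted fifth message, can be checked directly against the ISAKMP wire format. The following is an added example, written for this archive page and not code from Check Point or from the original poster. It builds two constructed ISAKMP datagrams following the RFC 2408 header and generic payload layout (cookies, next payload, exchange type 4 for Aggressive Mode and 2 for Main Mode, the E flag for encrypted payload chains) and walks the payload chain looking for an Identification payload. The username `alice@example.com`, the cookies and the placeholder SA/KE/NONCE bodies are all made up for the demo; the Check Point Hybrid Mode extension is not modelled because the message gives no wire details for it.

```python
"""Added example: show why an IKEv1 Aggressive Mode first message leaks the
initiator identity to a passive observer, while Main Mode does not.
All packet bytes below are constructed for the demo (assumption: sample data)."""
import struct

ISAKMP_HDR_LEN = 28
EXCH_MAIN_MODE = 2           # "Identity Protection" exchange
EXCH_AGGRESSIVE = 4
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_ID, PAYLOAD_NONCE = 0, 1, 4, 5, 10
FLAG_ENCRYPTION = 0x01
ID_TYPE_NAMES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 11: "ID_KEY_ID"}
EXCH_NAMES = {EXCH_MAIN_MODE: "Main Mode", EXCH_AGGRESSIVE: "Aggressive Mode"}


def payload(next_payload, body):
    """Generic payload header (RFC 2408 s3.2): next payload, reserved, total length."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def isakmp(icookie, rcookie, first_payload, exch_type, flags, body):
    """ISAKMP header (RFC 2408 s3.1) followed by a payload chain or ciphertext."""
    return struct.pack("!8s8sBBBBII", icookie, rcookie, first_payload,
                       0x10, exch_type, flags, 0, ISAKMP_HDR_LEN + len(body)) + body


def parse_isakmp(pkt):
    """Return (exch_type, flags, rcookie, payloads) with payloads = [(type, body), ...].
    The list is empty when the E flag is set: the chain is then ciphertext."""
    if len(pkt) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    _, rcookie, np, _, exch, flags, _, length = struct.unpack(
        "!8s8sBBBBII", pkt[:ISAKMP_HDR_LEN])
    if length > len(pkt):
        raise ValueError("length field exceeds datagram")
    payloads = []
    if flags & FLAG_ENCRYPTION:
        return exch, flags, rcookie, payloads
    off = ISAKMP_HDR_LEN
    while np != PAYLOAD_NONE:
        if off + 4 > length:
            raise ValueError("truncated payload chain")
        nxt, _, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > length:
            raise ValueError("bad payload length")
        payloads.append((np, pkt[off + 4:off + plen]))
        off, np = off + plen, nxt
    return exch, flags, rcookie, payloads


def find_cleartext_identity(pkt):
    """Describe a readable Identification payload, or None if the message is
    encrypted or carries no ID payload."""
    exch, _, rcookie, payloads = parse_isakmp(pkt)
    for ptype, body in payloads:
        if ptype != PAYLOAD_ID or len(body) < 4:
            continue
        id_type, _proto, _port = struct.unpack("!BBH", body[:4])
        data = body[4:]
        # FQDN and USER_FQDN identities are text; other types are shown as hex.
        ident = data.decode("utf-8", errors="replace") if id_type in (2, 3) else data.hex()
        return {"exchange": EXCH_NAMES.get(exch, str(exch)),
                "initiator_msg1": rcookie == bytes(8),   # no responder SPI yet
                "id_type": ID_TYPE_NAMES.get(id_type, str(id_type)),
                "identity": ident}
    return None


# --- constructed sample traffic (not captured from any real product) ---------
ICOOKIE = bytes.fromhex("0123456789abcdef")

# Aggressive Mode message 1: SA, KE, NONCE and ID are all in the clear.
AGGRESSIVE_MSG1 = isakmp(
    ICOOKIE, bytes(8), PAYLOAD_SA, EXCH_AGGRESSIVE, 0,
    payload(PAYLOAD_KE, b"\x00" * 8)                 # SA payload (next: KE)
    + payload(PAYLOAD_NONCE, b"\x11" * 16)           # KE payload (next: NONCE)
    + payload(PAYLOAD_ID, b"\x22" * 16)              # NONCE payload (next: ID)
    + payload(PAYLOAD_NONE,                          # ID payload: USER_FQDN, UDP/500
              struct.pack("!BBH", 3, 17, 500) + b"alice@example.com"))

# Main Mode message 5: the ID payload goes out only after the ISAKMP SA exists
# and is encrypted (E flag), so the observer sees opaque bytes.
MAIN_MODE_MSG5 = isakmp(
    ICOOKIE, bytes.fromhex("fedcba9876543210"), PAYLOAD_ID, EXCH_MAIN_MODE,
    FLAG_ENCRYPTION, bytes.fromhex("9f2c44d0e17b83aa5c6e0d11b2f7a9c3"))

if __name__ == "__main__":
    print(find_cleartext_identity(AGGRESSIVE_MSG1))
    print(find_cleartext_identity(MAIN_MODE_MSG5))
```

Run against the Aggressive Mode sample the parser returns the identity string straight out of the datagram; against the Main Mode sample it returns nothing, because the E flag marks everything after the header as ciphertext. The same walk over a capture of UDP/500 traffic is a quick way to audit whether any gateway is still answering Aggressive Mode initiators, which is the configuration the message above advises turning off.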