Penetration Testing mailing list archives

Re: [PEN-TEST] PIX Firewall Question


From: "NetW3.COM Consulting" <netw3 () NETW3 COM>
Date: Thu, 30 Nov 2000 23:39:13 -0600

At 03:49 PM 11/30/2000 -0500, you wrote:
Does anybody have any idea of what ports show up on a PIX firewall?
Does PIX run on Cisco IOS?


An Internet-in scan of a PIX firewall I work with indicated
that only port 443 was seen to be open when scanned with nmap.
In this case, port 443 was opened intentionally with a static
nat and a conduit allow statement. I performed some other scans
with nmap, I forget the flags, perhaps FIN-ACK or some other
attempt at tricking firewall state; this scan demonstrated the
filtered telnet port. The telnet port was actually only open
on the interface to the inside network and the protected DMZ;
the outside denied everything but icmp (I know, not the best
choice of allows) and TCP 443, yet nmap was able to detect
the listening port on the DMZ/internal interface from the outside.
I don't know if there is actually any real exploitability from
this, but it at least offers the chance to study their
implementation of filtering.

Scanning the firewall interface from the internal network
revealed one more port open in addition to 443, and it was
not a port that we opened intentionally. I can't recall
the port # off the top of my head, but I can get it to you if
you email me.

Some of my research with the PIX, mostly involving analysis of
the syslog entries that appear when certain types of attacks are
attempted, can be found at http://www.sans.org/y2k/110300.htm
in the SANS Institute Global Incident Analysis Center (GIAC)
posting from that day. The GIAC is a great thing to read if you
are into intrusion detection and the like.

One of the things I found, at least with one particular configuration
of the PIX, is that when the firewall IP address itself is attacked
in certain ways, the syslog does not indicate the attack details
and appears to be looking only for an IPSec packet; not finding an
IPSec packet, it pukes but provides no information on the attack
that it was just hit with. Of course an IDS could pick this up, but
for organizations that rely on syslog this is not a good thing.
I would love to discuss this with other PIX owners and try to
understand what's going on.


Curt Wilson
Netw3.com consulting




=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
| Curt R. Wilson   *   NetW3.COM Consulting    www.netw3.com  |
|    Internet Security, Networking, PC tech,  WWW hosting     |
|  Serving Southern Illinois locally and the world virtually  |
|            netw3 () netw3 com     618-353-7418                 |
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
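The syslog behaviour described above (the firewall logging only a "not an IPSec packet" complaint, with no attack detail, when its own address is hit) is exactly the kind of thing a syslog-only shop can still triage if it treats those records as a signal in their own right. The following is an added example, not code from the post or from Cisco: it parses a handful of constructed PIX-style syslog lines, separates the informative access-group deny records from the uninformative not-IPSec records, and flags any source that produces a burst of the latter, which is the cue to go and look at the IDS or a packet capture for what actually arrived. The message IDs (402106, 106023) and field layouts are taken from my own recollection of PIX-era syslog output and should be treated as assumptions to be checked against your firewall's real messages.

```python
"""Triage helper for PIX syslog (added example, not part of the original post).
Separates informative deny records from the uninformative 'not an IPSEC packet'
records seen when the firewall's own address is targeted, and flags bursts."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real logs). The shapes follow PIX-era syslog
# IDs as I recall them (402106 "Rec'd packet not an IPSEC packet", 106023 deny
# by access-group); the exact wording is an assumption, adjust the regexes to
# match your own firewall's output. Addresses are documentation ranges.
SAMPLE_LOG = """\
Nov 30 22:01:05 pix %PIX-4-106023: Deny tcp src outside:203.0.113.9/40111 dst dmz:192.0.2.10/23 by access-group "outside_in"
Nov 30 22:01:06 pix %PIX-4-402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 198.51.100.1, src_addr= 203.0.113.9, prot= tcp
Nov 30 22:01:06 pix %PIX-4-402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 198.51.100.1, src_addr= 203.0.113.9, prot= tcp
Nov 30 22:01:09 pix %PIX-4-402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 198.51.100.1, src_addr= 203.0.113.9, prot= tcp
Nov 30 22:03:40 pix %PIX-4-402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 198.51.100.1, src_addr= 203.0.113.77, prot= udp
Nov 30 22:05:12 pix %PIX-4-106023: Deny udp src outside:203.0.113.9/5353 dst dmz:192.0.2.10/161 by access-group "outside_in"
"""

HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ %PIX-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$")
DENY = re.compile(
    r"Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
NOT_IPSEC = re.compile(
    r"dest_addr= (?P<dst>[\d.]+), src_addr= (?P<src>[\d.]+), prot= (?P<proto>\w+)")

BLIND_ID = "402106"  # record that only says "not IPSec": no attack detail at all
DENY_ID = "106023"   # record that names protocol, source, destination and port


def parse_line(line, year=2000):
    """Return a dict for one syslog line, or None if it is not a PIX record."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies one so ordering works
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    rec = {"ts": ts, "id": m.group("id"), "severity": int(m.group("sev")),
           "text": m.group("text")}
    body = DENY.search(rec["text"]) if rec["id"] == DENY_ID else NOT_IPSEC.search(rec["text"])
    if body:
        rec.update(body.groupdict())
    return rec


def max_in_window(times, window_seconds):
    """Largest number of events from one source inside any window (two pointers)."""
    times = sorted(times)
    best, j = 0, 0
    for i in range(len(times)):
        while (times[i] - times[j]).total_seconds() > window_seconds:
            j += 1
        best = max(best, i - j + 1)
    return best


def triage(log_text, window_seconds=60, threshold=3):
    """Split records into informative denies and 'blind' not-IPSec hits, and list
    sources whose blind hits reach `threshold` inside `window_seconds`."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    denies = defaultdict(list)
    blind = defaultdict(list)
    for r in records:
        if r["id"] == DENY_ID and "src" in r:
            denies[r["src"]].append((r["proto"], r["dst"], int(r["dport"])))
        elif r["id"] == BLIND_ID and "src" in r:
            blind[r["src"]].append(r["ts"])
    bursts = {src: max_in_window(ts, window_seconds) for src, ts in blind.items()}
    flagged = sorted(src for src, n in bursts.items() if n >= threshold)
    return {"denies": dict(denies),
            "blind_hits": {s: len(t) for s, t in blind.items()},
            "flagged": flagged}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for src, hits in result["denies"].items():
        print(f"deny  {src}: {hits}")
    for src, n in result["blind_hits"].items():
        print(f"blind {src}: {n} not-IPSec record(s), no attack detail logged")
    for src in result["flagged"]:
        print(f"FLAG  {src}: burst of blind hits against the firewall itself; check IDS/pcap")
```

The point of the split is that a deny record already tells you what was tried, whereas a run of 402106 records tells you only that something reached the firewall's own address and was not an IPSec packet; correlating the source of that burst with the deny records it also generated (here 203.0.113.9 touched telnet and SNMP on the DMZ host in the same few minutes) is about as far as syslog alone can take you, and the flag is the hand-off to the IDS.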

