Penetration Testing mailing list archives
Re: [PEN-TEST] PIX Firewall Question
From: "NetW3.COM Consulting" <netw3 () NETW3 COM>
Date: Thu, 30 Nov 2000 23:39:13 -0600
At 03:49 PM 11/30/2000 -0500, you wrote:
> Does anybody have any idea of what ports show up on a PIX firewall? Does PIX run on Cisco IOS?
An Internet-in scan of a PIX firewall I work with indicated that only port 443 was seen to be open when scanned with nmap. In this case, port 443 was opened intentionally with a static nat and a conduit allow statement. I performed some other scans with nmap, I forget the flags, perhaps FIN-ACK or some other attempt at tricking firewall state; this scan demonstrated the filtered telnet port. The telnet port was actually only open on the interface to the inside network and the protected DMZ; the outside denied everything but icmp (I know, not the best choice of allows) and TCP 443, yet nmap was able to detect the listening port on the DMZ/internal interface from the outside. I don't know if there is actually any real exploitability from this, but it at least offers the chance to study their implementation of filtering.

Scanning the firewall interface from the internal network revealed one more port open in addition to 443, and it was not a port that we opened intentionally. I can't recall the port # off the top of my head, but I can get it to you if you email me.

Some of my research with the PIX, mostly involving analysis of the syslog entries that appear when certain types of attacks are attempted, can be found at http://www.sans.org/y2k/110300.htm in the SANS Institute Global Incident Analysis Center (GIAC) posting from that day. The GIAC is a great thing to read if you are into intrusion detection and the like.

One of the things I found, at least with one particular configuration of the PIX, is that when the firewall IP address itself is attacked in certain ways, the syslog does not indicate the attack details and appears to be looking only for an IPSec packet; not finding an IPSec packet, it pukes but provides no information on the attack that it was just hit with. Of course an IDS could pick this up, but for organizations that rely on syslog this is not a good thing. I would love to discuss this with other PIX owners and try to understand what's going on.
Curt Wilson
Netw3.com consulting

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
| Curt R. Wilson * NetW3.COM Consulting www.netw3.com |
| Internet Security, Networking, PC tech, WWW hosting |
| Serving Southern Illinois locally and the world virtually |
| netw3 () netw3 com 618-353-7418 |
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=