Symantec is aware of an ARP poisoning issue with Symantec's Firewall/VPN product reported on the BugTraq mailing list. The issue only occurs on the trusted LAN ports of the affected appliances. It could affect Symantec Firewall/VPN Appliance deployments and could allow a malicious internal user to use ARP poisoning techniques to intercept traffic intended for the management port.
Credit:
The information has been provided by
and Sym Security.
Vulnerable systems:
* Symantec Firewall/VPN 100 (all firmware versions)
* Symantec Firewall/VPN 200 (all firmware versions)
* Symantec Firewall/VPN 200R (all firmware versions)
Users inside the corporate network (LAN) are able to sniff the administrator's password by means of ARP poisoning.
To avoid this problem, Juan de la Fuente Costa tried to hardcode the administrator's MAC address in the firewall's configuration. This was not a working solution, as it was still possible to perform the attack in that scenario.
Symantec Recommendation:
Symantec has determined that the Symantec Firewall/VPN appliances operate as designed. However, the following procedures can be implemented if a secure internal remote administration is required.
The Symantec Firewall/VPN Appliances can be remotely managed securely using IPSEC technology through the outside WAN ports. Symantec recommends that if ARP poisoning is of concern in your internal environment, you manage the appliance through a gateway-to-gateway VPN tunnel on the model 100/200/200R or through a client-to-gateway VPN tunnel on the model 200R. In addition, administrators can use the second WAN port of the 200/200R as an isolated local management port, thus preventing a rogue internal user from sniffing the directly connected wire.
Protecting against ARP attacks requires a combination of techniques and tools. For example, there are tools available in the field that will alert administrators when an ARP request has caused a change in a MAC-IP address entry. These are useful for detecting anomalies; however, they often require trade-offs in network management, for example DHCP must be disabled. Additional protection is sometimes provided natively by operating systems. Certain Microsoft operating systems will detect a duplicate IP address on a LAN (an indication of a possible ARP spoofing attack). Others allow you to lock down the entries in your ARP table so that, once the table is populated, a rogue system is not able to reset an entry to another MAC or IP address. Another alternative is to encrypt all traffic using secured protocols such as SSL, SSH, or IPSEC to provide data confidentiality and data integrity for sensitive communication.