
WatchGuard Firewall - discovering internal IPs

    WatchGuard Firewall


    Those using WatchGuard Firewall


    Alfonso Lazaro found the following.  He found a misconfiguration in
    the default configuration of WatchGuard Firewall.  By default it
    appends a rule that accepts pings from any to any.  So if our
    Firebox is defending our internal network ( 192.168.x.x ... ) and
    our WG Firewall is a proxy with an external IP on the Internet
    (hypothetical IP address) the attacker can change his/her routes
    like so:

        # route add -net netmask gw

        # ping
        PING ( 56 data bytes
        64 bytes from icmp_seq=0 ttl=251 time=514.0 ms


        # ping
        PING ( 56 data bytes
        64 bytes from icmp_seq=0 ttl=251 time=523.0 ms


    and so on ...  The attacker can now discover internal network IPs
    and attack them:

        # ping -f


    Solution is easy ...  do not let pings to the internal network.  Not
    to detract from the security implications of allowing echo-request
    inbound unchecked, but in most cases the above would be of little
    use.  Every router between the attacker and the WatchGuard firewall
    would need to be configured to point  towards the firewall,
    something that is not going to happen per the RFCs (unless the
    attacker also compromises each router along the link).  The above
    attack pattern would only be useful in the following cases:

        1) The attacker can source-route inbound traffic
        2) The protected network is actually legal, routed address space
        3) The attacker gains access to the wire between the firewall
           and the Internet router

    If #1 works, shame on you.  If #3 works, you have bigger  problems
    than ICMP through the firewall.
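
    The discussion above turns on two separate questions: what the
    firewall's ICMP rule lets through, and whether a packet addressed
    to 192.168.x.x can reach the firewall from the attacker's position
    at all.  The following Python model, added here as an example and
    not taken from the original report or from WatchGuard, works
    through both.  The firewall address 203.0.113.1, the other
    addresses and the rule format are assumptions for illustration;
    the two rule sets are a plain first-match model, not Firebox
    configuration syntax.

```python
"""Toy model of the scenario above: an added example, not code from the report,
from WatchGuard or from any Firebox configuration.  It pairs an ICMP policy
resembling the reported "ping from any to any" default with a tightened one,
and replays the per-hop forwarding decisions that determine whether the
attacker's hand-added route ever gets a packet to the firewall at all.  All
addresses and the rule format are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("192.168.0.0/16")  # protected network
FW_EXT = ipaddress.ip_address("203.0.113.1")       # firewall's external IP (assumed)
FW_LINK = "203.0.113.0/24"                         # wire between Internet router and firewall
ECHO_REQUEST, ECHO_REPLY = 8, 0

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: int = ECHO_REQUEST

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[int] = None  # None matches every ICMP type

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst
                and self.icmp_type in (None, pkt.icmp_type))

def evaluate(rules, pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins, as in most packet filters."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Resembles the reported default: ping accepted from any to any.
DEFAULT_RULES = [Rule("allow", ANY, ANY)]

# Tightened: inside may ping out, outsiders may ping only the firewall's own
# address, echo-request aimed at the protected range is refused.  (A stateful
# filter would admit replies by tracking requests instead of the blanket
# echo-reply rule used here to keep the model small.)
HARDENED_RULES = [
    Rule("allow", INTERNAL, ANY, ECHO_REQUEST),
    Rule("allow", ANY, INTERNAL, ECHO_REPLY),
    Rule("allow", ANY, ipaddress.ip_network(f"{FW_EXT}/32"), ECHO_REQUEST),
    Rule("deny", ANY, INTERNAL),
]

class Node:
    """A host or router: directly connected networks plus static routes."""
    def __init__(self, name, connected, routes):
        self.name = name
        self.connected = [ipaddress.ip_network(n) for n in connected]
        self.routes = [(ipaddress.ip_network(p), ipaddress.ip_address(gw)) for p, gw in routes]

    def next_hop(self, dst):
        """Longest-prefix match -> (gateway, usable).  A gateway that is not on a
        connected network is unreachable; the kernel rejects such a route add."""
        dst_ip = ipaddress.ip_address(dst)
        matches = [(n, gw) for n, gw in self.routes if dst_ip in n]
        if not matches:
            return None, False
        _, gw = max(matches, key=lambda m: m[0].prefixlen)
        return gw, any(gw in net for net in self.connected)

# Internet router: per the RFCs it has no entry sending 192.168.0.0/16 to the
# Firebox, so such packets simply follow its default route.
ISP = Node("isp-router", ["198.51.100.0/24", FW_LINK, "192.0.2.0/24"],
           [("0.0.0.0/0", "192.0.2.1")])
# Attacker somewhere on the Internet who adds the route from the report.
REMOTE = Node("remote-attacker", ["198.51.100.0/24"],
              [("0.0.0.0/0", "198.51.100.1"), ("192.168.0.0/16", str(FW_EXT))])
# Case 3 above: attacker on the segment between Internet router and firewall.
ON_WIRE = Node("on-wire-attacker", [FW_LINK],
               [("0.0.0.0/0", "203.0.113.254"), ("192.168.0.0/16", str(FW_EXT))])

def simulate(attacker: Node, upstream: Node, rules, dst: str) -> str:
    """Follow one echo-request from the attacker towards dst."""
    pkt = Packet(src=str(attacker.connected[0][10]), dst=dst)
    gw, usable = attacker.next_hop(dst)
    if gw is None:
        return "no route on attacker host"
    if not usable:
        return f"route via {gw} unusable: gateway is not on a connected network"
    if gw != FW_EXT:
        # Handed to the upstream router, which consults its own table; the
        # attacker's route entry has no influence on that decision.
        gw2, _ = upstream.next_hop(dst)
        if gw2 != FW_EXT:
            return f"forwarded by {upstream.name} to {gw2}, never reaches the firewall"
    return f"reaches firewall, policy says {evaluate(rules, pkt)}"

if __name__ == "__main__":
    for node in (REMOTE, ON_WIRE):
        for label, rules in (("default", DEFAULT_RULES), ("hardened", HARDENED_RULES)):
            print(f"{node.name:17} {label:8} {simulate(node, ISP, rules, '192.168.1.5')}")
```

    Run stand-alone, the remote attacker never gets past his own
    routing table (the gateway is not on his link), while the attacker
    on the firewall's outside segment reaches the Firebox and is then
    admitted by the any-to-any rule and refused by the tightened one.
    The model is deliberately stateless; a real deployment would let
    the firewall's state table, not a blanket echo-reply rule, decide
    which replies come back in.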

    At WatchGuard, preliminary analysis is that the reported behavior
    is not traceable to the default configuration files.  In the
    absence of any further information from Sr. Lazaro, it is believed
    that his report of a vulnerability in Firebox default configuration
    files is in error.
