A somewhat common configuration of Cisco PIX firewalls may permit a window of opportunity in which an intruder can bypass the firewall. This problem was first publicly described in July, 1998.
Cisco PIX firewalls protecting servers that offer services to the Internet at large are generally configured to provide a "static" NAT mapping to those servers. "Conduits" are then specified, allowing inbound traffic to specific services on specific ports.
Cisco described this problem in July, 1998, in a Cisco Tech Note. Quoting from that document,
If a PIX firewall is configured to allow "established" connections, an intruder who can establish a connection to any port on a machine behind the firewall can, for at least a few minutes, establish a connection to ANY port on that machine, thus defeating the purpose of the firewall in the first place. Further quoting from the Cisco Tech Note:
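The window described above, modelled as an added example (not Cisco's code or configuration): a small Python stand-in for PIX-style inbound filtering in which an `established` rule without a narrowing port list lets a peer that already holds one connection to a host reach its other ports until that connection ages out. The timeout value, host name and addresses are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

ESTABLISHED_TIMEOUT = 300  # seconds; assumed stand-in for the "few minutes" window


@dataclass
class Firewall:
    """Model of PIX-style inbound filtering. Conduits open explicit (host, port)
    pairs. With an `established` rule, a peer that already holds a connection to a
    host is also let through to other ports on that host: any port if permit_to
    is None (the risky case the note describes), or only the ports listed."""
    conduits: set
    established: bool = False
    permit_to: Optional[frozenset] = None
    conn_table: dict = field(default_factory=dict)  # (peer, host) -> last_seen

    def admit(self, peer, host, port, now):
        """Return True if an inbound SYN from peer to host:port is permitted."""
        if (host, port) in self.conduits:
            self.conn_table[(peer, host)] = now
            return True
        if not self.established:
            return False                      # no side channel without the rule
        last = self.conn_table.get((peer, host))
        if last is None or now - last > ESTABLISHED_TIMEOUT:
            return False                      # no live connection from this peer
        if self.permit_to is not None and port not in self.permit_to:
            return False                      # a permit-to list narrows the opening
        self.conn_table[(peer, host)] = now   # the new connection renews the window
        return True


def demo():
    peer, web = "203.0.113.5", "web"          # constructed sample values
    risky = Firewall({(web, 80)}, established=True)
    narrowed = Firewall({(web, 80)}, established=True, permit_to=frozenset({20}))
    strict = Firewall({(web, 80)})
    for fw in (risky, narrowed, strict):
        fw.admit(peer, web, 80, now=0)        # the legitimate HTTP connection
    return {
        "risky_telnet_in_window": risky.admit(peer, web, 23, now=60),
        "risky_telnet_after_window": risky.admit(peer, web, 23, now=1000),
        "narrowed_telnet": narrowed.admit(peer, web, 23, now=60),
        "strict_telnet": strict.admit(peer, web, 23, now=60),
        "stranger_telnet": risky.admit("198.51.100.9", web, 23, now=60),
    }
```

Only the `risky` firewall admits the port 23 connection, and only while the HTTP connection is still counted as live; the narrowed, strict and unrelated-peer cases are all refused.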
Our thanks to Cameron MacKinnon who reported this vulnerability to us, and to Cisco, for the information contained in their Tech Note.
This document was written by Shawn V Hernan.
Date First Published: 2002-01-04
Date Last Updated: 2002-01-04 00:55 UTC