<<< Date Index >>>     <<< Thread Index >>>

Re: Potential Security Flaw in Symantec Gateway Security 360R



In-Reply-To: <BCEBFFBB.ED1%devnull@xxxxxxx>

  I have tested this thoughrouly and reproduced the symptoms of the reported 
issue. When Enforce VPN is enabled for internal wireless traffic on the 
appliance something interesting happens. The appliance changes the virtual lan 
mac addresss to that of the wireless nic installed on the appliance. This can 
cause some confusing results.

Explanation:
The firmware loads the mac address of the firewall appliance/vpn gateway 
assigned to the virtual interface on the lan side. When either using wireless 
or connected to the internal lan ports of the 360 that mac address is cached by 
the clients/servers on the lan. A unique feature of the SGS 360 appliance is 
that instead of using WEP you can secure your wireless connection by using 
Symantec VPN client which terminates at the appliance. In this manner all 
traffic from the wireless client uses ipsec through the vpn tunnel to the lan 
instead of WEP. To accomplish this you must selct "Enforce VPN Tunnels/Disallow 
IPSec pass thru" or "Enforce VPN Tunnels/Allow IPSec pass thru" setting which 
enforces the vpn traffic to the appliance to the lan. 

Heres what happens next:
When  "Enforce VPN Tunnels/Disallow IPSec pass thru" or "Enforce VPN
>Tunnels/Allow IPSec pass thru" setting is saved, the mac address of the 
>wireless card now binds its mac address to the virtual interface instead of 
>the original lan mac address.( it actually assumes the mac of the wireless 
>nic) "The mac address on the lan interface is now that of the wireless" Since 
>the clients/servers on the lan and the wireleless clients already have the 
>original mac address of the vitual interface cached in the ARP table, they are 
>still attached the lan segment, until they are rebooted, the ARP cache 
>cleared, or the ARP table times out in approximately 10 minutes. Since all 
>traffic should now only be allowed to the lan when the VPN internal tunnel is 
>connected,the observation that you can still ping the lan due to the arp cache 
>not being cleared, one could conclude that  "Enforce VPN Tunnels/Disallow 
>IPSec pass thru" or "Enforce VPN>Tunnels/Allow IPSec pass thru" settings are 
>not working.

Test results:
The fact is that enforcing the vpn tunnels does work in the tests but that the 
appliance does not send out a gratuitous ARP to clear the clients arp cache. 
Therefore it appears that even though the enforcment of the VPN is enabled, for 
several minutes you can still ping the lan. WHEN THE CACHE IS CLEARED YOU CAN 
ONLY PASS TRAFFIC TO THE LAN THROUGH THE VPN TUNNEL as it should. Reason being 
the clients/servers now have the mac address of the wireless card cached in the 
arp table. So unless you pass traffic through the connected VPN you can not get 
to the lan segment, which does work. This was repeated in tests many times 
successfully.

Conclusion:
This is more of a design issue than anything else, and I am sure it can be 
corrected by changeing the firmware to send gratuitous arps on the lan when the 
wireless mac address is bound to the virtual interface, or similar code change
 


RE:
>Has anyone experienced this problem? Can anyone reproduce it?
>