RE: SGS 5400 firewalls

From: Paul Melson (pmelson@gmail.com)
Date: Mon Mar 13 2006 - 09:56:35 EST


-----Original Message-----
Subject: RE: SGS 5400 firewalls

> You might want to start by looking for TCP port 2456. This is the SSL web
based management
> port. Admin is a good username to start with. Also look for TCP port 22
(i.e. OpenSSH).
>
> Be advised, if the admins are smart, they have added filters to protect
these ports external
> connections. The logging is also very good so whatever you try, they
should notice it.

By default, SGMI (port 2456) is only accessible via the interface that is
designated as the 'Inside' interface as configured via the front panel LED.
Additionally, instead of a traditional SSH connection, these firewalls use a
proprietary service the vendor calls Secure Remote Login that listens on
TCP/423 (not TCP/22). This service relies on both a shared secret for the
SRL service as well as valid firewall admin credentials (so 1 user/pass
pair, plus a shared secret). It requires a custom client that Symantec
provides (a modified TeraTerm Pro) called srlclient8. This service is also
only accessible via the 'Inside' interface by default.

So if this is an external pen test of the firewall, and you can connect to
2456 (should get SSL challenge for cert signed by internal CA) or TCP/423,
these are findings in and of themselves, regardless of whether or not you
can actually authenticate and use these services to gain access to the
device.

PaulM

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
As attacks through web applications continue to rise, you need to proactively
protect your applications from hackers. Cenzic has the most comprehensive
solutions to meet your application security penetration testing and
vulnerability management needs. You have an option to go with a managed
service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm).
Download FREE whitepaper on how a managed service can help you:
http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com
------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:40 EDT