Surprised and Alarmed !!


haknwak (MIS), Jul 23, 2002
As security professionals we take charge of making sure no one can break into our networks. In fact our PIX boxes are often the front line in that defense.

Yet I see many people here posting live IP addies from their devices and networks. That is tantamount to "giving the keys to the kingdom" to everyone on the Internet. I have to say it is extremely dangerous and very poor security practice to EVER post your public IP info anywhere.

It only takes a few minutes to copy/paste a config or syslog entry into notepad and replace IP addies with text - like MY.IP.NET.123 .

The time spent doing this up front will be dwarfed by the time spent repairing the results of a break-in by someone who found out too much about you on a public discussion board.

There's another issue I'd like to mention as well - it has to do with posting your config and in particular the scrambled output of an encrypted password.

Let's say your config said this:

"enable password gY76%(jU/eQcfFX7Y3^fFX1s1k encrypted"

and you pasted it up here

An unscrupulous person could easily reverse engineer that string into clear text and break into your PIX.

In fact, the output of a sh conf, including the hashed passwords as shown above, will paste right back into the PIX and result in the same clear text password as before.

Give away a clear text set of passwords to your public IP and voilà!! Instant break-in

Does that tell you something about being careful here? Always take the time to replace any public IP address info to something text, even do your private network, and always replace your password info with all asterisks or even remove it from what you paste up here.

Best regards to all

haknwak

ps - the name has nothing to do with my purpose in life - I used to use that back in the 14.4 modem BBS days and it sort of stuck.
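A script that does the sanitizing described above before a config or syslog excerpt is pasted anywhere: every distinct address becomes a stable MY.IP.NET.n placeholder (so the relationships between lines survive for whoever is helping), netmasks are left readable, and the hash on any "enable password"/"passwd" line is replaced with asterisks. This is an added example, not code from the original post; the sample config and hash below are constructed.

```python
import re

# Constructed sample: a PIX-style excerpt with made-up addresses and a
# made-up password hash (not output from any real device).
SAMPLE_CONFIG = """\
PIX Version 6.3(3)
enable password gY76%(jU/eQcfFX7Y3^fFX1s1k encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
ip address outside 203.0.113.10 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
static (inside,outside) 203.0.113.12 192.168.1.20 netmask 255.255.255.255
access-list acl_out permit tcp any host 203.0.113.12 eq www
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Password lines: keep the keyword and trailing words, redact the hash token.
PASSWORD_RE = re.compile(
    r"^(\s*(?:enable password|passwd|password)\s+)(\S+)(.*)$", re.IGNORECASE)


def is_netmask(ip):
    """True for a contiguous mask such as 255.255.255.0 (or 0.0.0.0 / 'any');
    masks carry no identity, so they stay readable in the pasted text."""
    bits = "".join(f"{int(o):08b}" for o in ip.split("."))
    return "01" not in bits


def sanitize_config(text):
    """Return (sanitized_text, ip_map) for a config or syslog excerpt.
    ip_map records which real address became which placeholder; keep it
    private, it is only for mapping advice back to your own config."""
    ip_map = {}

    def replace_ip(match):
        ip = match.group(0)
        if is_netmask(ip):
            return ip
        if ip not in ip_map:
            ip_map[ip] = f"MY.IP.NET.{len(ip_map) + 1}"
        return ip_map[ip]

    out = []
    for line in text.splitlines():
        m = PASSWORD_RE.match(line)
        if m:  # redact the hash itself, not the whole line
            line = m.group(1) + "*" * 8 + m.group(3)
        out.append(IPV4_RE.sub(replace_ip, line))
    return "\n".join(out) + "\n", ip_map
```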
 
I think that it is true, that it is good practice not to post your exact configs, but I would like to start a discussion on the realities behind this information being public. What do some of you think? Here are some points that popped into my head:

1. If you have your password listed, it can be decrypted easily, and there is a good chance that it is used for some of your other systems. Question is, with the restrictions of who can telnet to the PIX, is the posting of the passwords the problem, or the practice of reusing passwords on multiple machines and allowing large groups of IP addresses to be able to telnet into the box? If you have telnet access, it would not be too hard to brute force your way in by writing a little proggie in VB and feeding it a dictionary or two. (I still think you shouldn't post your encrypted password, but I am attempting to get beneath the surface of this one.)

2. IP addresses are publicly available, and information like web and mail server addresses are easy to find out as well (list the DNS zone) and it does not take a person very experienced with firewalls to figure out what ports would be open to let these systems work. If the NIQ (network in question) has ICMP enabled, then you could map out a rather large portion of the firewall config.

For now I am leaving out the practice of reading syslogs and IDS, as they do not always prevent so much as alert, and in small shops, it might not be financially feasible to get more robust systems in place that dynamically block communication. Again, I agree with the above post for all practical purposes, but I would like some other views or angles...
 
Tierss - sorry to post again but - this is another angle to my earlier post.

1) Both practices are equally dangerous IMO. Both break some of the fundamental security rules.

2) Anyone who posts such info has obviously never been part of or witness to a break-in and the havoc it can cause. Your company could lose everything to lawsuits from clients who would rightfully claim you endangered their data.

Anybody here wanna post up their personal bank accounts and PINS?

How about their Bank address, safe deposit number and a nice scan of their safe deposit key, a recent photo of themselves and their signature?

Maybe their home address, the make and serial number of their lock, and the code for their home security system?

How about the license plate and VIN number of their vehicle?

How about a nice scan of your drivers license front and back.

Or maybe your credit card number, expiration date, signature and the security code?

Any of these are the personal equivalent of posting your full config of any public facing corporate network device.

"If you lived here, you'd be home by now!"

George Carlin
 
If somebody on this forum really wanted to, they could trace you back to your company and begin messing with it anyways...

Hiding the IPs isn't all that big a deal (they are public anyways). However, definitely hide the encrypted password.

2;-)
 
hardly baddos - not from tek-tips - I have never posted from a company IP addie, did not use a company e-mail address, have never posted anything about my company.

And yes the company IP addresses themselves are public - but how they are used is private and it will stay that way

That's not a challenge, just fact. They would need to perform much more devious and illegal actions to attain information about my company - actions that would in themselves land them in jail - before they could start identifying or any cracking of company assets.

"If you lived here, you'd be home by now!"

George Carlin
 
I don't see the problem with displaying your public IP addresses. If someone knows your company name, it's a matter of seconds before he has your entire scope of public addresses, and now easily knows what ports are open on your firewall, and can begin working on those.

It's just a matter of whois/dns/portscans....not difficult.
The password however I completely agree, don't share either the hash or the real one (duh); however, you would always apply access restrictions to both ssh and telnet on a firewall.

My 2 Cents
 
dopehead - suit yourself - and I hope you don't shoot yourself in the foot.

We're talking network security 101 here - the fundamentals - gradeschool level security.

If anyone is too lazy to protect themselves, they deserve whatever may happen to them as a result.

"If you lived here, you'd be home by now!"

George Carlin
 
haknwak... Just because someone doesn't follow your example, doesn't mean they're going to shoot themselves in the foot.

If you want to follow your theory here, posting any of your firewall config is jeopardizing security 101.

By not posting your password, you are ensuring that someone won't get into your PIX granted they can't crack or exploit the PIX. Any port scanner can see what your PIX's access-lists are allowing, as well as what OS the hosts are running.

-Bad Dos
 
LOL!! Bad Dos - you missed the point!!

/rant

Fact of the matter is - Without real information such as live IP addies, password hashes, domain names etc, the info in a configuration is useless to a would-be attacker.

but

Given the above information, a would-be attacker can eliminate all the groundwork and go straight to work. In fact, with a complete config they have enough to start running focussed exploits.

Let's talk SSH, VPN, AAA etc. With a complete config they can begin exploiting those services as well. And, as I assume you know, compromise of an SSH tunnel is complete access to all resources behind it. Compromise of AAA or other authentication databases is complete access to everything they govern.

Sure, they can scan your network but Why give it away???

Ever read about exploits and attack methods? I'll bet not - else you never would have made such an uninformed statement.

I'll offer up a few resources I regularly read - Poke around and visit regularly - you'll learn lots and lots.

In no particular order -

Der-Keiler - List of Lists
Firewall Wizards
WhiteHat

I've said all I need to say here. It's all detailed in my FAQ at


/end_rant

"If you lived here, you'd be home by now!"

George Carlin
 
Whatever dude. You're basically asking people not to post to the firewall forum. How can people struggling with their firewall get help if the people helping can't see what their configuration is?
 
bad dos - did you even bother to read my FAQ - or any of the other resources I posted? Probably not. You just sittin there complaining.

Now go ahead and badmouth me - I been there done that. I offered you tools and resources - use them or not. It doesn't matter to me.

"If you lived here, you'd be home by now!"

George Carlin
 
I was rebutting your post on how people shouldn't post their configuration files. I haven't read your FAQs or other links, since I was talking about this post.
 
okay baddos - but never, nowhere, did I say not to post your configuration. Maybe not your raw config or not the entire config.

You're right - one could not seek help without showing their configuration.

Now, let's get on with getting help and helping others.

Peace

"If you lived here, you'd be home by now!"

George Carlin
 