COMMAND

    Raptor

SYSTEMS AFFECTED

    Raptor 6.5

PROBLEM

    Lysel Christian Emre found the following.  The Raptor firewall  is
    vulnerable to forwarding http requests to port numbers other  than
    80 if a rule allows http traffic.  Redirect rules do not affect
    this problem.

    When an external or internal client configures itself to use  the
    nearest firewall interface as its proxy, it is possible to  access
    ports other than 80 on the target host.

    Only the  http protocol  is allowed  and only  to a  range of  TCP
    ports: TCP, 79-99 and TCP, 200-65535.

    If a port outside this range is targeted, an Alert will be issued.

    An example of what this vulnerability could be used for:
        Setting a Raptor  firewall up, allowing  Universe to access  a
        local  web  server  (host:  webserver),  listening  on port 80
        (normal  website)  and  2000  (admin  site).   This would give
        external  users  access  to  the  admin site listening on port
        2000,  if  the  client  is  configured  to  use  the  external
        interface as a proxy server (for lynx:
        "export http_proxy=http://external-interface:80/ ;
        lynx http://webserver:2000/").

    This works  not only  for external  users, but  also for  internal
    users.  Testing of the Secure Socket Layer has not been performed.

SOLUTION

    1. Use httpd.noproxy in the affected rule.
    2. Downgrade to version 6.0.2.
    3. Apply hotfixes SG6500-20000920-00 and SG6500-20001121-00:

        ftp://ftp.axent.com/pub/RaptorFirewall/Patches/6.50/Internal/http-int.zip

    Hot Fix SG6500-20000920-00 9/20/2000
    =====================================
    If a client uses the firewall as a proxy, the firewall will forward
    the request to  ports other than  80 on the  server.  This  vulner-
    ability is fixed by closing all ports for the proxy except 80  and
    any port specified by httpd.allow_proxy_to_port_xxx=1.

    Hot Fix SG6500-20001121-00 11/21/2000
    =====================================
    This hotfix removes the implementation of
    httpd.allow_proxy_to_port_xxx.  Without this implementation, the
    firewall could be used as a proxy to access (inbound and outbound)
    http ports other than 80.

    Workaround:
    1. Disable the http proxy, and  use the TCP proxy.  But  this will
       introduce other security concerns.
    2. Disable other listeners at the webserver.
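    The following Python snippet is added here as an illustration and is
    not part of the advisory or of the vendor hotfix.  It models the two
    proxy behaviours the advisory describes: the unpatched firewall
    forwarding proxied requests to TCP 79-99 and 200-65535 (Alert for
    anything else), and the hotfix's port allow-list (80 plus explicitly
    enabled ports).  The request lines, host names and the allow-list
    representation are constructed assumptions for the example.

```python
from urllib.parse import urlsplit

# Port ranges the advisory says the unpatched proxy forwarded to;
# anything outside them raised an Alert (taken from the PROBLEM text).
VULNERABLE_RANGES = ((79, 99), (200, 65535))


def target_of(request_line):
    """Return (host, port) for a proxy-style request line such as
    'GET http://webserver:2000/ HTTP/1.0' (absolute URI form)."""
    _method, uri, _version = request_line.split(" ", 2)
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an absolute-URI proxy request: %r" % request_line)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port


def unpatched_decision(port):
    """Behaviour described in PROBLEM: forward if in range, else Alert."""
    for low, high in VULNERABLE_RANGES:
        if low <= port <= high:
            return "forward"
    return "alert"


def patched_decision(port, allowed_ports=frozenset({80})):
    """Behaviour of hotfix SG6500-20000920-00: forward only to 80 and
    to ports explicitly enabled (httpd.allow_proxy_to_port_xxx=1),
    modelled here as an explicit allow-list (assumption)."""
    return "forward" if port in allowed_ports else "deny"


def audit(request_lines, allowed_ports=frozenset({80})):
    """Classify request lines as a log review would, showing which
    proxied requests reached ports the rule never intended to expose."""
    findings = []
    for line in request_lines:
        host, port = target_of(line)
        findings.append({"host": host, "port": port,
                         "unpatched": unpatched_decision(port),
                         "patched": patched_decision(port, allowed_ports)})
    return findings


# Constructed sample request lines mirroring the advisory's lynx example.
SAMPLE_REQUESTS = ["GET http://webserver/ HTTP/1.0",
                   "GET http://webserver:2000/ HTTP/1.0",
                   "GET http://webserver:8080/admin/ HTTP/1.0",
                   "GET http://webserver:22/ HTTP/1.0"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUESTS):
        print(finding)
```

    Passing additional ports in allowed_ports reproduces the first hotfix's
    behaviour; leaving the default reproduces the second hotfix, which
    permits port 80 only.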

    The patch can be downloaded from (for the international version):

        ftp://ftp.axent.com/pub/RaptorFirewall/International/Patches/NT6.5/

    If  you're  using  service  redirection  on the Raptor system (for
    example, for connections  to your Web  server) and you  don't want
    to allow users connecting through the Raptor system to be able  to
    use it as a proxy, create a Rule and enter the following into  the
    Advanced Services tab:

        http.noproxy

    This provides you  with more security  protection, in addition  to
    the added flexibility (vs. a packet filter or stateful  inspection
    product)  since  it  eliminates  the  need for completely shutting
    down the proxy capability of your internal Web servers.

    Additionally,  in  an  effort  to  provide  the  highest  level of
    manageability and security to our customers, Raptor will introduce
    an  enhancement  to  their  Management  Console  (GUI) whereby the
    HTTP.NOPROXY functionality will be permanently exposed.  They also
    intend to change the default to disable the HTTP proxy  capability
    on all external interfaces, and  leave it enabled on all  internal
    interfaces.   This will  provide your  security administrator  the
    option to manage the default behavior as desired while  defaulting
    to a more secure initial state "out-of-the-box".