A UK-based security testing firm, NTA Monitor, on Tuesday said it uncovered separate flaws in Check Point Software Technologies' FireWall-1/VPN-1 that enable intruders to guess and to sniff valid usernames, dramatically easing their ability to break into a network. Check Point quickly dismissed the company's findings as essentially old news and said it provides alternatives that address the issues NTA raises.

When using the Internet Key Exchange (IKE) protocol to authenticate users, FireWall-1 allows remote users to determine whether a username is valid without having to submit the appropriate password at the same time, NTA says. That enables intruders to use a dictionary attack to guess valid usernames. From there, the intruder can use the same technique against each valid username to find at least one matching password, thus gaining access to the network.

A better approach is to require that both the username and password be submitted before indicating whether the logon is successful, NTA says. If either is incorrect, only a generic error message should be sent, so the intruder doesn't know which is erroneous.
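The following is an added example, not code from the article, NTA or Check Point, that makes the cost difference between the two designs concrete. It models only the content of the gateway's replies, not the per-connection state an IKE gateway would have to keep. The account database and the attacker's username and password lists are constructed for the demo; the two gateway functions are toy models of the behaviour NTA describes and the behaviour it recommends.

```python
"""Added example: username-enumeration oracle vs. combined credential check.
Both gateways are toy models, not Check Point code."""
import hmac

# Constructed account database for the demo (not from the article).
USERS = {"alice": "s3cret", "bob": "hunter2", "carol": "winter2001"}

# Constructed attacker dictionaries.
GUESS_USERS = ["admin", "alice", "root", "bob", "guest", "dave"]
GUESS_PASSWORDS = ["password", "123456", "hunter2", "s3cret", "letmein"]

# Dummy secret so the combined check runs a comparison even for unknown users.
_DUMMY = "no-such-user-dummy-secret"


def leaky_gateway(username, password=None):
    """Model of the behaviour NTA describes: the reply to the username alone
    already says whether the account exists; the password is checked later."""
    if username not in USERS:
        return "UNKNOWN_USER"          # distinguishable reply: enumeration oracle
    if password is None:
        return "USER_OK"               # username accepted, password still pending
    ok = hmac.compare_digest(USERS[username].encode(), password.encode())
    return "AUTH_OK" if ok else "BAD_PASSWORD"


def generic_gateway(username, password):
    """Model of the approach NTA recommends: both credentials are required and
    every failure yields the same generic answer."""
    stored = USERS.get(username, _DUMMY)   # dummy keeps the work uniform for unknown users
    ok = hmac.compare_digest(stored.encode(), password.encode())
    return "AUTH_OK" if ok and username in USERS else "AUTH_FAILED"


def attack_leaky(usernames, passwords):
    """Stage 1: enumerate valid usernames.  Stage 2: guess passwords only for
    the accounts that exist.  Returns (credentials found, total attempts)."""
    attempts, found, valid = 0, {}, []
    for user in usernames:
        attempts += 1
        if leaky_gateway(user) == "USER_OK":
            valid.append(user)
    for user in valid:
        for pw in passwords:
            attempts += 1
            if leaky_gateway(user, pw) == "AUTH_OK":
                found[user] = pw
                break
    return found, attempts


def attack_generic(usernames, passwords):
    """No oracle: every (username, password) pair must be tried until a hit."""
    attempts, found = 0, {}
    for user in usernames:
        for pw in passwords:
            attempts += 1
            if generic_gateway(user, pw) == "AUTH_OK":
                found[user] = pw
                break
    return found, attempts


if __name__ == "__main__":
    for name, attack in (("leaky", attack_leaky), ("generic", attack_generic)):
        creds, n = attack(GUESS_USERS, GUESS_PASSWORDS)
        print(f"{name:8s} gateway: {n:3d} attempts, recovered {creds}")
```

Against the leaky model the attacker pays one probe per candidate username plus a password run only for the accounts that turned out to exist; against the generic model every username in the list costs a full pass over the password list, since a failure never says which half was wrong. With the constructed lists the same two accounts fall in 13 attempts versus 27, and the gap grows with the size of the dictionaries.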

Scott Register, product manager for FireWall-1 at Check Point, says such a scheme would open up the VPN to denial of service (DoS) attacks because the gateway would be forced to maintain state for each potential log-in until it is either allowed or denied.

"Someone could send a million packets with different usernames and source IP addresses and the gateway would run out of memory," Register says. "In just a few seconds, you could bring the gateway down."

Register also notes that the vulnerability NTA describes applies only when VPN-1/FireWall-1 is configured to support SecuRemote/SecureClient connections using IKE Aggressive Mode. Because Aggressive Mode has many well-known vulnerabilities -- including the one described by NTA -- it is by default not enabled in Check Point Next Generation 4.1 models. Check Point recommends users disable aggressive mode and use either IKE main mode or Check Point's Hybrid Mode extension, which supports multiple authentication options.

While NTA's note made no mention of aggressive mode in connection with the password-guessing flaw, it did say valid VPN usernames could be sniffed if shared secret authentication is used with IKE aggressive mode. In that case, the username is passed in the first packet, which is sent in the clear because key exchange has not yet been completed and thus no encryption is possible. Once a valid username has been captured this way, the intruder proceeds as in the password-guessing case, with a dictionary attack against that account.
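To show what "passed in the clear" means on the wire, here is an added example, not code from NTA or Check Point, that builds a constructed ISAKMP Aggressive Mode first message and pulls the identity payload out of it the way a passive sniffer would. The packet layout (28-byte ISAKMP header, generic payload headers, ID payload fields) follows RFC 2408/2409; the SA payload carries only its DOI and situation fields, and random bytes stand in for the Diffie-Hellman value, the nonce and the Main Mode ciphertext, so nothing here is a negotiable proposal. The usernames are made up. The Main Mode message is included for contrast: there the identity is sent only after keys exist, with the encryption flag set, so the same parser finds nothing.

```python
"""Added example: the IKE Aggressive Mode identity is readable off the wire."""
import os
import struct

# ISAKMP header (RFC 2408): I-cookie, R-cookie, next payload, version,
# exchange type, flags, message ID, total length = 28 bytes.
HDR = struct.Struct("!8s8sBBBBII")
GEN_HDR = struct.Struct("!BBH")       # generic payload header: next, reserved, length
ISAKMP_VERSION = 0x10
FLAG_ENCRYPTION = 0x01

EXCH_MAIN, EXCH_AGGRESSIVE = 2, 4
PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_ID, PAYLOAD_NONCE = 1, 4, 5, 10
ID_USER_FQDN = 3
ID_TYPE_NAMES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN",
                 9: "ID_DER_ASN1_DN", 11: "ID_KEY_ID"}


def _payload(next_payload, body):
    """Generic payload: the 'next' field names the type of the payload that follows."""
    return GEN_HDR.pack(next_payload, 0, GEN_HDR.size + len(body)) + body


def _id_body(id_type, ident, protocol=17, port=500):
    """ID payload body: ID type, protocol ID, port, then identification data."""
    return struct.pack("!BBH", id_type, protocol, port) + ident


def build_aggressive_msg1(ident, id_type=ID_USER_FQDN):
    """Constructed HDR, SA, KE, Ni, IDii (RFC 2409 Aggressive Mode, message 1).
    Constructed for the demo: SA holds only DOI/situation, KE and Ni are random."""
    sa_body = struct.pack("!II", 1, 1)                    # DOI=IPSEC, SIT_IDENTITY_ONLY
    chain = (_payload(PAYLOAD_KE, sa_body)                 # SA, followed by KE
             + _payload(PAYLOAD_NONCE, os.urandom(128))    # KE (DH stand-in), followed by Ni
             + _payload(PAYLOAD_ID, os.urandom(16))        # Ni, followed by IDii
             + _payload(0, _id_body(id_type, ident)))      # IDii, last payload
    hdr = HDR.pack(os.urandom(8), bytes(8), PAYLOAD_SA, ISAKMP_VERSION,
                   EXCH_AGGRESSIVE, 0, 0, HDR.size + len(chain))
    return hdr + chain


def build_main_mode_id_msg(ident, id_type=ID_USER_FQDN):
    """Constructed Main Mode message 5 (HDR*, IDii, HASH_I): the identity is sent
    only after the key exchange, so the E flag is set and the payloads are
    ciphertext.  Random bytes stand in for that ciphertext; 'ident' never appears."""
    body = os.urandom(64)
    hdr = HDR.pack(os.urandom(8), os.urandom(8), PAYLOAD_ID, ISAKMP_VERSION,
                   EXCH_MAIN, FLAG_ENCRYPTION, 0, HDR.size + len(body))
    return hdr + body


def extract_cleartext_id(packet):
    """Walk the payload chain of a captured ISAKMP message and return the identity
    if, and only if, it is readable.  None when encrypted or absent."""
    if len(packet) < HDR.size:
        raise ValueError("short ISAKMP header")
    _, _, next_p, _, exch, flags, _, length = HDR.unpack_from(packet, 0)
    if length != len(packet):
        raise ValueError("length field does not match packet")
    if flags & FLAG_ENCRYPTION:
        return None                       # payloads are ciphertext; nothing to sniff
    offset = HDR.size
    while next_p != 0:
        if offset + GEN_HDR.size > len(packet):
            raise ValueError("truncated payload header")
        following, _, plen = GEN_HDR.unpack_from(packet, offset)
        if plen < GEN_HDR.size or offset + plen > len(packet):
            raise ValueError("bad payload length")
        body = packet[offset + GEN_HDR.size: offset + plen]
        if next_p == PAYLOAD_ID and len(body) >= 4:
            id_type = body[0]
            return {"exchange": exch,
                    "id_type": ID_TYPE_NAMES.get(id_type, f"unknown({id_type})"),
                    "identity": body[4:]}
        next_p, offset = following, offset + plen
    return None


if __name__ == "__main__":
    print(extract_cleartext_id(build_aggressive_msg1(b"alice@example.com")))
    print(extract_cleartext_id(build_main_mode_id_msg(b"alice@example.com")))
```

Run against a real capture, the same walk over UDP/500 payloads would recover every SecuRemote username sent in aggressive mode, which is the "inherent" problem NTA refers to: the responder cannot encrypt a message whose purpose is to start the key exchange. The length checks matter because a sniffer parses hostile input; a bad payload length must stop the walk rather than run off the end of the buffer.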

"This ID sniffing issue is to some extent inherent in IKE aggressive mode because the ID must be passed in the clear," NTA notes, suggesting the vulnerability extends well beyond Check Point products. Indeed, Register says the issue applies to IKE in general, not just Check Point specifically.

NTA's bulletin on the Check Point issues can be found at: http://www.nta-monitor.co.uk/news/checkpoint.htm. NTA notes that it alerted the CERT Coordination Center of its findings before going public with them. As of press time, CERT/CC did not have any information about the flaws on its Web sites.