Overwiew: With FireWall-1 Version 4.0 Checkpoint introduced support for the Lightweight Directory Access Protocol (LDAP) for user authentication. It looks like there's a bug in Checkpoint's ldap code which under certain circumstances can lead to unauthorized access to protected systems behind the firewall. Technical background: A user can authenticate himself at the firewall providing a valid username and password. The firewall acts as a ldap client, validating the credentials by a directory server using the ldap protocol. After successful authentication access will be granted to systems protected by the firewall. In contrast to authentication using the Radius or SecurID protocol, after successful authentication the directory server can supply the firewall with additional ldap attributes for the user like the time and day of a week a user is allowed to login, the source addresses a user can run a client from, or the system behind the firewall a user is allowed to access. This can be done individual for each user. In general I think that's a great idea but it seems Checkpoint made something wrong interpreting the ldap attribute 'fw1allowed-dst' which is supposed to control in detail which protected network object a user can access. It seems this attribute is ignored by the firewall software, granting access to all protected network objects instead. Example: ------ Server 'Foo' | Internet --- FW-1 ---| | ------ Server 'Bar' Supposed there's a user 'Sid' with access only to Server 'Foo', and a second user 'Nancy' with access restricted to Server 'Bar', both controlled by the ldap protocol, using the ldap attribute 'fw1allowed-dst'. The bug will cause that both, Sid and Nancy, will have access to Foo and to Bar. Conclusion: I don't consider it as major bug, but it's serious enough that one can't rely on access control enforced through ldap. I've reported this problem through Checkpoint's support channels two weeks ago, but so far there's no response at all. Attached is the original bug report I've sent to technical support. Olaf -- Olaf Selke, olaf.selke@mediaways.net, voice +49 5241 80-7069 =============================== snip =============================== firewall: Solaris 2.6, V4.0 SP4 [VPN + DES + STRONG] management machine: Solaris 2.6, V4.0 SP4 [VPN + DES + STRONG] Directory Server: Solaris 7, Netscape-Directory/4.0 B98.349.0339 Today we found that FW-1 seems to ignore the ldap attribute 'fw1allowed-dst' completely, granting access to 'any' instead. If that's really the case, it could lead to a breach of security. We successfully coupled a FW-1 V4.0 SP4 with a Netscape Directory Server according CP's documentation. Surprisingly this went very smoothly ;-) In a second step we checked if the FW software really cares about the ldap attributes controlling access in detail, using a client authentication rule for this purpose. It looks like the attributes 'fw1hour-range-from', 'fw1hour-range-to', and 'fw1allowed-src' are interpreted as expected by the firewall, so I think we didn't made some mistake in general. However, from our point of view, in any case the ldap attribute 'fw1allowed-dst' is ignored and silently substituted by 'any'. This means a user with restricted access through ldap attributes has full access after successful authentication.