Siemens Version: 1.2 User Manual
3. Security Analysis
3.2.1 Configuration Files
The configuration tool transfers the configuration data over SSL, so an eavesdropper on
the connection cannot recover the data. The analysis of the configuration files therefore
only yields information about the default settings of the firewall. The rules defined in
the configuration file reveal no flaws; the files are well documented and show no
logical mistakes.
3.2.2 Bridge
The security module provides bridge functionality in order to ease installation and
configuration. By default the bridge is in learning mode, in which it detects the other
network components by observing their traffic, much as a switch learns MAC addresses
(ARP traffic being one source). Learning mode can be switched off and the MAC addresses
set manually, but only in advanced mode.
It is possible to impersonate a protected node from outside the protected internal
network with ARP spoofing in order to make the security module send unencrypted data.
However, this attack only works if the firewall allows unprotected IP communication
between the internal and external network, which is not the default setting.
Although the bridge's learning mode eases the configuration of the VPN, this function is
also the module's largest weakness. Using ARP spoofing, an attacker on the local network
can impersonate a protected node so that the security module sends unencrypted packets
to the unprotected network, or can mount a man-in-the-middle attack. This is a weakness
of learning bridges in principle rather than a specific weak point of the security
module, in particular since the default settings prevent this attack.
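As an added illustration (not code from this report or from the security module), the following Python model of a two-port learning bridge with a VPN tunnel and a firewall policy reproduces the three outcomes described above: in learning mode an attacker's gratuitous ARP on the external port re-points a protected node's MAC to the external port, so the module would forward that node's traffic unencrypted if plain IP across the bridge is allowed; under the default policy the frame is dropped instead; and with learning mode off and static entries (advanced mode) the spoof has no effect. The `SecurityBridge` class, its forwarding rules and all MAC and IP addresses are assumptions made for the model.

```python
"""Model of a learning bridge in front of a VPN, used to show the ARP-spoofing
weakness of learning mode and why static MAC entries and the default firewall
policy defeat it. Illustrative model only, not the security module's code."""
from dataclasses import dataclass, field

INTERNAL, EXTERNAL = "internal", "external"   # the bridge's two ports
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample addresses (assumptions, not taken from the report)
PLC = "00:1b:1b:00:00:01"        # protected node behind the internal port
HMI = "00:1b:1b:00:00:02"        # second protected node
PLC_IP = "192.168.1.10"
REMOTE_IP = "192.168.2.10"       # node reached through the VPN tunnel


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    dst_ip: str
    port_in: str                 # port on which the bridge received the frame


@dataclass
class SecurityBridge:
    protected_macs: frozenset    # nodes that belong on the internal port
    vpn_remote_ips: frozenset    # destinations reached through the tunnel
    learning: bool = True        # default mode: learn MAC -> port from traffic
    allow_plain_ip: bool = False # firewall: plain IP across the bridge (off by default)
    table: dict = field(default_factory=dict)   # MAC -> port

    def __post_init__(self):
        if not self.learning:
            # advanced mode: protected MACs are pinned to the internal port and
            # never relearned from traffic
            self.table = {mac: INTERNAL for mac in self.protected_macs}

    def handle(self, frame: Frame) -> str:
        """Forward one frame; returns how it was treated."""
        if self.learning:
            # learning mode trusts the source MAC of every frame on every port
            self.table[frame.src_mac] = frame.port_in
        if frame.dst_mac == BROADCAST:
            return "broadcast"   # ARP itself; only its learning side effect matters here
        other = EXTERNAL if frame.port_in == INTERNAL else INTERNAL
        port_out = self.table.get(frame.dst_mac, other)  # unknown unicast: flood to other port
        if port_out == frame.port_in:
            return "local"       # stays on its own segment; no firewall or VPN involved
        if frame.dst_ip in self.vpn_remote_ips:
            return "encrypted"   # crosses the bridge inside the VPN tunnel
        # plain IP crossing between internal and external: the firewall decides
        return "plain" if self.allow_plain_ip else "dropped"


def hmi_to_plc_after_spoof(learning: bool, allow_plain_ip: bool) -> str:
    """Attacker on the external segment claims the PLC's MAC; where does HMI->PLC go?"""
    bridge = SecurityBridge(frozenset({PLC, HMI}), frozenset({REMOTE_IP}),
                            learning=learning, allow_plain_ip=allow_plain_ip)
    # 1. protected nodes announce themselves (gratuitous ARP) on the internal port
    bridge.handle(Frame(PLC, BROADCAST, "", INTERNAL))
    bridge.handle(Frame(HMI, BROADCAST, "", INTERNAL))
    # 2. attacker sends a gratuitous ARP on the external port with the PLC's MAC as source
    bridge.handle(Frame(PLC, BROADCAST, "", EXTERNAL))
    # 3. HMI sends ordinary (non-VPN) traffic to the PLC
    return bridge.handle(Frame(HMI, PLC, PLC_IP, INTERNAL))


def hmi_to_remote_network() -> str:
    """Sanity check: traffic for the remote VPN network is still tunnelled in default mode."""
    bridge = SecurityBridge(frozenset({PLC, HMI}), frozenset({REMOTE_IP}))
    bridge.handle(Frame(HMI, BROADCAST, "", INTERNAL))
    return bridge.handle(Frame(HMI, "00:1b:1b:00:00:99", REMOTE_IP, INTERNAL))


if __name__ == "__main__":
    for learning, plain in [(True, False), (True, True), (False, True)]:
        print(f"learning={learning!s:5} allow_plain_ip={plain!s:5} -> "
              f"{hmi_to_plc_after_spoof(learning, plain)}")
    print("HMI -> remote VPN network ->", hmi_to_remote_network())
```

Note that under the default policy the poisoned entry still makes the model drop legitimate HMI-to-PLC frames: the firewall prevents the leak of unencrypted data, not the table poisoning itself. Only the static table of advanced mode keeps the protected nodes' traffic on the internal segment regardless of what arrives on the external port.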
19-Aug-05 escrypt GmbH, page 16