Re: SMTP service on Cisco VPN Concentrator

From: Rony Romero (romerorony@cantv.net)
Date: Thu Mar 30 2006 - 16:38:05 EST


Hi Rick, I hope that this can help you.
Best regards,
Rony

WebVPN | E-Mail Proxy
This screen lets you configure e-mail proxies for WebVPN. They include
IMAP4S, POP3S, and SMTPS. WebVPN e-mail proxy has requirements in addition
to the configuration parameters on this screen. These include:

  a.. Users who access e-mail from both local and remote locations via
e-mail proxy require separate e-mail accounts on their e-mail program for
local and remote access.

  b.. When users attempt an e-mail session via e-mail proxy, the e-mail
client establishes a tunnel using the SSL protocol, and then requires that
the user authenticate.

Screen Elements
  a.. VPN Name Delimiter -- Use the drop-down menu to select a delimiter
that separates the VPN username from the e-mail username. Users need both
usernames when using Concentrator authentication for e-mail proxy and the
VPN username and e-mail username are different. Users enter both usernames,
separated by the delimiter you configure here, and also the e-mail server
name, when they log in to an e-mail proxy session.

  Note Passwords for WebVPN e-mail proxy users cannot contain characters
that are used as delimiters.

  b.. Server Delimiter -- Use the drop-down menu to select a delimiter that
separates the username from the name of the e-mail server. It must be
different from the VPN Name Delimiter. Users enter both their username and
server in the username field when they log in to an e-mail proxy session.

  For example, using : as the VPN Name Delimiter and @ as the Server
Delimiter, when logging in to an e-mail program via e-mail proxy, the user
would enter their username in the format vpn_name:e-mail_name@server.

  c.. E-Mail Protocol -- WebVPN supports three e-mail proxies: POP3S and
IMAP4S for receiving e-mail, and SMTPS for sending e-mail.

  Note To use these e-mail proxies, you must also allow these session
types on the appropriate VPN Concentrator interface (Configuration |
Interfaces | Ethernet | WebVPN Tab).

    a.. POP3S -- POP3S is one of the e-mail proxies WebVPN supports. By
default the VPN Concentrator listens to port 995, and connections are
automatically allowed to port 995 or to the configured port. The POP3 proxy
allows only SSL connections on that port. After the SSL tunnel establishes,
the POP3 protocol starts, and then authentication occurs.

    b.. IMAP4S -- IMAP4S is one of the e-mail proxies WebVPN supports. By
default the VPN Concentrator listens to port 993, and connections are
automatically allowed to port 993 or to the configured port. The IMAP4 proxy
allows only SSL connections on that port. After the SSL tunnel establishes,
the IMAP4 protocol starts, and then authentication occurs.

    c.. SMTPS -- SMTPS is one of the e-mail proxies WebVPN supports. By
default the VPN Concentrator listens to port 988, and connections are
automatically allowed to port 988 or to the configured port. The SMTPS proxy
allows only SSL connections on that port. After the SSL tunnel establishes,
the SMTPS protocol starts, and then authentication occurs.

    SMTPS is the only one of these e-mail proxies that lets you send e-mail.

  d.. VPN Concentrator Port -- Identifies the port on the VPN Concentrator
that each e-mail proxy uses. You can change the port for any or all of the
e-mail proxies. Be aware that the remote PC in a WebVPN connection may be
using different ports for e-mail proxy traffic than the ports you configure
for the VPN Concentrator.

  e.. Default E-Mail Server -- Enter the name or IP address of the default
server for the e-mail proxy you are configuring.

  f.. Authentication Required -- Each e-mail proxy has several different
methods that you can use to authenticate users. You can require them either
singly or in combination, but you must configure at least one authentication
method for an e-mail protocol.

  g.. E-Mail Server -- Mail server authentication requires only the user's
e-mail username, server and password. IMAP4S and POP3S both require mail
server authentication; you cannot uncheck these boxes.

  h.. Concentrator -- Concentrator authentication authenticates the e-mail
session by using its configured authentication servers. The user presents a
username, server and password. Users must present both the VPN username and
the e-mail username, separated by the VPN Name Delimiter, only if the
usernames are different from each other.

  i.. Piggyback HTTPS -- This authentication scheme requires a user to have
already established a WebVPN session. The user presents an e-mail username
only. No password is required. Users must present both the VPN username and
the e-mail username, separated by the VPN Name Delimiter, only if the
usernames are different from each other.

  SMTPS e-mail most often uses piggyback authentication because most SMTP
servers do not allow users to log in.

  See Piggyback HTTPS and IMAP Sessions below.

  j.. Certificate -- Certificate authentication requires that users have a
certificate that the VPN Concentrator can validate during SSL negotiation.
You can use certificate authentication as the only method of authentication
for SMTPS proxy. Other e-mail proxies require two authentication methods.

  Certificate authentication requires three certificates, all from the same
CA:

    a.. A CA certificate on the VPN Concentrator

    b.. A CA certificate on the client PC

    c.. A Web Browser certificate on the client PC, sometimes called a
Personal certificate or a Web Browser certificate.

  E-mail proxy with certificate authentication does not work with Internet
Explorer (IE). It does work with Netscape (Cisco tested using version 7.1),
and with Mozilla (Cisco tested using version 1.2.1).

  See How to Request and Install Certificates below.

  k.. Apply -- Click to apply your E-mail settings, and to include your
settings in the active configuration. The Manager returns to the
Configuration | Tunneling and Security | WebVPN screen.

  l.. Cancel -- Click to discard your settings. The Manager returns to the
Configuration | Tunneling and Security | WebVPN screen.

Piggyback HTTPS and IMAP Sessions
IMAP generates a number of sessions that are not limited by the simultaneous
user count but do count against the number of simultaneous logins allowed
for a username. If the number of IMAP sessions exceeds this maximum and the
WebVPN connection expires, a user cannot subsequently establish a new
connection.

There are several solutions:

  a.. The user can close the IMAP application to clear the sessions with the
VPN Concentrator, and then establish a new WebVPN connection.

  b.. The administrator can increase the simultaneous logins for IMAP users
(Configuration | User Management | Base Group/Groups/Users | General Tab).

  c.. Disable HTTPS/Piggyback authentication for e-mail proxy.

How to Request and Install Certificates
The following steps show you how to request and install certificates. For
complete instructions on enrolling and installing CA certificates, see the
Certificate Management chapter in Volume II: Administration and Monitoring.

  1.. If the VPN Concentrator does not already have a CA certificate
installed, install a CA certificate.

  a.. The CA must be the same one that you are using to issue the CA and Web
Browser certificates on the client PC.

    a.. The certificate must be base-64 encoded.

    b.. Use a Netscape or Mozilla browser to install the CA certificate. If
you use IE, the certificate downloads to the IE Crypto Application Program
Interface (CAPI); it must be in the CAPI for the browser you are actually
using.

  1.. Open the certificate using the Netscape or Mozilla Certificate Manager
before importing it onto the VPN Concentrator.

  2.. In the Downloading Certificates screen, make sure that the CA is
trusted to identify websites and e-mail users (trusting software developers
is optional). Alternatively, when the CA certificate has been loaded onto
the concentrator, check the details of the certificate to ensure these
trusted attributes are enabled.

  3.. On the client PC, use a Netscape or Mozilla browser to request a CA
certificate from the same certificate authority.

  4.. On the client PC, request a Personal or Web Browser certificate from
the same certificate authority. Complete the fields on the request form as
follows:

    a.. The certificate request must be for a Web Browser or Personal
Certificate, not an E-mail Protection Certificate.

    E-mail protection certificates are not for SSL connections; they are for
encrypting and sending e-mail. Web Browser certificates protect the e-mail
session over SSL.

    b.. Name = account name, for example, JohnDoe.

    c.. E-Mail = e-mail address being authenticated, for example,
JohnDoe@myMail.com.

    d.. Key strength Cisco tested = 1024; any of the choices should work.

    e.. Password is optional, and applies only to the certificate for export
purposes.

  5.. When the certificate is generated, choose Install Certificate. In some
cases, the CA installs it automatically.

  6.. To verify that the certificate is installed, use the Netscape
Certificate Management application. The path is Edit > Preferences > Privacy
and Security > Certificates > Manage Certificates > Your Certificates.

  7.. On the Configuration | Tunneling and Security | WebVPN | E-Mail Proxy
screen, for Authentication Required, select E-Mail Server and Certificate.

----- Original Message -----
From: "Rick Zhong" <sagiko@gmail.com>
To: <pen-test@securityfocus.com>
Sent: Thursday, March 30, 2006 4:01 AM
Subject: SMTP service on Cisco VPN Concentrator

> Hi,
> I was carrying out a pen-test on a Cisco VPN Concentrator (3000),
> nessus 3.0 scan discovered a number of mail-related ports such as SMTP
> at 988, imaps at 993 and https at 443. I try to telnet to the port
> 988 to verify but cannot get anything even a banner.
>
> Initially I considered this as false positive, but after some search
> on Google, it seems Cisco VPN Concentrator does have some smtp proxy at
> port 988 and imaps services. I cannot find any other traces of these
> smtp ports besides the nessus report.
>
> Is there anyone who has more information on these smtp proxy services on
> Cisco VPN concentrator (3000)? Any known security issues with these
> services on? Thanks.
>
> regards,
> Rick Zhong
>
> www.sinfosec.org
> www.security.org.sg
>
> ------------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Concerned about Web Application Security?
> As attacks through web applications continue to rise, you need to
> proactively
> protect your applications from hackers. Cenzic has the most comprehensive
> solutions to meet your application security penetration testing and
> vulnerability management needs. You have an option to go with a managed
> service (Cenzic ClickToSecure) or an enterprise software (Cenzic
> Hailstorm).
> Download FREE whitepaper on how a managed service can help you:
> http://www.cenzic.com/forms/ec.php?pubid=10025
> And, now for a limited time we can do a FREE audit for you to confirm your
> results from other product. Contact us at request@cenzic.com
> ------------------------------------------------------------------------------
>
>
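
The login format described in the Screen Elements section above (vpn_name:e-mail_name@server), as an added example that is not part of the original post or of Cisco's software. The function and class names are hypothetical, and two behaviours are assumptions the quoted text does not state: the server name is taken after the last Server Delimiter, and the Default E-Mail Server is used when the login names no server.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProxyLogin:
    vpn_name: str
    email_name: str
    server: str


def parse_login(login: str, password: str, vpn_delim: str = ":",
                server_delim: str = "@",
                default_server: Optional[str] = None) -> ProxyLogin:
    """Split vpn_name<vpn_delim>e-mail_name<server_delim>server (hypothetical helper)."""
    # From the page: the Server Delimiter must differ from the VPN Name Delimiter.
    if vpn_delim == server_delim:
        raise ValueError("Server Delimiter must differ from VPN Name Delimiter")
    # From the page: passwords cannot contain characters used as delimiters.
    if vpn_delim in password or server_delim in password:
        raise ValueError("password contains a delimiter character")

    # Assumption: the server name follows the LAST server delimiter.
    user_part, sep, server = login.rpartition(server_delim)
    if not sep:
        # Assumption: with no server in the login, the Default E-Mail Server applies.
        if default_server is None:
            raise ValueError("no server in login and no default server")
        user_part, server = login, default_server

    # From the page: both usernames are entered only when they differ.
    vpn_name, sep, email_name = user_part.partition(vpn_delim)
    if not sep:
        vpn_name = email_name = user_part
    if not (vpn_name and email_name and server):
        raise ValueError("empty username or server field")
    return ProxyLogin(vpn_name, email_name, server)


if __name__ == "__main__":
    # Constructed sample logins, not taken from any real system.
    for sample in ("jdoe:john.doe@mail.example.test", "jdoe@mail.example.test"):
        print(sample, "->", parse_login(sample, "s3cret"))
```
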


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:46 EDT