-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title: Juniper Networks NetScreen Advisory 5212
Date: 22 August 2005
Version: 1.0

Impact: Juniper Networks IPSec IKE VPN Username Enumeration Vulnerability

Affected Products: All Juniper Networks products implementing IKE aggressive mode

Unaffected Products: All other Juniper Networks products including IVE SSL-VPN platforms

Risk: Low

Summary:
Remote attackers could determine valid VPN usernames when a VPN endpoint is configured to accept IKE Aggressive Mode authentication.

Details:
Aggressive Mode IKE authentication is insecure by design. When configured in this mode, user identification is not concealed and passes unencrypted on the wire. In addition to this shortcoming, Aggressive Mode does not generate a server reply for invalid users, thus allowing user enumeration. This vulnerability is inherent to the way in which the industry standard IPSec IKE version 1 protocol functions.

Recommended Actions:
Customers have a number of choices to address the issue:

Option 1: Enforce secure practices with regard to VPN parameter selection, and specifically the following:

  a. Username identity: Do not use easily guessable usernames that could facilitate dictionary attacks, i.e. "ad879s8dv9sdu9a87s" is more secure than "jdoh".

  b. Preshared key: Do not use easily guessable passwords that could facilitate dictionary attacks, i.e. "sd5563#3.4553skrDqw" is more secure than "john".

  c. Proxy ID: The destination network address should be as specific as possible.

Option 2: Use "Main Mode" with Certificates issued by a Certificate Authority, rather than "Aggressive Mode" with Pre-shared Keys. Note that while this mode is more secure, it does require additional planning and resources to implement. The following resources can be referenced when configuring Main Mode Certificate based VPN tunnels.

  a. A step-by-step list of instructions can be found at:
     http://5xt.support.netscreen.safeharbor.com/knowbase/root/public/ns6228.htm

  b. Additional documentation can be found at:
     http://www.juniper.net/techpubs/software/screenos/screenos5x/ce_v5_5_0.pdf
     Refer to page 16 in the above document.

If you wish to verify the validity of this Security Advisory, the public PGP key can be accessed at:
http://www.juniper.net/support/security/

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.2 (Build 2424)

iQA/AwUBQwpnbHyFA3AaRDDcEQI/IACghgsO+G92EanZoNwpTAM+5jR59A0AoI2l
WdoLFv+cLHIjCx43JRlUud4g
=uzTH
-----END PGP SIGNATURE-----
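
Added example, not part of the Juniper advisory: a monitoring sketch for the two points under Details, showing that the identity in an IKEv1 Aggressive Mode message is readable on the wire and flagging a source that offers many different identities. The field layout follows RFC 2408 and RFC 2407; the function names, the threshold of 3 distinct identities, and the sample datagrams are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

AGGRESSIVE = 4   # ISAKMP exchange type for Aggressive Mode (RFC 2408)
PAYLOAD_ID = 5   # ISAKMP Identification payload type (RFC 2408)

def aggressive_mode_id(datagram):
    """Return the cleartext identity in an IKEv1 Aggressive Mode message, else None."""
    if len(datagram) < 28:                       # shorter than an ISAKMP header
        return None
    next_payload, _ver, exchange, flags = struct.unpack_from("!BBBB", datagram, 16)
    if exchange != AGGRESSIVE or flags & 0x01:   # other mode, or encryption bit set
        return None
    offset = 28
    while next_payload and offset + 4 <= len(datagram):
        following, _reserved, length = struct.unpack_from("!BBH", datagram, offset)
        if length < 4 or offset + length > len(datagram):
            return None                          # malformed payload chain
        if next_payload == PAYLOAD_ID:
            # Body: ID type (1), protocol (1), port (2), then the identity (RFC 2407)
            return datagram[offset + 8:offset + length].decode("ascii", "replace")
        next_payload, offset = following, offset + length
    return None

def enumeration_suspects(packets, threshold=3):
    """Map each source that offered >= threshold distinct identities to those identities."""
    seen = defaultdict(set)
    for src, payload in packets:
        ident = aggressive_mode_id(payload)
        if ident is not None:
            seen[src].add(ident)
    return {src: sorted(ids) for src, ids in seen.items() if len(ids) >= threshold}

def _sample(exchange, ident):
    """Constructed datagram: ISAKMP header, stub SA payload, ID payload (KE/nonce omitted)."""
    sa = struct.pack("!BBH", PAYLOAD_ID, 0, 8) + b"\0" * 4
    body = ident.encode()
    idp = struct.pack("!BBHBBH", 0, 0, 8 + len(body), 3, 17, 500) + body
    hdr = b"\x11" * 8 + b"\0" * 8 + struct.pack(
        "!BBBBII", 1, 0x10, exchange, 0, 0, 28 + len(sa) + len(idp))
    return hdr + sa + idp

# Constructed traffic: one client reconnecting, one source cycling through identities.
SAMPLE = [("192.0.2.10", _sample(AGGRESSIVE, "jdoh"))] * 2 + [
    ("198.51.100.7", _sample(AGGRESSIVE, name)) for name in ("admin", "guest", "vpnuser")
]

if __name__ == "__main__":
    for src, ids in enumeration_suspects(SAMPLE).items():
        print(f"{src}: {len(ids)} distinct aggressive-mode identities: {ids}")
```

In practice the (source, payload) pairs would come from a capture of UDP port 500 traffic at the VPN endpoint, and the threshold would be tuned to the number of users that legitimately share one source address.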