I got a call today at work.
One of our VPN users was having trouble getting in. It turns out his password was set wrong, but how had he been getting in prior to that?
He said that it hadn't been prompting him for a username/password.
Hmm - that's weird.
I looked to see who was in the authentication table. He wasn't there, but he was on our network.
(BTW, I'm posting this from home, so don't think this security vulnerability exists from where I'm posting)
What the authentication table did show was that there was a completely different user coming in from 192.168.1.100, which also happened to be his private IP on his home network.
I checked the logs, and that user was definitely different - different public IP address showed during his authentication.
But since they had the same private IP, he was able to just come on in without any authentication at all.
It's small consolation, but users still have to have our VPN policy loaded on their PC - they just don't have to use their password to get in. Although any persistent hacker could probably hit upon the right combination of encryption strategies through trial and error, and if a legit user was already logged in with that private IP - they're in.
(Of course, they'd still have to hack the password on our servers to be able to do anything).
NetScreen support, as usual, were grossly incompetent. The guy simply refused to listen to what I was telling him.
He insisted on me sending him the client policy file and wouldn't believe me when I told him that all that was different between the policy files of the 2 users was their identity.
I told him if ANYTHING else were different, it wouldn't work, but he still insisted I send him copies of both of their policy files.
So, I sent him 2 copies of the same file with just the identity changed.
He tried it and said, "I get an authentication prompt, it's working fine".
I told him, first of all, you're not coming from a private IP address and, secondly, there's not already a user authenticated on the system with the same private IP.
He still wasn't getting it.
I had to call up both users (interrupting one of them during dinner) and had them replicate the security flaw before he understood the problem (or at least he pretended to understand).
I'm still waiting for a solution.
I've complained about the incompetence of their Tier 1 support in the past, and all it gets me is an annoying phone call from their incompetent support specialist offering a forced apology.
If their goal is to force people to RTFM before calling, it's misguided. I do RTFM, FWIW, which very often isn't much in many cases, and when I do call, I have a very specific question, which I expect them to be able to answer.
Mgmt is already leaning towards replacing all the NetScreens with Cisco equipment and this will probably be the final nail in the coffin for them.
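To make the flaw described above concrete, here is an added example (not the author's code and not anything from NetScreen): a toy authentication-table lookup keyed the way the post describes (private IP only) beside one keyed on (public IP, private IP), which is an assumed hardening, plus a scan over constructed log lines that flags a tunnel coming up on a private IP already bound to an authenticated session from a different public IP. The log format and field names are invented for the example.

```python
import re

# Minimal model of the lookup the post describes: the gateway decides whether to
# prompt for credentials by checking its authentication table. Keying that table
# on the tunnel's inner (private) IP alone lets a second peer with the same home
# subnet address ride an existing session; keying on (public IP, private IP)
# forces the new peer to authenticate. (Assumed design, not vendor behaviour.)
class AuthTable:
    def __init__(self, key_on_public_ip):
        self.key_on_public_ip = key_on_public_ip
        self.sessions = {}

    def _key(self, pub, priv):
        return (pub, priv) if self.key_on_public_ip else priv

    def record_auth(self, user, pub, priv):
        self.sessions[self._key(pub, priv)] = user

    def needs_auth(self, pub, priv):
        return self._key(pub, priv) not in self.sessions

# Constructed log lines (not from the post or from any real device).
LOG = """\
18:02:11 event=auth_ok user=alice pub=203.0.113.5 priv=192.168.1.100
18:02:12 event=tunnel_up pub=203.0.113.5 priv=192.168.1.100
18:41:03 event=tunnel_up pub=198.51.100.7 priv=192.168.1.100
18:55:40 event=auth_ok user=bob pub=198.51.100.9 priv=192.168.2.20
18:55:41 event=tunnel_up pub=198.51.100.9 priv=192.168.2.20
""".splitlines()

KV = re.compile(r"(\w+)=(\S+)")

def find_piggyback(lines):
    """Flag every tunnel_up whose private IP is already bound to an authenticated
    session from a different public IP: the condition that let the second user in."""
    bound = {}  # priv -> (user, pub)
    alerts = []
    for line in lines:
        rec = dict(KV.findall(line))
        if rec.get("event") == "auth_ok":
            bound[rec["priv"]] = (rec["user"], rec["pub"])
        elif rec.get("event") == "tunnel_up":
            entry = bound.get(rec["priv"])
            if entry and entry[1] != rec["pub"]:
                alerts.append({"priv": rec["priv"], "authed_user": entry[0],
                               "authed_pub": entry[1], "new_pub": rec["pub"]})
    return alerts

if __name__ == "__main__":
    for alert in find_piggyback(LOG):
        print(alert)
```

Running it reports the single 18:41:03 tunnel as riding alice's session; the same check can be run over the gateway's own session table as an interim control while waiting on the vendor.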