RE: [fw-wiz] Cisco PIX vulnerable to TCP RST DOS attacks

From: Melson, Paul (PMelson_at_sequoianet.com)
Date: 05/05/04

    To: "Ahmed, Balal" <balal.ahmed@capgemini.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 5 May 2004 08:56:03 -0400

    > -----Original Message-----
    > Cisco have released an advisory [1] hot on the heels of the
    > NISCC TCP RST advisory [2]. Cisco's advice is to upgrade
    > images where a network device is a connection endpoint. Question :-
    >
    > If a PIX, or any other firewall/device for that matter, is
    > performing NAPT/Hide NAT/PAT/NAT then as far as the TCP
    > conversation is concerned is it a connection endpoint or a
    > transit device?

    The answer I received to this question is that, no, the TCP RST attack
    does not affect a PIX performing NAT/PAT functions for hosts with TCP
    services. What it DOES affect is PIX devices that can be reached via
    HTTPS/SSH/Telnet. For well-designed environments, this type of
    connection shouldn't be possible from public networks.

    Of course, I have to wonder whether or not a redirected service that
    uses one of the TCP fixups (like HTTP) would still be affected, since
    they are something along the lines of a proxy. I haven't tested this
    and do not know one way or the other. Anybody from Cisco that's close
    to this issue want to comment?

    PaulM
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
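
The endpoint-versus-transit distinction Paul draws above, as an added example that is not part of the original post or of any Cisco code. The addresses, the shape of the NAT and management-session tables, and the strict RST check (the exact-RCV.NXT rule later standardised in RFC 5961) are assumptions made for illustration.

```python
# Added example (not from the post or from Cisco). For NAT/PAT-translated flows
# the firewall is a transit device and simply forwards the RST; for HTTPS/SSH/
# Telnet sessions terminated on the box, its own TCP stack decides the outcome.
from dataclasses import dataclass

@dataclass
class Endpoint:
    rcv_nxt: int   # next sequence number expected on a firewall-terminated session
    rcv_wnd: int   # advertised receive window

# Constructed state tables, keyed by outside-facing "ip:port" (values are made up).
NAT_TABLE = {"203.0.113.10:40001": "10.0.0.5:40001"}   # PAT: outside -> inside host
MGMT_SESSIONS = {"203.0.113.1:22": Endpoint(rcv_nxt=1_000_000, rcv_wnd=65_535)}

def classify(dst: str) -> str:
    """Role the firewall plays for a segment addressed to dst."""
    if dst in NAT_TABLE:
        return "transit"    # translated and forwarded; firewall TCP stack not involved
    if dst in MGMT_SESSIONS:
        return "endpoint"   # management session: the firewall is the TCP endpoint
    return "drop"           # no matching state: a stateful firewall discards it

def in_window(ep: Endpoint, seq: int) -> bool:
    return ep.rcv_nxt <= seq < ep.rcv_nxt + ep.rcv_wnd

def rst_outcome_loose(ep: Endpoint, seq: int) -> str:
    """Pre-fix RFC 793 behaviour: any in-window RST tears the connection down."""
    return "reset" if in_window(ep, seq) else "ignored"

def rst_outcome_strict(ep: Endpoint, seq: int) -> str:
    """Mitigated behaviour (RFC 5961 s.3.2): only an RST whose sequence number
    equals RCV.NXT is honoured; other in-window RSTs draw a challenge ACK and
    the connection stays up, so a guessed in-window value no longer suffices."""
    if not in_window(ep, seq):
        return "ignored"
    return "reset" if seq == ep.rcv_nxt else "challenge-ack"

def handle_rst(dst: str, seq: int) -> tuple:
    """(role, outcome under loose RST handling, outcome under strict handling)."""
    role = classify(dst)
    if role != "endpoint":
        return (role, None, None)   # transit/drop: no firewall-side TCP state to reset
    ep = MGMT_SESSIONS[dst]
    return (role, rst_outcome_loose(ep, seq), rst_outcome_strict(ep, seq))
```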
