[fw-wiz] CIsco PIX vulnerable to TCP RST DOS attacks
From: Dario Calia (dario_calia_at_yahoo.com)
Date: 05/05/04
- Previous message: Vin McLellan: "Re: [fw-wiz] Obtaining a US Govt Security Clearance"
- Next in thread: Melson, Paul: "RE: [fw-wiz] CIsco PIX vulnerable to TCP RST DOS attacks"
- Maybe reply: Melson, Paul: "RE: [fw-wiz] CIsco PIX vulnerable to TCP RST DOS attacks"
- Maybe reply: Ahmed, Balal: "RE: [fw-wiz] CIsco PIX vulnerable to TCP RST DOS attacks"
To: firewall-wizards@honor.icsalabs.com
Date: Wed, 5 May 2004 11:46:25 -0700 (PDT)
PIX can and has done this as well.
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml
When upgraded, the PIX will behave as described in the following draft RFC.
http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt
Ciao, Dario
>Apparently, Checkpoint can and did:
>
>"By upgrading to Check Point VPN-1/FireWall-1 R55 HFA-03 or newer, customers
>are able to protect their entire network from this vulnerability; thus
>providing additional time and security until other systems and software can
>be patched."
>
>http://www.checkpoint.com/techsupport/alerts/tcp_dos.html
>
>Shimon Silberschlag
>+972-3-9351572
>+972-51-207130
>----- Original Message -----
>From: "Paul D. Robertson" <paul@compuwar.net>
>To: "Ahmed, Balal" <balal.ahmed@capgemini.com>
>Cc: <firewall-wizards@honor.icsalabs.com>
>Sent: Wednesday, May 05, 2004 14:38
>Subject: Re: [fw-wiz] CIsco PIX vulnerable to TCP RST DOS attacks
>
>
>> On Wed, 5 May 2004, Ahmed, Balal wrote:
>>
>> > If a PIX, or any other firewall/device for that matter, is performing
>> > NAPT/Hide NAT/PAT/NAT then as far as the TCP conversation is concerned
>> > is it a connection end point or a transit device ?
>>
>> If it's a proxy, or a termination point for a connection such as a VPN,
>> then it's an endpoint, if it's a filter or router, then it's a transit
>> device.
>>
>> It's possible for stateful filters to "fix" endpoint issues for this bug-
>> but it's not a default, and would have probably had to have been added
>> since the original advisory went out. I'd like to see the firewall
>> vendors who can step up and fix this one- it's a perfect "we can fix this
>> without having folks update every system" thing that firewalls SHOULD fix.
>>
>> Paul
>>
>> --------------------------------------------------------------------------
>> Paul D. Robertson        "My statements in this message are personal opinions
>> paul@compuwar.net        which may have no basis whatsoever in fact."
>> probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
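As an added illustration (not code from Dario's post, Cisco, or Check Point), the following Python models the RST-handling rule that draft-ietf-tcpm-tcpsecure describes, beside the classic RFC 793 rule a stateful device would otherwise apply; the connection state values are constructed, and the window-counting helper is an assumption used only to show how much of the sequence space each rule accepts.

```python
# Added example: the tcpsecure RST rule (exact RCV.NXT match, otherwise a
# "challenge ACK" for in-window segments) next to classic RFC 793 behaviour,
# as a stateful firewall or host would apply it. Values are constructed.
from dataclasses import dataclass

SEQ_SPACE = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass
class Connection:
    """Receiver-side state tracked for one established TCP flow."""
    rcv_nxt: int  # next sequence number expected from the peer
    rcv_wnd: int  # receive window currently advertised to the peer


def in_window(seq: int, conn: Connection) -> bool:
    """True if seq lies in [RCV.NXT, RCV.NXT + RCV.WND), modulo 2^32."""
    return (seq - conn.rcv_nxt) % SEQ_SPACE < conn.rcv_wnd


def rst_action_rfc793(seq: int, conn: Connection) -> str:
    """Classic rule: any in-window RST tears the connection down."""
    return "reset" if in_window(seq, conn) else "drop"


def rst_action_tcpsecure(seq: int, conn: Connection) -> str:
    """tcpsecure rule: only an exact RCV.NXT match resets immediately.

    An in-window but inexact RST is discarded and answered with an ACK
    (the "challenge ACK"); a genuine peer that really closed the flow
    replies with a RST carrying the exact expected sequence number, which
    then passes the first test. Off-window segments are dropped silently.
    """
    if seq == conn.rcv_nxt:
        return "reset"
    if in_window(seq, conn):
        return "challenge_ack"
    return "drop"


def resets_within_window(conn: Connection, policy) -> int:
    """Count the in-window sequence numbers for which `policy` resets the
    flow (nothing outside the window resets under either rule). The ratio
    of this count to SEQ_SPACE is the per-spoofed-segment risk the
    advisory warns about; tcpsecure shrinks it from RCV.WND to 1."""
    return sum(
        policy((conn.rcv_nxt + i) % SEQ_SPACE, conn) == "reset"
        for i in range(conn.rcv_wnd)
    )
```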