[fw-wiz] CIsco PIX vulnerable to TCP RST DOS attacks

From: Dario Calia (dario_calia_at_yahoo.com)
Date: 05/05/04

  • Next message: Ionut Boldizsar: "Re: [fw-wiz] IPtables + PCAnywhere"
    To: firewall-wizards@honor.icsalabs.com
    Date: Wed, 5 May 2004 11:46:25 -0700 (PDT)

    PIX can and has done this as well.

    When upgraded the PIX will behave as described in the
    following draft RFC.

    Ciao, Dario

    >Apparently, Checkpoint can and did:
    >"By upgrading to Check Point VPN-1/FireWall-1 R55
    >HFA-03 or newer, customers
    >are able to protect their entire network from this
    >vulnerability; thus
    >providing additional time and security until other
    >systems and software can
    >be patched."
    >Shimon Silberschlag


    >----- Original Message -----
    >From: "Paul D. Robertson" <paul@compuwar.net>
    >To: "Ahmed, Balal" <balal.ahmed@capgemini.com>
    >Cc: <firewall-wizards@honor.icsalabs.com>
    >Sent: Wednesday, May 05, 2004 14:38
    >Subject: Re: [fw-wiz] CIsco PIX vulnerable to TCP RST
    >DOS attacks
    >> On Wed, 5 May 2004, Ahmed, Balal wrote:
    >> > If a PIX, or any other firewall/device for that
    matter, is performing
    >> > NAPT/Hide NAT/PAT/NAT then as far as the TCP
    conversation is concerned
    is it
    >> > a connection end point or a transit device ?
    >> If it's a proxy, or a termination point for a
    connection such as a VPN,
    >> then it's an endpoint, if it's a filter or router,
    then it's a transit
    >> device.
    >> It's possible for stateful filters to "fix"
    endpoint issues for this bug-
    >> but it's not a default, and would have probably had
    to have been added
    >> since the original advisory went out. I'd like to
    see the firewall
    >> vendors who can step up and fix this one- it's a
    perfect "we can fix this
    >> without having folks update every system" thing
    that firewalls SHOULD fix.
    >> Paul

    >> Paul D. Robertson      "My statements in this
    message are personal
    >> paul@compuwar.net       which may have no basis
    whatsoever in fact."
    >> probertson@trusecure.com Director of Risk
    Assessment TruSecure Corporation
    >> _______________________________________________
    >> firewall-wizards mailing list
    >> firewall-wizards@honor.icsalabs.com
    Do you Yahoo!?
    Win a $20,000 Career Makeover at Yahoo! HotJobs  
    firewall-wizards mailing list

  • Next message: Ionut Boldizsar: "Re: [fw-wiz] IPtables + PCAnywhere"

    Relevant Pages

    • Re: Crazy Quilt
      ... there are a few online free pix places you can use. ... there is also picturetrails.com and yahoo photos too. ... stitches, all simple ones, then mix and match them and you'll have enough ...
    • Re: DNS, SMTP, AOL, Yahoo
      ... PIX, but it may require an upgrade before you can make that settings change ... is not updated to the latest code and can't fix the code. ... But, again, I don't know of any lost functionality at this point. ... >> Charles Palmer ...
    • Re: PIX501 - DES or 3DES?
      ... Before you buy the PIX, what kind of connections are you trying to support? ... Specializing in Wired and Wireless Networks ... "Paul Hutchings" wrote in message ... > want to use standard DES? ...
    • PIX 501 obtaining an IP address
      ... I am a novice user trying to fix the firewall in my office. ... I see an interface called 'console' in the PIX box. ...
    • Why am I a t**t? PIX related incident!
      ... I am officialy punishing myself by posting this message... ... If this wasn't enough I decided to relod the PIX when it warned ... Now I can't get into my network and fix my errors! ... boss - everybody has a boss! ...