Lisa,
I agree with both you AND your <Firewall> Vendor, however I'll side more
with the vendor on this one, as TCP sequencing is a function of the TCP/IP
stack so it can re-build the packets on their way into the destination. If
there is a flaw in this function as with Micro$oft's implementation that's
not the fault of the FW vendor, nor is it really within the scope of their
work to have to fix it (In fact some firewalls look at TCP sequencing
numbers to detect out of sequence packets as a possible attack).
Though I agree with you, SOMEONE should fix this. In this case Micro$oft,
and that's where the pressure should be applied.
Besides, session hijacking would most likely occur outside your
firewall...
-----Original Message-----
From: Lisa Lorenzin [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 31, 1999 10:03 AM
To: [EMAIL PROTECTED]
Subject: firewalls on NT 4.0 SP4 subject to session hijacking
This is really a followup to Spiff's note on NT 4.0's TCP sequencing
vulnerability... I ran across the same article and checked with our
firewall vendor (one of the major firewalls) to see what level of exposure
this would cause us. (And our customers - we're a VAR for that particular
firewall...) Got the following reply, which I've sanitized -
> -----Original Message-----
> From:
> Sent: Monday, August 30, 1999 4:36 PM
> To: Lisa Lorenzin
> Subject: RE: Voice mail
>
>
> Lisa,
>
> This is one answer I received from our technical services group. As I get
> more information I will send it to you.
>
> "A question of <firewall> being vulnerable to a TCP Sequencing attack on NT
> was fielded today. The answer to this question is No, <firewall> is not
> vulnerable to TCP Sequencing attack. The reason for this is because the TCP
> Sequencing attack is NOT an attack. Rather, it is a function of the O/S
> creating packets for communications. The problem is that due to the
> predictable nature of the way NT is handling packets, it could be easier to
> 'spoof' or 'hijack' a running TCP session between the NT machine and another
> machine.
> It is not a function of <firewall> to control these. However, it would be
> feasible to limit the amount of exposure to this type of session hijacking
> by implementing the use of encryption (IE SecuRemote, HTTPS, or SSH for
> telnet)."
Is it just me, or is saying the firewall is not vulnerable to a TCP
sequencing attack because TCP sequencing is not an "attack" spurious
semantics at best and downright misleading at worst? I generally consider
session hijacking an attack - and as far as I know, so do Garfinkel &
Spafford. *wry grin*
Anyway. The upshot is, it looks like at least one major firewall is
wide-open on NT 4.0, and doesn't intend to address the issue, so we're stuck
waiting for Mickeysoft to fix it.
Might want to contact your vendor and see what kind of squirming you get...
Regards,
Lisa
Lisa Lorenzin
InterLan Technologies
[EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]