Firewall Wizards mailing list archives
Re: CIsco PIX vulnerable to TCP RST DOS attacks
From: "Paul D. Robertson" <paul () compuwar net>
Date: Wed, 5 May 2004 08:38:42 -0400 (EDT)
On Wed, 5 May 2004, Ahmed, Balal wrote:

> If a PIX, or any other firewall/device for that matter, is performing NAPT/Hide NAT/PAT/NAT then as far as the TCP conversation is concerned is it a connection end point or a transit device?

If it's a proxy, or a termination point for a connection such as a VPN, then it's an endpoint, if it's a filter or router, then it's a transit device.

It's possible for stateful filters to "fix" endpoint issues for this bug - but it's not a default, and would have probably had to have been added since the original advisory went out.

I'd like to see the firewall vendors who can step up and fix this one - it's a perfect "we can fix this without having folks update every system" thing that firewalls SHOULD fix.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson
paul () compuwar net
probertson () trusecure com
Director of Risk Assessment, TruSecure Corporation
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
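An added example, not part of the original message or any vendor's code: one way a stateful filter in the transit path could "fix" the endpoint issue is to forward a RST only when its sequence number exactly equals the next sequence number the receiver expects (the exact-match rule later standardized for endpoints in RFC 5961), instead of anywhere in the receive window. The struct, function names and sample values are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical state a stateful filter tracks for one direction of a flow. */
struct flow_dir {
    uint32_t rcv_nxt; /* next sequence number the receiver expects */
    uint32_t rcv_wnd; /* receiver's advertised window, in bytes */
};

enum rst_verdict { RST_PASS, RST_DROP_IN_WINDOW, RST_DROP_OUT_OF_WINDOW };

/* Wrap-safe check that seq lies in [start, start + len) modulo 2^32. */
static int seq_in_window(uint32_t seq, uint32_t start, uint32_t len)
{
    return (uint32_t)(seq - start) < len;
}

/* Classic endpoint rule: any RST inside the receive window is accepted. */
int endpoint_accepts_rst(const struct flow_dir *d, uint32_t seq)
{
    return seq_in_window(seq, d->rcv_nxt, d->rcv_wnd);
}

/* Strict filter rule: forward a RST only on an exact match with rcv_nxt. */
enum rst_verdict filter_rst(const struct flow_dir *d, uint32_t seq)
{
    if (seq == d->rcv_nxt)
        return RST_PASS;
    if (seq_in_window(seq, d->rcv_nxt, d->rcv_wnd))
        return RST_DROP_IN_WINDOW; /* the case the endpoint would honour */
    return RST_DROP_OUT_OF_WINDOW;
}

int main(void)
{
    /* Constructed sample: a window that straddles the 32-bit wrap. */
    struct flow_dir d = { 0xFFFFF000u, 0x2000u };
    uint32_t seqs[] = { 0xFFFFF000u, 0x00000800u, 0x00001000u };
    static const char *names[] = { "pass", "drop (in window)", "drop (out of window)" };

    for (int i = 0; i < 3; i++)
        printf("seq=0x%08X endpoint=%d filter=%s\n", (unsigned)seqs[i],
               endpoint_accepts_rst(&d, seqs[i]), names[filter_rst(&d, seqs[i])]);
    return 0;
}
```

A filter that drops rather than challenges depends on its own view of `rcv_nxt` being current, so it should derive that value from the ACKs it has seen in the opposite direction.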