RE: TCP Intercept

[JGrimshaw () ASAP com]

Well--I tried it with FTP... and it didn't work!

This FTP was over a secure tunnel.  The tunnel was up and running, but FTP 
wouldn't pass through it with TCP Intercept enabled.  More correctly, one 
couldn't even log in to the FTP.  It was as if the server didn't exist.

Cisco's blurb on the matter (on their website) suggests that TCP Intercept 
doesn't know what to do with TCP options that are negotiated at the 
server.  It doesn't know about the options or what to do with them, so it 
doesn't do anything with them.  TCP intercept does not negotiate on any 
level, just a handshake in the middle to "knit" the connection back 
together.  FTP would seem to fall under that category of something that 
requires TCP service negotiation.







"Hagen, Eric" <ehagen () DenverNewspaperAgency com> 
10/09/2003 05:26 PM

To
JGrimshaw () ASAP com
cc
security-basics () securityfocus com
Subject
RE: TCP Intercept






TCP intercept works with all TCP traffic, including FTP.  It intercepts 
TCP
SYN packets and attempts to initiate the connection for the server, later
knitting them together once the connection is successful.  This kicks into
takes the load off the servers in the event of a SYN flood.

There's also the "watch" mode in IOS, that simply watches for TCP SYN
requests that are sent with no SYN-ACK -> ACK following are agressively
terminated by the router in order to prevent server timeouts (sometimes 
over
a minute) from affecting their ability to handle a SYN attack and still 
have
something left over to serve to legitimate services.

Either way, they should not break ANY services that follow the TCP 
protocol
standards as far as I'm aware.  That includes FTP.  The interaction with 
the
router is totally seamless and invisible to the client and server.

It's probably best to only enable it for important servers, reducing the
risk that the router itself becomes bogged down in handling TCP Intercept
operations for non-critical hosts.

I'm curious if there was any information I'm not aware of that would make
you think that TCP Intercept would not work for FTP?   Just curious.

Eric Hagen


-----Original Message-----
From: JGrimshaw () ASAP com [mailto:JGrimshaw () ASAP com]
Sent: Thursday, October 09, 2003 7:22 AM
Cc: security-basics () securityfocus com
Subject: TCP Intercept


Hi everyone,

I was wondering, is there a way to use TCP Intercept with FTP transfers? I 

am thinking that by the very nature of the beast, it does not.

With that in mind, what other TCP services should one avoid "protecting" 
with TCP Intercept?  What is it best used for?  Cisco's web site is a 
little sketchy.

I would like to use TCP Intercept to block DoS attacks against a public 
range of addresses I oversee.  However, I have concerns that the TCP 
Intercept isn't going to work in all occasions, and would prefer not to be 

kicked out the door when something critical stops working because I 
protected it.

Any ideas? 

Thanks, 

jeff


---------------------------------------------------------------------------
----------------------------------------------------------------------------



---------------------------------------------------------------------------
----------------------------------------------------------------------------