Firewall Wizards mailing list archives
RE: Cisco PIX vulnerable to TCP RST DOS attacks
From: "Melson, Paul" <PMelson () sequoianet com>
Date: Wed, 5 May 2004 08:56:03 -0400
-----Original Message-----
> Cisco have released an advisory [1] hot on the heels of the NISCC TCP RST advisory [2]. Cisco's advice is to upgrade images where a network device is a connection endpoint.
>
> Question: If a PIX, or any other firewall/device for that matter, is performing NAPT/Hide NAT/PAT/NAT, then as far as the TCP conversation is concerned, is it a connection endpoint or a transit device?
The answer I received to this question is that, no, the TCP RST attack does not affect a PIX performing NAT/PAT functions for hosts with TCP services. What it DOES affect is PIX devices that can be reached via HTTPS/SSH/Telnet. For well-designed environments, this type of connection shouldn't be possible from public networks.

Of course, I have to wonder whether or not a redirected service that uses one of the TCP fixups (like HTTP) would still be affected, since they are something along the lines of a proxy. I haven't tested this and do not know one way or the other. Anybody from Cisco that's close to this issue want to comment?

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
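The endpoint-versus-transit distinction in the exchange above, as an added illustration that is not part of the original thread and not Cisco code: a constructed Python model of a firewall that (a) only translates addresses for PAT'd flows and hands the RST on to the inside host, and (b) is itself the TCP peer for a management session, where it must apply the receive-window check that the RST advisory is about. The `strict` flag models the later RFC 5961 hardening (a RST resets only when its sequence number equals RCV.NXT; anything else in-window would get a challenge ACK instead). The addresses, ports, window sizes and the assumption that the transit path does no sequence tracking of its own are simplifications chosen for the example; a real PIX tracks and randomizes sequence numbers, which the thread's open question about fixups touches on and this model does not settle.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]  # (ip, port)


@dataclass
class Segment:
    src: Addr
    dst: Addr
    seq: int
    flags: str  # e.g. "RST" or "ACK"


@dataclass
class EndpointConn:
    """Receive-side TCP state an endpoint keeps for one established session."""
    rcv_nxt: int
    rcv_wnd: int
    state: str = "ESTABLISHED"


def rst_in_window(seq: int, rcv_nxt: int, rcv_wnd: int, strict: bool = False) -> bool:
    """RFC 793 accepts a RST whose seq lies in [rcv_nxt, rcv_nxt + rcv_wnd),
    with 32-bit wraparound. strict=True models the RFC 5961 hardening: only an
    exact seq == rcv_nxt resets the connection."""
    off = (seq - rcv_nxt) & 0xFFFFFFFF
    if strict:
        return off == 0
    return off < rcv_wnd


class Firewall:
    """Hypothetical PAT firewall that is also reachable on its own management ports."""

    def __init__(self, public_ip: str, strict_rst: bool = False):
        self.public_ip = public_ip
        self.strict_rst = strict_rst
        # PAT table: (public_ip, public_port) -> (inside_ip, inside_port)
        self.xlate: Dict[Addr, Addr] = {}
        # Sessions the firewall terminates itself (SSH/HTTPS/Telnet to the box),
        # keyed by (peer, local) so a RST must also match the peer's address.
        self.endpoints: Dict[Tuple[Addr, Addr], EndpointConn] = {}

    def receive(self, seg: Segment):
        """Returns ('endpoint', state) when the firewall is the TCP peer,
        ('forwarded', translated_segment) for transit traffic, or ('dropped', None)."""
        conn: Optional[EndpointConn] = self.endpoints.get((seg.src, seg.dst))
        if conn is not None:
            # Connection endpoint: the RST is evaluated against *our* TCP state.
            if "RST" in seg.flags and conn.state == "ESTABLISHED":
                if rst_in_window(seg.seq, conn.rcv_nxt, conn.rcv_wnd, self.strict_rst):
                    conn.state = "CLOSED"
            return ("endpoint", conn.state)
        inside = self.xlate.get(seg.dst)
        if inside is None:
            return ("dropped", None)
        # Transit device: rewrite the destination and pass the segment on
        # untouched; the inside host applies its own RST validation.
        return ("forwarded", Segment(seg.src, inside, seg.seq, seg.flags))


def demo(strict: bool = False):
    """Drive one RST at a PAT'd service and one at the management session."""
    fw = Firewall("203.0.113.1", strict_rst=strict)
    # Constructed PAT entry: inside web server published on the public address.
    fw.xlate[("203.0.113.1", 80)] = ("10.0.0.10", 80)
    # Constructed management session: admin host with SSH open to the firewall.
    admin, mgmt = ("198.51.100.7", 40000), ("203.0.113.1", 22)
    fw.endpoints[(admin, mgmt)] = EndpointConn(rcv_nxt=1000, rcv_wnd=65535)

    # RST toward the published server: the firewall only translates it.
    transit = fw.receive(Segment(("192.0.2.9", 5555), ("203.0.113.1", 80), 1234, "RST"))
    # RST toward the management session, in-window but not exact: the firewall
    # itself decides, and the outcome depends on the validation rule in force.
    mgmt_result = fw.receive(Segment(admin, mgmt, 1000 + 30000, "RST"))
    return transit[0], transit[1].dst, mgmt_result[1]


if __name__ == "__main__":
    print("RFC 793 window check:", demo(strict=False))
    print("RFC 5961 exact match:", demo(strict=True))
```

Run as-is it prints the transit RST being forwarded to `10.0.0.10` in both modes, while the management session is torn down only under the classic in-window rule; with the strict rule the same segment leaves the session ESTABLISHED. That is the shape of Cisco's advice in the thread: the exposure is on the device's own terminated sessions, so the mitigations that matter are upgrading the image and keeping management ports off public networks.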
Current thread:
- CIsco PIX vulnerable to TCP RST DOS attacks Ahmed, Balal (May 05)
- <Possible follow-ups>
- Re: CIsco PIX vulnerable to TCP RST DOS attacks Paul D. Robertson (May 05)
- Re: CIsco PIX vulnerable to TCP RST DOS attacks Shimon Silberschlag (May 05)
- RE: CIsco PIX vulnerable to TCP RST DOS attacks Melson, Paul (May 05)
- Re: CIsco PIX vulnerable to TCP RST DOS attacks Mikael Olsson (May 05)
- RE: BGP TCP RST Attacks (was:CIsco PIX vulnerable to TCP RST DOS attacks) Josh Welch (May 05)
- Re: BGP TCP RST Attacks (was:CIsco PIX vulnerable to TCP RST DOS attacks) Chuck Swiger (May 05)
- RE: BGP TCP RST Attacks (was:CIsco PIX vulnerable to TCP RST DOS attacks) Gwendolynn ferch Elydyr (May 05)
- Re: BGP TCP RST Attacks (was:CIsco PIX vulnerable to TCP RST DOS attacks) Henning Brauer (May 06)
- RE: BGP TCP RST Attacks (was:CIsco PIX vulnerable to TCP RST DOS attacks) Josh Welch (May 05)
- RE: CIsco PIX vulnerable to TCP RST DOS attacks Ahmed, Balal (May 05)
- CIsco PIX vulnerable to TCP RST DOS attacks Dario Calia (May 05)