Firewall Wizards mailing list archives

RE: Cisco PIX vulnerable to TCP RST DOS attacks


From: "Melson, Paul" <PMelson () sequoianet com>
Date: Wed, 5 May 2004 08:56:03 -0400

-----Original Message-----
Cisco have released an advisory [1] hot on the heels of the
NISCC TCP RST advisory [2]. Cisco's advice is to upgrade
images where a network device is a connection endpoint. Question:

If a PIX, or any other firewall/device for that matter, is
performing NAPT/Hide NAT/PAT/NAT then as far as the TCP
conversation is concerned is it a connection endpoint or a
transit device?

The answer I received to this question is that, no, the TCP RST attack
does not affect a PIX performing NAT/PAT functions for hosts with TCP
services.  What it DOES affect is PIX devices that can be reached via
HTTPS/SSH/Telnet.  For well-designed environments, this type of
connection shouldn't be possible from public networks.  

Of course, I have to wonder whether or not a redirected service that
uses one of the TCP fixups (like HTTP) would still be affected, since
they are something along the lines of a proxy.  I haven't tested this
and do not know one way or the other.  Anybody from Cisco that's close
to this issue want to comment?

PaulM
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
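The endpoint-versus-transit distinction discussed in the thread, as an added toy model (not code from the list, from Cisco, or from the NISCC advisory). It assumes a simplified device that terminates its own management sessions but only rewrites and forwards PAT'd traffic; the in-window acceptance rule is the classic behaviour the RST advisory describes, and the strict variant is the RFC 5961-style check (RST must match RCV.NXT exactly). The PIX name, addresses and ports are constructed for the illustration.

```python
# Toy model of a firewall that is a TCP endpoint for its own management
# service but a NAT/PAT transit device for everything else. Assumption for
# this illustration: PAT'd segments are rewritten and forwarded, so the
# inside host's stack, not the firewall, decides whether a RST is honoured.
from dataclasses import dataclass, field


@dataclass
class TcpConn:
    rcv_nxt: int          # next sequence number this endpoint expects
    rcv_wnd: int          # advertised receive window
    open: bool = True


def rst_accepted(seq: int, conn: TcpConn, strict: bool) -> bool:
    """Classic stacks honour a RST anywhere inside the receive window (the
    weakness behind the advisory); a strict stack (RFC 5961 style) only
    honours seq == RCV.NXT and answers anything else with a challenge ACK."""
    if strict:
        return seq == conn.rcv_nxt
    return conn.rcv_nxt <= seq < conn.rcv_nxt + conn.rcv_wnd


@dataclass
class ToyPix:
    outside_ip: str
    strict_rst: bool = False
    # management sessions terminated on the box: (peer_ip, peer_port, local_port)
    mgmt: dict = field(default_factory=dict)
    # PAT table: outside_port -> (inside_ip, inside_port)
    pat: dict = field(default_factory=dict)

    def handle(self, src_ip, src_port, dst_ip, dst_port, seq, rst=False):
        """Return ('endpoint', closed) when the device itself owns the
        connection, ('transit', rewritten_segment) when it only forwards,
        or ('dropped', None) when nothing matches."""
        if dst_ip != self.outside_ip:
            return ("dropped", None)
        key = (src_ip, src_port, dst_port)
        if key in self.mgmt:
            conn = self.mgmt[key]
            if rst and rst_accepted(seq, conn, self.strict_rst):
                conn.open = False          # session torn down on the firewall
            return ("endpoint", not conn.open)
        if dst_port in self.pat:
            inside_ip, inside_port = self.pat[dst_port]
            # Transit role: no window check here, the translation survives
            # and the inside host evaluates the RST against its own state.
            return ("transit", (src_ip, src_port, inside_ip, inside_port, seq, rst))
        return ("dropped", None)
```

The same forged RST that closes a management session on the classic stack is merely translated when it targets a PAT entry, and is ignored by the strict stack unless it hits RCV.NXT exactly.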