Firewall Wizards mailing list archives
Re: CIsco PIX vulnerable to TCP RST DOS attacks
From: "Shimon Silberschlag" <shimons () bll co il>
Date: Wed, 5 May 2004 18:05:38 +0200
Apparently, Checkpoint can and did:

"By upgrading to Check Point VPN-1/FireWall-1 R55 HFA-03 or newer, customers are able to protect their entire network from this vulnerability; thus providing additional time and security until other systems and software can be patched."

http://www.checkpoint.com/techsupport/alerts/tcp_dos.html

Shimon Silberschlag
+972-3-9351572
+972-51-207130

----- Original Message -----
From: "Paul D. Robertson" <paul () compuwar net>
To: "Ahmed, Balal" <balal.ahmed () capgemini com>
Cc: <firewall-wizards () honor icsalabs com>
Sent: Wednesday, May 05, 2004 14:38
Subject: Re: [fw-wiz] CIsco PIX vulnerable to TCP RST DOS attacks

On Wed, 5 May 2004, Ahmed, Balal wrote:

> If a PIX, or any other firewall/device for that matter, is performing
> NAPT/Hide NAT/PAT/NAT, then as far as the TCP conversation is concerned,
> is it a connection end point or a transit device?

If it's a proxy, or a termination point for a connection such as a VPN, then it's an endpoint; if it's a filter or router, then it's a transit device.

It's possible for stateful filters to "fix" endpoint issues for this bug, but it's not a default, and it would probably have had to be added since the original advisory went out.

I'd like to see the firewall vendors who can step up and fix this one. It's a perfect "we can fix this without having folks update every system" thing that firewalls SHOULD fix.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson         "My statements in this message are personal opinions
paul () compuwar net        which may have no basis whatsoever in fact."
probertson () trusecure com  Director of Risk Assessment, TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
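The stateful "fix" Paul describes (a transit device shielding endpoints that accept a RST anywhere inside their receive window) can be sketched in code. The following is an added example written for this archive page; it is not code from the thread, from Cisco, or from Check Point, and it says nothing about how any vendor actually implemented the protection. It tracks each forwarded TCP conversation's sequence state and drops RST segments the receiving endpoint should not honour: out-of-window RSTs are always dropped, and in strict mode an in-window RST is forwarded only if it carries exactly the next expected sequence number (the rule later standardized in RFC 5961, section 3.2). The addresses, ports and sequence numbers in `demo()` are constructed, and retransmissions and sequence wrap are handled only minimally.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

MOD = 1 << 32  # TCP sequence space


@dataclass
class Segment:
    # Constructed, simplified view of the TCP fields the filter needs.
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    flags: str            # e.g. "S", "SA", "A", "R"
    length: int = 0       # payload bytes carried
    window: int = 65535   # receive window this sender advertises


@dataclass
class Side:
    nxt: int      # next sequence number the filter expects from this endpoint
    wnd: int      # receive window this endpoint last advertised


@dataclass
class Flow:
    sides: Dict[Tuple[str, int], Side] = field(default_factory=dict)


class StatefulRstFilter:
    """Transit-device filter: forwards segments it can account for and
    drops RSTs whose sequence number the receiver should not accept."""

    def __init__(self, strict: bool = True):
        self.strict = strict          # exact-match rule for RST, or window-only
        self.flows: Dict[FrozenSet[Tuple[str, int]], Flow] = {}

    @staticmethod
    def _key(seg: Segment) -> FrozenSet[Tuple[str, int]]:
        # Direction-independent flow key.
        return frozenset([(seg.src, seg.sport), (seg.dst, seg.dport)])

    def process(self, seg: Segment) -> str:
        key = self._key(seg)
        sender, receiver = (seg.src, seg.sport), (seg.dst, seg.dport)
        if "S" in seg.flags:
            # SYN or SYN-ACK: record the sender's ISN and advertised window.
            flow = self.flows.setdefault(key, Flow())
            flow.sides[sender] = Side(nxt=(seg.seq + 1) % MOD, wnd=seg.window)
            return "forward"
        flow = self.flows.get(key)
        if flow is None:
            return "drop:no-state"
        snd, rcv = flow.sides.get(sender), flow.sides.get(receiver)
        if snd is None or rcv is None:
            return "drop:half-open"
        if "R" in seg.flags:
            # The receiver accepts seq in [rcv_nxt, rcv_nxt + rcv_wnd); the filter
            # knows rcv_nxt as snd.nxt (next seq from this sender) and rcv_wnd as
            # the window the receiver last advertised.
            in_window = (seg.seq - snd.nxt) % MOD < rcv.wnd
            if not in_window:
                return "drop:rst-out-of-window"
            if self.strict and seg.seq != snd.nxt:
                return "drop:rst-in-window-not-exact"
            del self.flows[key]          # legitimate RST tears the flow down
            return "forward"
        # Data/ACK: advance the expected sequence number for in-order data.
        if seg.seq == snd.nxt:
            snd.nxt = (snd.nxt + seg.length) % MOD
        snd.wnd = seg.window
        return "forward"


def blind_rst_guesses(window: int, strict: bool) -> int:
    """Expected RSTs a blind attacker must send per (port, window) guess:
    one per window-sized slice without the strict rule, the full sequence
    space with it."""
    return MOD if strict else MOD // window


def demo(strict: bool) -> List[str]:
    f = StatefulRstFilter(strict=strict)
    c, s = ("10.0.0.5", 40000), ("192.0.2.10", 179)  # constructed client/server
    v = [
        f.process(Segment(*c, *s, seq=1000, flags="S", window=8192)),
        f.process(Segment(*s, *c, seq=5000, flags="SA", window=16384)),
        f.process(Segment(*c, *s, seq=1001, flags="A", length=100)),  # client nxt -> 1101
    ]
    # A blind attacker spoofing the client tries three RST sequence numbers.
    v.append(f.process(Segment(*c, *s, seq=40000, flags="R")))  # outside the 16384 window
    v.append(f.process(Segment(*c, *s, seq=9000, flags="R")))   # inside the window, not exact
    v.append(f.process(Segment(*c, *s, seq=1101, flags="R")))   # exactly the expected value
    return v


if __name__ == "__main__":
    print("strict:     ", demo(strict=True))
    print("window-only:", demo(strict=False))
```

Run with `demo(strict=False)` to see the weakness Paul is pointing at: the in-window guess (seq 9000) is forwarded, the flow state is gone, and the endpoint behind the filter has lost its connection; with `strict=True` the same guess is dropped and only the exact sequence number gets through. The filter also has to see the handshake to build state, which is why such protection applies to transit devices and not to a box that is itself the connection endpoint.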
Current thread:
- CIsco PIX vulnerable to TCP RST DOS attacks Ahmed, Balal (May 05)
- <Possible follow-ups>
- Re: CIsco PIX vulnerable to TCP RST DOS attacks Paul D. Robertson (May 05)
- Re: CIsco PIX vulnerable to TCP RST DOS attacks Shimon Silberschlag (May 05)
- RE: CIsco PIX vulnerable to TCP RST DOS attacks Melson, Paul (May 05)
- Re: CIsco PIX vulnerable to TCP RST DOS attacks Mikael Olsson (May 05)
- RE: BGP TCP RST Attacks (was:CIsco PIX vulnerable to TCP RST DOS attacks) Josh Welch (May 05)
- Re: BGP TCP RST Attacks (was:CIsco PIX vulnerable to TCP RST DOS attacks) Chuck Swiger (May 05)
- RE: BGP TCP RST Attacks (was:CIsco PIX vulnerable to TCP RST DOS attacks) Gwendolynn ferch Elydyr (May 05)
- Re: BGP TCP RST Attacks (was:CIsco PIX vulnerable to TCP RST DOS attacks) Henning Brauer (May 06)
- RE: BGP TCP RST Attacks (was:CIsco PIX vulnerable to TCP RST DOS attacks) Josh Welch (May 05)
- RE: CIsco PIX vulnerable to TCP RST DOS attacks Ahmed, Balal (May 05)
- CIsco PIX vulnerable to TCP RST DOS attacks Dario Calia (May 05)