
Re: [FW-1] Nokia IP sequence number and IP ID



John Madden wrote:
>
> Hello,
>
> I ran a vulnerability scan against a client's FW
> (CheckPoint 4.1 SP6 on Nokia 3.5fcs7). The fingerprint
> of the Nokia was identified as IPSO 3.1-3.6 and it
> reported that the IP ID used non-random numbers

Who cares? Predictable IP IDs have a minute security impact. If your
firewall is not used at all, someone might be able to use your
firewall's IP address to stealth scan a third party.

  1) If your firewall passes any amount of traffic, it is useless for
     this.

  2) Who the hell bothers to do stealth scans? The kiddies just use
     sacrificial 0wnd b0x3n and slam away with brute force scans that
     walk over the whole frickin' Internet.

> and
> that the TCP/IP sequence numbers were also
> predictable.

That might be a problem. I'm not sure what ISN algorithm Nokia boxes
use. However, scanning tools have been known to report false positives
for these.

> Has anybody else seen this?
>
> To double check I ran an NMAP scan and it gave me a
> "Class=random positive increments" but it also gives
> me the uptime of the machine. How does it accomplish
> this with only ports 264 and 500 open?

TCP options. Specifically the TCP timestamp option. TCP segments are
timestamped, and it just so happens that for many operating systems,
the counter is global and starts from zero when the machine is booted.

> Is there a fix for this? Is it fixed in IPSO 3.6fcs4?

Can't tell you if Nokia's made changes in these, but I believe the
sysctl variable,

  net.inet.tcp.rfc1323

can disable timestamping altogether. I personally can't recommend
that. I can't tell you if the tiny information leak is worse than the
tiny potential of a performance hit.

As for a real fix for all of these, Nokia would have to build it into the
kernel. IPSO is based on FreeBSD version *mumble-mumble*, IIRC. I know
FreeBSD has a compile-time option to do "random" IP IDs, and I know the
current ISN generator is quite strong. I know patches exist to mess with
the TCP timestamps, but I can't recall how thorough any are. (You can use
a global counter but start at a random value at boot, but someone can
still tell if a system has been rebooted recently by seeing a discontinuity
in the timestamp between two probes. The "right way" is to have a new
counter starting at a random value for every TCP connection, but that
consumes additional per-connection resources and may actually hurt your
performance more than it helps your security. And that's besides not being
completely trivial to implement.)

None of that helps you directly, but it should make it easier for Nokia to
add the features if people ask for them.
--
Crist J. Clark                               [email protected]
Globalstar Communications
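As an added example (not from the original message, and not Nokia or FreeBSD code), the Python below reproduces the uptime inference the reply describes and shows what the two counter designs it compares do to that inference; the 100 Hz tick rate and every TSval sample are constructed, not captured from a real host.

```python
"""Added example: TCP timestamp (TSval) counter behaviour and uptime leakage.
All samples are constructed; nothing here comes from a real capture."""
from dataclasses import dataclass

@dataclass
class Sample:
    t_observed: float  # capture wall-clock time, seconds
    tsval: int         # TCP timestamp option value carried in the segment

def fit_counter(samples):
    """Least-squares fit of tsval = rate * t + offset.
    Returns (rate_hz, offset, worst_residual_in_ticks)."""
    n = len(samples)
    mean_t = sum(s.t_observed for s in samples) / n
    mean_v = sum(s.tsval for s in samples) / n
    sxx = sum((s.t_observed - mean_t) ** 2 for s in samples)
    sxy = sum((s.t_observed - mean_t) * (s.tsval - mean_v) for s in samples)
    rate = sxy / sxx
    offset = mean_v - rate * mean_t
    worst = max(abs(s.tsval - (rate * s.t_observed + offset)) for s in samples)
    return rate, offset, worst

def estimate_uptime(samples, tolerance_ticks=2.0):
    """Uptime in seconds at the last sample if every sample (possibly from
    different connections) lies on one counter line; None otherwise.
    None is exactly what a per-connection random counter yields."""
    rate, _offset, worst = fit_counter(samples)
    if rate <= 0 or worst > tolerance_ticks:
        return None
    return samples[-1].tsval / rate  # only meaningful if counter began at 0

def reboot_between(before, after, rate_hz, tolerance_ticks=2.0):
    """A global counter randomised at boot hides uptime, but a reboot still
    shows up as a discontinuity against the extrapolated TSval."""
    expected = before.tsval + rate_hz * (after.t_observed - before.t_observed)
    return abs(after.tsval - expected) > tolerance_ticks

HZ = 100  # constructed tick rate
# Constructed: host up 3 days, one global counter started at zero at boot.
GLOBAL_ZERO = [Sample(t, 3 * 86400 * HZ + HZ * t) for t in (0, 10, 20, 30)]
# Constructed: each connection starts its own counter at an arbitrary value.
PER_CONN = [Sample(t, base + HZ * t)
            for t, base in zip((0, 10, 20, 30), (123456, 9876543, 42, 5555555))]
# Constructed: global counter randomised at boot; host rebooted between probes.
RANDOM_BOOT = [Sample(0, 777000), Sample(600, 31337)]

if __name__ == "__main__":
    print(estimate_uptime(GLOBAL_ZERO))      # 259230.0 seconds, about 3 days
    print(estimate_uptime(PER_CONN))         # None
    print(reboot_between(*RANDOM_BOOT, HZ))  # True
```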
