firewalls on NT 4.0 SP4 subject to session hijacking

Tue, 31 Aug 1999 08:21:50 -0700 

This is really a followup to Spiff's note on NT 4.0's TCP sequencing
vulnerability...  I ran across the same article and checked with our
firewall vendor (one of the major firewalls) to see what level of exposure
this would cause us.  (And our customers - we're a VAR for that particular
firewall...)  Got the following reply, which I've sanitized -

> -----Original Message-----
> From:
> Sent: Monday, August 30, 1999 4:36 PM
> To: Lisa Lorenzin
> Subject: RE: Voice mail
>
>
> Lisa,
>
> This is one answer I received from our technical services
> group.  As I get
> more information I will send it to you.
>
> "A question of <firewall> being vulnerable to a TCP
> Sequencing attack on NT
> was fielded today.  The answer to this question is No,
> <firewall> is not
> vulnerable to TCP Sequencing attack.  The reason for this is
> because the TCP
> Sequencing attack is NOT an attack.  Rather, it is a function
> of the O/S
> creating packets for communications.  The problem is that due to the
> predictable nature of the way NT is handling packets, it
> could be easier to
> 'spoof' or 'hijack' a running TCP session between the NT
> machine and another
> machine.
> It is not a function of <firewall> to control these.
> However, it would be
> feasible to limit the amount of exposure to this type of
> session hijacking
> by implementing the use of encryption (IE SecuRemote, HTTPS,
> or SSH for
> telnet)."

Is it just me, or is saying the firewall is not vulnerable to a TCP
sequencing attack because TCP sequencing is not an "attack" spurious
semantics at best and downright misleading at worst?  I generally consider
session hijacking an attack - and as far as I know, so do Garfinkel &
Spafford. *wry grin*

Anyway.  The upshot is, it looks like at least one major firewall is
wide-open on NT 4.0, and doesn't intend to address the issue, so we're stuck
waiting for Mickeysoft to fix it.
Might want to contact your vendor and see what kind of squirming you get...

                                                                Regards,

                                                                        Lisa

Lisa Lorenzin
InterLan Technologies
[EMAIL PROTECTED]


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]

Reply via email to