[c-nsp] FW: Cisco Security Response: [Full-disclosure] Cisco PIX TCP Connection Prevention
Andrew Yourtchenko
ayourtch at cisco.com
Wed Nov 23 06:07:41 EST 2005
> interfaces to higher security level interfaces, TCP Intercept can be
> configured on "STATIC" commands by setting the "emb_limit" to 1. This
> results in the PIX proxying all connection attempts after the first
A couple of things should be taken into account with respect to this
workaround:
1) By setting econn to 1, you inhibit any options other than
MSS. Some folks may get upset.
2) On 7.x, ensure you run 7.0.4 to avoid CSCeh07211. Despite talking
about a specific kernel version, it is more generic, and deals with the way
the specific stack handles the retransmitted SYN-ACK.
If something still does not work on 7.0.4 with respect to intercept,
fire up a TAC case, and drop me an email with the number, please.
I believe setting econn to some reasonably "small" value (like
50 or so for an average single-host setup) would be a more
conservative approach: the normal flow of things would not be affected, and
it will allow you to detect trivially, should the attack be taking place.
thanks,
andrew
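Added example, not part of Andrew's message or of the Cisco response: a PIX configuration fragment showing the advisory's workaround (an embryonic limit of 1 on a static) next to the small-but-nonzero limit suggested in the reply above, followed by the command used to watch the per-host embryonic count. The interface names, addresses and limits are illustrative assumptions, and the `static` command is written in the PIX 6.3 form (`static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask max_conns emb_limit`); on 7.x the connection limits are introduced by the `tcp` keyword, so check the form against the release you run. A max_conns of 0 means unlimited.

```cisco
! Added example; addresses, interface names and limits are assumptions.
! Workaround as worded in the Cisco response: emb_limit of 1, so every
! SYN after the first half-open connection to the host is proxied by
! TCP Intercept, which (per the reply above) strips options other than MSS.
! max_conns 0 = unlimited established connections.
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255 0 1
!
! More conservative setting from the reply above: allow up to 50
! embryonic connections to the host before intercept starts proxying,
! so ordinary traffic is untouched while a SYN flood still trips it.
static (inside,outside) 192.0.2.20 10.1.1.20 netmask 255.255.255.255 0 50
!
! Watch the per-host embryonic count; a count sitting at or near the
! limit while the host is otherwise idle points at a flood in progress.
show local-host 10.1.1.20
```

Apply the same emb_limit on every static that exposes a host from a lower-security interface, since the limit is per static, not global.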