[c-nsp] configuring RFC1948 on the ASA 5505

Jerry Kemp cisco.mail.list at oryx.cc
Thu Jun 5 00:44:43 EDT 2008


Is it possible to configure RFC 1948 sequence number 
generation on a Cisco ASA 5505 firewall?  A recent nmap port scan shows 
TCP sequence prediction to be "Difficulty=0 (Trivial joke)".

I did RTFM on the Cisco side and did several Yahoo searches, and did not turn 
up anything of value.

Below is an (abbreviated) nmap scan sample of an internal port on my ASA.

In case my question is not obvious, I have also included (very bottom) 
the RFC 1948 configuration from a standard Unix (Solaris) set up.

TIA for any replies,

Jerry K

--------------------------------------------------------------------
# nmap -v -sT -O 1.1.1.1
Starting Nmap 4.20 ( http://insecure.org ) at 2008-06-04 23:27 CDT
Initiating ARP Ping Scan at 23:27
Scanning 1.1.1.1 [1 port]
Completed ARP Ping Scan at 23:27, 0.20s elapsed (1 total hosts)
Initiating Connect() Scan at 23:27
Scanning 1.1.1.1 (1.1.1.1) [1697 ports]
Completed Connect() Scan at 23:27, 30.77s elapsed (1697 total ports)
Host 1.1.1.1 (1.1.1.1) appears to be up ... good.
Interesting ports on 1.1.1.1 (1.1.1.1):
Not shown: 1694 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
23/tcp  open  telnet
443/tcp open  https
MAC Address: 00:19:7:24:AD:67 (Cisco Systems)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=0 (Trivial joke)
--------------------------------------------------------------------------

# TCP_STRONG_ISS sets the TCP initial sequence number generation parameters.
# Set TCP_STRONG_ISS to be:
#       0 = Old-fashioned sequential initial sequence number generation.
#       1 = Improved sequential generation, with random variance in increment.
#       2 = RFC 1948 sequence number generation, unique-per-connection-ID.
#
TCP_STRONG_ISS=2
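As an added example (not from the original post, Solaris, or any Cisco product), here is the scheme that TCP_STRONG_ISS=2 selects, written in Python beside the fixed-increment generator that setting 0 describes. RFC 1948 defines ISN = M + F(localhost, localport, remotehost, remoteport, secret); the choice of an HMAC-SHA-256 for F (the RFC suggests MD5), the 250 kHz clock for M, and the crude predictability self-check are my assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Per-boot secret; RFC 1948 requires it to be unpredictable and never disclosed.
# Generated at import time, so this is a constructed example value.
SECRET = secrets.token_bytes(16)
TICKS_PER_SECOND = 250_000  # RFC 793's 4-microsecond ISN clock (assumption)
MASK32 = 0xFFFFFFFF


def rfc1948_isn(src_ip, src_port, dst_ip, dst_port, secret=SECRET, now=None):
    """ISN = M + F(localhost, localport, remotehost, remoteport, secret).

    M is the 4 us clock, so one connection's ISN space still advances at the
    RFC 793 rate; F is a keyed hash of the 4-tuple, so a peer observing ISNs
    on its own 4-tuple learns nothing about the offset used on any other.
    """
    if now is None:
        now = time.time()
    m = int(now * TICKS_PER_SECOND) & MASK32
    conn_id = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}".encode()
    digest = hmac.new(secret, conn_id, hashlib.sha256).digest()
    f = int.from_bytes(digest[:4], "big")
    return (m + f) & MASK32


def sequential_isn(counter, step=64_000):
    """The 'old-fashioned' generator (TCP_STRONG_ISS=0): one fixed increment
    per connection, so every ISN is a simple function of the previous one."""
    return (counter * step) & MASK32


def isn_deltas(samples):
    """Differences between successive ISNs, modulo 2^32."""
    return [(b - a) & MASK32 for a, b in zip(samples, samples[1:])]


def looks_predictable(samples, max_spread=1 << 16):
    """Crude self-check (assumed, not nmap's algorithm): if successive ISN
    deltas all fall within a narrow band, the next ISN is easy to guess."""
    deltas = isn_deltas(samples)
    return max(deltas) - min(deltas) < max_spread
```

Run against a burst of connections to one of your own hosts, the sequential generator trips the check while RFC 1948 samples across different source ports do not.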
