[c-nsp] configuring RFC1948 on the ASA 5505

Peter Rathlev peter at rathlev.dk
Thu Jun 5 06:15:58 EDT 2008


Hi Jerry,

I have a 5550 providing "truly random" sequence numbers according to
NMap:

:: [root at einstein ~]# nmap -v -sT -O -p 22,23,443 10.x.y.z
:: 
:: Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-06-05 
:: 12:11 CEST
:: DNS resolution of 1 IPs took 0.00s.
:: Initiating Connect() Scan against 10.x.y.z [3 ports] at 12:11
:: Discovered open port 443/tcp on 10.x.y.z
:: Discovered open port 23/tcp on 10.x.y.z
:: Discovered open port 22/tcp on 10.x.y.z
:: The Connect() Scan took 0.00s to scan 3 total ports.
:: Warning:  OS detection will be MUCH less reliable because we did 
:: not find at least 1 open and 1 closed TCP port
:: For OSScan assuming port 22 is open, 43522 is closed, and neither 
:: are firewalled
:: For OSScan assuming port 22 is open, 36850 is closed, and neither 
:: are firewalled
:: For OSScan assuming port 22 is open, 30796 is closed, and neither 
:: are firewalled
:: Host 10.x.y.z appears to be up ... good.
:: Interesting ports on 10.x.y.z:
:: PORT    STATE SERVICE
:: 22/tcp  open  ssh
:: 23/tcp  open  telnet
:: 443/tcp open  https
:: Device type: router|printer|load balancer
:: Running (JUST GUESSING) : Cisco IOS 12.X (91%), Canon embedded 
:: (85%), Cisco embedded (85%)
:: Aggressive OS guesses: Cisco 2611 router running IOS 12.0(7)T 
:: (91%), Canon iR 2200 printer (85%), Cisco CSS 11501 Content 
:: Services Switch (85%)
:: No exact OS matches for host (test conditions non-ideal).
:: TCP Sequence Prediction: Class=truly random
::                          Difficulty=9999999 (Good luck!)
:: IPID Sequence Generation: Randomized
:: 
:: Nmap finished: 1 IP address (1 host up) scanned in 9.588 seconds
::                Raw packets sent: 50 (4556B) | Rcvd: 37 (1912B)
:: [root at einstein ~]# 

There could be a difference between the 5505 and the 5550, but hopefully
not for something like the device's own TCP stack. What version of ASA
software are you using? The above is tested on 7.2(2) and 7.2(4).

Regards,
Peter


On Wed, 2008-06-04 at 23:44 -0500, Jerry Kemp wrote:
> Is it possible to configure RFC 1948 sequence number 
> generation on a Cisco ASA 5505 firewall?  A recent nmap port scan shows 
> TCP sequence prediction to be "Difficulty=0 (Trivial joke)".
> 
> I did RTFM both Cisco and did several Yahoo searches, and did not turn 
> up anything of value.
> 
> Below is an (abbreviated) nmap scan sample of an internal port on my ASA.
> 
> In case my question is not obvious, I have also included (very bottom) 
> the RFC 1948 configuration from a standard Unix (Solaris) set up.
> 
> TIA for any replies,
> 
> Jerry K
> 
> --------------------------------------------------------------------
> # nmap -v -sT -O 1.1.1.1
> Starting Nmap 4.20 ( http://insecure.org ) at 2008-06-04 23:27 CDT
> Initiating ARP Ping Scan at 23:27
> Scanning 1.1.1.1 [1 port]
> Completed ARP Ping Scan at 23:27, 0.20s elapsed (1 total hosts)
> Initiating Connect() Scan at 23:27
> Scanning 1.1.1.1 (1.1.1.1) [1697 ports]
> Completed Connect() Scan at 23:27, 30.77s elapsed (1697 total ports)
> Host 1.1.1.1 (1.1.1.1) appears to be up ... good.
> Interesting ports on 1.1.1.1 (1.1.1.1):
> Not shown: 1694 filtered ports
> PORT    STATE SERVICE
> 22/tcp  open  ssh
> 23/tcp  open  telnet
> 443/tcp open  https
> MAC Address: 00:19:7:24:AD:67 (Cisco Systems)
> Network Distance: 1 hop
> TCP Sequence Prediction: Difficulty=0 (Trivial joke)
> --------------------------------------------------------------------------
> 
> # TCP_STRONG_ISS sets the TCP initial sequence number generation parameters.
> # Set TCP_STRONG_ISS to be:
> #       0 = Old-fashioned sequential initial sequence number generation.
> #       1 = Improved sequential generation, with random variance in increment.
> #       2 = RFC 1948 sequence number generation, unique-per-connection-ID.
> #
> TCP_STRONG_ISS=2
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
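The three TCP_STRONG_ISS modes in the quoted Solaris configuration, modelled as an added example (constructed for this thread, not Solaris, Cisco or nmap code). RFC 1948 defines ISN = M + F(localhost, localport, remotehost, remoteport, secret); HMAC-SHA256 stands in here for the MD5 hash the RFC used, and the addresses, ports and timestamp are made up.

```python
import hashlib
import hmac
import os
import random

# RFC 1948: M is a 32-bit counter ticking every 4 microseconds, F a keyed
# one-way hash of the connection 4-tuple. The ISN stream seen by one peer
# still advances with the clock, but carries a secret per-connection offset
# that an off-path observer of a *different* 4-tuple cannot learn.
# Constructed illustration; HMAC-SHA256 replaces the RFC's MD5 (assumption).

MASK32 = 0xFFFFFFFF
SECRET = os.urandom(32)          # per-boot secret (RFC 1948: large and random)

def clock_m(t_us: int) -> int:
    """RFC 1948 'M': 32-bit counter advancing once every 4 microseconds."""
    return (t_us // 4) & MASK32

def isn_mode0(t_us: int) -> int:
    """TCP_STRONG_ISS=0: plain sequential ISN, fully predictable from time."""
    return clock_m(t_us)

def isn_mode1(t_us: int, rng: random.Random) -> int:
    """TCP_STRONG_ISS=1: sequential with a random increment per connection."""
    return (clock_m(t_us) + rng.randrange(1 << 16)) & MASK32

def isn_mode2(t_us: int, laddr: str, lport: int, raddr: str, rport: int,
              secret: bytes = SECRET) -> int:
    """TCP_STRONG_ISS=2: RFC 1948 per-connection-ID offset added to M."""
    conn_id = f"{laddr}:{lport}>{raddr}:{rport}".encode()
    f = int.from_bytes(hmac.new(secret, conn_id, hashlib.sha256).digest()[:4], "big")
    return (clock_m(t_us) + f) & MASK32

def offset_between_peers(t_us: int, laddr: str, lport: int,
                         peer_a: tuple, peer_b: tuple) -> int:
    """Distance (mod 2^32) between the mode-2 ISNs two peers get at the same
    instant: the secret-dependent F(a) - F(b). With mode 0 it would be 0."""
    a = isn_mode2(t_us, laddr, lport, *peer_a)
    b = isn_mode2(t_us, laddr, lport, *peer_b)
    return (a - b) & MASK32

if __name__ == "__main__":
    t = 1_212_666_000_000_000        # constructed timestamp in microseconds
    for dt in (0, 4, 8):             # same peer, three successive 4 us ticks
        print("mode 2, same peer:", hex(isn_mode2(t + dt, "10.0.0.1", 22, "10.0.0.2", 40000)))
    print("mode 2, offset to another peer:",
          hex(offset_between_peers(t, "10.0.0.1", 22, ("10.0.0.2", 40000), ("10.0.0.3", 40000))))
```

The first loop shows why one peer still sees a sequential-looking ISN series under mode 2, while the final line shows the offset that peer cannot derive for a different connection ID.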
