[c-nsp] configuring RFC1948 on the ASA 5505

Fred Reimer freimer at ctiusa.com
Thu Jun 5 10:26:58 EDT 2008


It could be that he has random sequence number generation turned off,
possibly because it causes issues with eBGP MD5's.  This can be done in
a NAT statement with the norandomseq keyword, or for all TCP traffic
with the set connection random-sequence-number disable command on a
class in a policy map.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
Sent: Thursday, June 05, 2008 6:16 AM
To: Jerry Kemp
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] configuring RFC1948 on the ASA 5505

Hi Jerry,

I have a 5550 providing "truly random" sequence numbers according to
NMap:

:: [root at einstein ~]# nmap -v -sT -O -p 22,23,443 10.x.y.z
:: 
:: Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-06-05 
:: 12:11 CEST
:: DNS resolution of 1 IPs took 0.00s.
:: Initiating Connect() Scan against 10.x.y.z [3 ports] at 12:11
:: Discovered open port 443/tcp on 10.x.y.z
:: Discovered open port 23/tcp on 10.x.y.z
:: Discovered open port 22/tcp on 10.x.y.z
:: The Connect() Scan took 0.00s to scan 3 total ports.
:: Warning:  OS detection will be MUCH less reliable because we did 
:: not find at least 1 open and 1 closed TCP port
:: For OSScan assuming port 22 is open, 43522 is closed, and neither 
:: are firewalled
:: For OSScan assuming port 22 is open, 36850 is closed, and neither 
:: are firewalled
:: For OSScan assuming port 22 is open, 30796 is closed, and neither 
:: are firewalled
:: Host 10.x.y.z appears to be up ... good.
:: Interesting ports on 10.x.y.z:
:: PORT    STATE SERVICE
:: 22/tcp  open  ssh
:: 23/tcp  open  telnet
:: 443/tcp open  https
:: Device type: router|printer|load balancer
:: Running (JUST GUESSING) : Cisco IOS 12.X (91%), Canon embedded 
:: (85%), Cisco embedded (85%)
:: Aggressive OS guesses: Cisco 2611 router running IOS 12.0(7)T 
:: (91%), Canon iR 2200 printer (85%), Cisco CSS 11501 Content 
:: Services Switch (85%)
:: No exact OS matches for host (test conditions non-ideal).
:: TCP Sequence Prediction: Class=truly random
::                          Difficulty=9999999 (Good luck!)
:: IPID Sequence Generation: Randomized
:: 
:: Nmap finished: 1 IP address (1 host up) scanned in 9.588 seconds
::                Raw packets sent: 50 (4556B) | Rcvd: 37 (1912B)
:: [root at einstein ~]# 

There could be a difference between the 5505 and the 5550, but hopefully
not for something like the devices own TCP stack. What version of ASA
software are you using? The above is tested on 7.2(2) and 7.2(4).

Regards,
Peter


On Wed, 2008-06-04 at 23:44 -0500, Jerry Kemp wrote:
> Is it possible to configure RFC 1948 sequence number
> generation on a Cisco ASA 5505 firewall?  A recent nmap port scan shows
> TCP sequence prediction to be "Difficulty=0 (Trivial joke)".
> 
> I did RTFM both Cisco and did several Yahoo searches, and did not turn
> up anything of value.
> 
> Below is an (abbreviated) nmap scan sample of an internal port on my ASA.
> 
> In case my question is not obvious, I have also included (very bottom)
> the RFC 1948 configuration from a standard Unix (Solaris) set up.
> 
> TIA for any replies,
> 
> Jerry K
> 
> --------------------------------------------------------------------
> # nmap -v -sT -O 1.1.1.1
> Starting Nmap 4.20 ( http://insecure.org ) at 2008-06-04 23:27 CDT
> Initiating ARP Ping Scan at 23:27
> Scanning 1.1.1.1 [1 port]
> Completed ARP Ping Scan at 23:27, 0.20s elapsed (1 total hosts)
> Initiating Connect() Scan at 23:27
> Scanning 1.1.1.1 (1.1.1.1) [1697 ports]
> Completed Connect() Scan at 23:27, 30.77s elapsed (1697 total ports)
> Host 1.1.1.1 (1.1.1.1) appears to be up ... good.
> Interesting ports on 1.1.1.1 (1.1.1.1):
> Not shown: 1694 filtered ports
> PORT    STATE SERVICE
> 22/tcp  open  ssh
> 23/tcp  open  telnet
> 443/tcp open  https
> MAC Address: 00:19:7:24:AD:67 (Cisco Systems)
> Network Distance: 1 hop
> TCP Sequence Prediction: Difficulty=0 (Trivial joke)
> --------------------------------------------------------------------------
> 
> # TCP_STRONG_ISS sets the TCP initial sequence number generation parameters.
> # Set TCP_STRONG_ISS to be:
> #       0 = Old-fashioned sequential initial sequence number generation.
> #       1 = Improved sequential generation, with random variance in increment.
> #       2 = RFC 1948 sequence number generation, unique-per-connection-ID.
> #
> TCP_STRONG_ISS=2
> 
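The RFC 1948 scheme that Jerry's Solaris TCP_STRONG_ISS=2 comment refers to, worked through as an added example (it is not from the thread and not Cisco's or Solaris' code): ISN = M + F(localhost, localport, remotehost, remoteport, secret), alongside a simplified ISN-sample classifier in the spirit of nmap's "TCP Sequence Prediction" line. The use of HMAC-SHA256 for F, the hosts, ports and secret are constructed assumptions, and the classifier is not nmap's real algorithm.

```python
import hashlib
import hmac
import statistics

ISN_MOD = 1 << 32  # TCP sequence numbers are 32-bit


def rfc793_clock(now_seconds: float) -> int:
    """Classic ISN clock M: advances once every 4 microseconds, wrapping at 2^32."""
    return int(now_seconds * 250_000) % ISN_MOD


def connection_offset(lhost: str, lport: int, rhost: str, rport: int, secret: bytes) -> int:
    """F(localhost, localport, remotehost, remoteport, secret): a keyed hash of the
    connection ID truncated to 32 bits.  RFC 1948 suggests MD5 over the tuple and
    secret; HMAC-SHA256 is substituted here (an assumption, not the RFC's choice)."""
    conn_id = f"{lhost}:{lport}->{rhost}:{rport}".encode()
    return int.from_bytes(hmac.new(secret, conn_id, hashlib.sha256).digest()[:4], "big")


def rfc1948_isn(lhost: str, lport: int, rhost: str, rport: int, secret: bytes, now_seconds: float) -> int:
    """ISN = M + F(connection ID, secret) mod 2^32.  For one connection ID the ISN
    still climbs with the clock (old duplicates cannot collide with it), but an
    observer of other connections learns nothing about this connection's offset."""
    return (rfc793_clock(now_seconds) + connection_offset(lhost, lport, rhost, rport, secret)) % ISN_MOD


def classify_isns(isns: list[int]) -> tuple[str, int]:
    """Simplified analogue of nmap's 'TCP Sequence Prediction' line (not nmap's real
    algorithm): inspects the differences between consecutive sampled ISNs and
    returns (class, rough difficulty = standard deviation of the differences)."""
    if len(isns) < 2:
        raise ValueError("need at least two ISN samples")
    deltas = [(b - a) % ISN_MOD for a, b in zip(isns, isns[1:])]
    spread = int(statistics.pstdev(deltas))
    if len(set(deltas)) == 1:
        return "constant increment (trivially predictable)", spread
    if spread < (1 << 16):
        return "small jitter around a fixed increment (predictable)", spread
    return "random-looking", spread


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret"  # a real stack draws this at boot
    # Constructed samples: a sequential stack that hands out ISN += 64000 per connection.
    print(classify_isns([1000 + 64000 * i for i in range(5)]))
    # RFC 1948 ISNs for five connections from different source ports at the same instant.
    print(classify_isns([rfc1948_isn("10.0.0.1", p, "192.0.2.10", 22, SECRET, 1.0)
                         for p in range(40000, 40005)]))
```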

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/