[c-nsp] configuring RFC1948 on the ASA 5505

Fred Reimer freimer at ctiusa.com
Mon Jun 9 08:11:41 EDT 2008


Oh, well that changes things.  I don't mean to make excuses for Cisco,
but the only TCP sessions TO the ASA should be from specific hosts or
segments that are considered "safe" or "clean" such as a management
subnet.  In all likelihood, if your management stations are compromised
you're screwed anyway, as they most certainly have the credentials and
access rights to manage any of your network devices.

If access into your ASA is wide-open, I'd suggest that you have more
serious, policy based, issues.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
Sent: Monday, June 09, 2008 4:57 AM
To: Luan M Nguyen
Cc: cisco-nsp
Subject: Re: [c-nsp] configuring RFC1948 on the ASA 5505

On Sat, 2008-06-07 at 22:58 -0400, Luan M Nguyen wrote:
> I wonder if you do this:
> class-map tcp_traffic
>  match any
> policy-map global_policy
> class tcp_traffic
>   set connection random-sequence-number disable
>  
> Would you get TCP Sequence Prediction: Difficulty=0 (Trivial joke)?

Well, I tried that now, but it doesn't change the result. The above is
about randomizing TCP sequence numbers for connections passing _through_
the ASA. It doesn't change anything for connections with the ASA as one
endpoint.

Regards,
Peter
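For readers unfamiliar with what the subject line asks for: RFC 1948 generates each initial sequence number as ISN = M + F(local addr, local port, remote addr, remote port, secret), where M is the RFC 793 4-microsecond clock and F is a keyed hash of the connection 4-tuple. Below is an added Python illustration of that scheme; it is not code from this thread and not the ASA's implementation, and the secret, addresses and ports are constructed values.

```python
"""RFC 1948-style TCP initial sequence number (ISN) generation (added example).

ISN = M + F(4-tuple, secret). M is a counter advancing once every 4 microseconds
(mod 2**32), F is a keyed hash of the connection identifiers. Each 4-tuple gets an
unrelated offset, so the ISNs of one host's connections reveal nothing about the
ISN another host will be given, while the clock keeps ISNs monotone per 4-tuple.
"""
import hashlib
import os
import struct
import time
from typing import Optional

SECRET = os.urandom(16)  # constructed per-boot key; RFC 1948 calls for a random secret


def _ipv4_bytes(addr: str) -> bytes:
    """Pack a dotted-quad IPv4 address into 4 bytes."""
    return bytes(int(octet) for octet in addr.split("."))


def rfc1948_offset(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                   secret: bytes = SECRET) -> int:
    """F(): 32-bit keyed hash of the 4-tuple (RFC 1948 suggests MD5; any keyed
    cryptographic hash works, only the first 32 bits are used)."""
    material = b"".join([
        _ipv4_bytes(src_ip), struct.pack("!H", src_port),
        _ipv4_bytes(dst_ip), struct.pack("!H", dst_port),
        secret,
    ])
    return struct.unpack("!I", hashlib.md5(material).digest()[:4])[0]


def clock_m(now_us: Optional[int] = None) -> int:
    """M: the 4-microsecond tick counter from RFC 793, wrapped to 32 bits."""
    if now_us is None:
        now_us = time.monotonic_ns() // 1000
    return (now_us // 4) & 0xFFFFFFFF


def isn(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
        now_us: Optional[int] = None, secret: bytes = SECRET) -> int:
    """ISN = M + F(...), modulo 2**32."""
    return (clock_m(now_us) + rfc1948_offset(src_ip, src_port, dst_ip, dst_port, secret)) & 0xFFFFFFFF


if __name__ == "__main__":
    # Two different clients talking to the same management port get unrelated ISNs.
    for client in ("10.0.0.2", "10.0.0.3"):
        print(client, hex(isn(client, 40000, "10.0.0.1", 22)))
```

Note that the hash term makes the ISN depend on the secret and the full 4-tuple; a device that still exposes a bare clock-driven ISN on its own listeners is what the "Difficulty=0" observation in the thread points at.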


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
