[j-nsp] Default SRX Behaviour

Hahues, Sven shahues at fgcu.edu
Wed Aug 11 10:17:41 EDT 2010


From my understanding this will only impact your stateful packet filtering options. If you disable syn checking, the firewall portion will no longer check if there was an associated syn packet before creating a session in its state table.

Here's the description from Screenos which for all intents and purposes is the same application in Junos:

tcp-syn-check  (description for ScreenOS 6.0 and above)
Checks the TCP SYN bit before creating a session, and refreshes the session after the TCP three-way handshake. If the SYN bit is not set, the security device drops the packet.

If I recall correctly it could allow someone malicious to send packets to or through the security device without properly establishing a session via the 3-way handshake.

I think I ran into this a while back because I had some asymmetric routing, which was causing packets to be sent back to my security device that did not have an established session. You could alternatively increase the session durations on a certain policy and see if that fixes the issue without disabling the syn checking altogether.

Hope that helps,

Sven
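An added illustration, not code from any poster or from Juniper: a toy Python model of the behaviour Sven describes. The flow table only creates a session from a packet with SYN set when syn-check is on, and refreshes the session once the handshake's final ACK is seen; with syn-check off (the no-syn-check knob) any packet can create a session. The packets, addresses and class names are constructed for the example.

```python
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10  # TCP flag bits

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: int

class FlowTable:
    """Toy model of a stateful flow table with a tcp-syn-check switch.

    syn_check=True mirrors the default: only a SYN creates a session and
    any other packet without a matching session is dropped.
    syn_check=False mirrors 'set security flow tcp-session no-syn-check'.
    """
    def __init__(self, syn_check=True):
        self.syn_check = syn_check
        self.sessions = {}  # flow key -> "handshake" | "established" | "unverified"

    @staticmethod
    def key(p):
        return tuple(sorted((p.src, p.dst)))  # match both directions of a flow

    def process(self, p):
        k = self.key(p)
        if k in self.sessions:
            # Refresh: a bare ACK after the SYN/SYN-ACK completes the handshake
            if p.flags & ACK and not p.flags & SYN:
                self.sessions[k] = "established"
            return "forward"
        if p.flags & SYN:
            self.sessions[k] = "handshake"
            return "forward"
        if not self.syn_check:
            # no-syn-check: mid-stream packet creates a session anyway
            self.sessions[k] = "unverified"
            return "forward"
        return "drop"  # non-SYN packet with no session: refused

# Constructed traffic: a normal handshake, then a stray mid-stream ACK from a
# flow whose SYN never crossed this device (what asymmetric routing produces).
HANDSHAKE = [Packet("10.0.0.7", "192.0.2.9", SYN),
             Packet("192.0.2.9", "10.0.0.7", SYN | ACK),
             Packet("10.0.0.7", "192.0.2.9", ACK)]
STRAY_ACK = Packet("203.0.113.5", "10.0.0.7", ACK)

def run(syn_check, packets):
    """Return the per-packet verdicts and the resulting session table."""
    table = FlowTable(syn_check)
    return [table.process(p) for p in packets], dict(table.sessions)
```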

 
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Tuesday, August 10, 2010 10:46 PM
To: 'William Jackson'; 'Scott T. Cameron'; juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Default SRX Behaviour

I just wanted to respond back on-list about this... thank you to everyone who made suggestions on this issue.

The "set security flow tcp-session no-syn-check" resolved our issue as suggested below.

My last question is to understand the "risk" associated with disabling the syn-check. Does this affect any screen options, intrusion or firewall filters?

Thanks,

Paul


-----Original Message-----
From: William Jackson [mailto:wjackson at sapphire.gi]
Sent: Friday, August 06, 2010 12:20 AM
To: Paul Stewart; Scott T. Cameron; juniper-nsp at puck.nether.net
Subject: RE: [j-nsp] Default SRX Behaviour

I am suffering exactly the same symptoms for nearly exactly the same reasons, I have a JTAC case open and they have told me to implement:

    set security flow tcp-session no-syn-check

But it doesn't seem to have made a difference :-(

We are running srx240s in a cluster with 10.0R3.10 code.

Best Regards
 
William Jackson


_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
