Initial Publication Date: 5 Aug 2002
Advisory Status: Closed
Advisory Severity: Medium
Legacy ID:
Ubizen, a leading Managed Service Solutions Provider, notified Symantec of a problem Ubizen discovered with the manner in which the security module on the Symantec Enterprise Firewall randomizes the TCP Initial Sequence Numbers (ISN) for each new connection. As an optimization feature, the security module reuses the same TCP ISN for a short time after the initial connection is closed. During this brief period, an attacker who could capture the initial TCP handshake of an earlier session from a valid IP could potentially "spoof" a valid one-way conversation from a legitimate IP address.
The Symantec Enterprise Firewall is an enterprise hybrid firewall that provides protection at all levels of the TCP/IP stack. The full application inspection technology protects back-end systems from session spoofing and hijacking by randomizing the ISNs for new proxy connections. However, as an optimization feature, the security module reuses ISNs for connections coming from the same source IP and TCP port within a limited time window. During this time, an attacker that captured the initial TCP handshake of an earlier session from a valid IP could potentially "spoof" a valid one-way conversation from a legitimate IP address (different than the attacker's address).
The result is that an attacker could hide their identity and could possibly establish a one-way TCP conversation with a back-end system, assuming there is a rule established that allows the specific service through the firewall.
Symantec recommends that if you require this service as a part of the functionality of your network, you install the latest TCP security hotfix, which is available through the Symantec Enterprise Support site. Since TCP/IP is not a secured protocol, Symantec further recommends that you use strong authentication for secure access control and VPN tunnels to protect your sensitive data.
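One way to check a packet capture for the ISN reuse described above, for example before and after installing the hotfix. This is an added example, not code from Symantec or Ubizen. The record layout (time, client IP, client port, ISN in the firewall's SYN-ACK), the sample values and the 60-second window are assumptions; the advisory does not state the length of the reuse window.

```python
# Constructed sample records, one per SYN-ACK sent by the firewall:
# (time_s, client_ip, client_port, isn_in_syn_ack)
SAMPLE = [
    (0.0,   "192.0.2.10", 40001, 0x1A2B3C4D),
    (4.0,   "192.0.2.10", 40001, 0x1A2B3C4D),  # same IP/port, same ISN, 4 s later
    (5.0,   "192.0.2.10", 40002, 0x77E1090A),
    (9.0,   "192.0.2.11", 40001, 0x1A2B3C4D),  # different client IP: not a match
    (300.0, "192.0.2.10", 40001, 0x1A2B3C4D),  # same tuple, but 296 s after last use
    (301.0, "192.0.2.10", 40002, 0x5C0FFEE1),  # same tuple, fresh ISN: expected
]


def find_isn_reuse(records, window_s=60.0):
    """Flag connections where a (client_ip, client_port) pair was handed an
    ISN it had already received no more than window_s seconds earlier."""
    last_seen = {}  # (ip, port, isn) -> time the ISN was last issued
    findings = []
    for t, ip, port, isn in sorted(records):
        key = (ip, port, isn)
        prev = last_seen.get(key)
        if prev is not None and t - prev <= window_s:
            findings.append({
                "client": (ip, port),
                "isn": isn,
                "previous": prev,
                "again": t,
                "gap_s": t - prev,
            })
        last_seen[key] = t
    return findings


if __name__ == "__main__":
    for f in find_isn_reuse(SAMPLE):
        ip, port = f["client"]
        print(f"{ip}:{port} received ISN {f['isn']:#010x} again "
              f"after {f['gap_s']:.1f} s")
```

On a patched firewall the same source IP and port should receive a fresh ISN on every new connection, so the function should return an empty list.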
As a best practice, Symantec recommends keeping all operating systems and applications updated with the latest vendor patches. Keeping mission-critical systems updated with all security patches applied reduces risk exposure.
Symantec takes the security and proper functionality of our products very seriously. Symantec appreciates the coordination of Kristof Philipsen and Ubizen in identifying and providing technical details of areas of concern as well as working closely with Symantec so we could properly address the issue.