SYMSA1016

Symantec Enterprise Firewall TCP Initial Sequence Number Randomization

Last Updated August 05, 2002
Initial Publication Date August 05, 2002
  • Status: Closed
  • Severity: Medium
  • CVSS Base Score:

Ubizen, a leading Managed Service Solutions Provider, notified Symantec of a problem Ubizen discovered with the manner in which the security module on the Symantec Enterprise Firewall randomizes the TCP Initial Sequence Numbers (ISN) for each new connection. As an optimization feature, the security module reuses the same TCP ISN for a short time after the initial connection is closed. During this brief period, an attacker who could capture the initial TCP handshake of an earlier session from a valid IP could potentially "spoof" a valid one-way conversation from a legitimate IP address

Components Affected
Raptor Firewall 6.5 (Windows NT)
Raptor Firewall V6.5.3 (Solaris)
Symantec Enterprise Firewall 6.5.2 (Windows 2000 and NT)
Symantec Enterprise Firewall V7.0 (Solaris)
Symantec Enterprise Firewall 7.0 (Windows 2000 and NT)
VelociRaptor Model 500/700/1000
VelociRaptor Model 1100/1200/1300
Symantec Gateway Security 5110/5200/5300

Description
The Symantec Enterprise Firewall is an enterprise hybrid firewall that provides protection at all levels of the TCP/IP stack. The full application inspection technology protects back-end systems from session spoofing and hijacking by randomizing the ISNs for new proxy connection. However, as an optimization feature, the security module reuses ISN numbers for connections coming from the same source IP and TCP port within a limited time window. During this time, an attacker that captured the initial TCP handshake of an earlier session from a valid IP could potentially "spoof" a valid one-way conversation from a legitimate IP address (different than the attacker's address).

The result is that an attacker could hide their identity and could possibly establish a one-way TCP conversation with a back-end system assuming there is a rule established that allows the specific service through the firewall.

Symantec Response
Symantec recommends that if you require this service as a part of the functionality of your network, ensure that you install the latest TCP security hotfix that is available through the Symantec Enterprise Support site here. Since TCP/IP is not a secured protocol, Symantec further recommends that you use strong authentication for secure access control and VPN tunnels to protect your sensitive data.

As a best practice, Symantec recommends keeping all operating systems and applications updated with the latest vendor patches. Keeping mission-critical systems updated with all security patches applied reduces risk exposure

Symantec takes the security and proper functionality of our products very seriously. Symantec appreciates the coordination of Kristof Philipsen and Uziben in identifying and providing technical details of areas of concern as well as working closely with Symantec so we could properly address the issue

SYM02-012

Thanks for your feedback. Let us know if you have additional comments below. (requires login)

    © 1995-2019 Symantec Corporation