The Borderware Firewall predictable initial TCP sequence numbers issue has resulted in quite a few comments and sub-threads both in the list and in private Emails to my mailbox. This message summarises the different threads:

1. Borderware v4 and v5 vulnerable

The reports I've had back from people using the testing tool indicate that both version 4 and version 5 of Borderware are vulnerable to this issue. I've not had any reports of earlier versions (was there ever a Borderware v3 or earlier?).

2. Other OS'es vulnerable to this issue

Many people pointed out that HP-UX 9.x and 10.x produce predictable sequence numbers by default, although both versions can be easily changed to pseudo-random sequences (I wonder why HP don't make this the default setting? Does it have a significant performance hit?).

There has also been lots of comment about NT 4's time-based sequence numbers which increment once per millisecond. The general feeling here seems to be that, even though this sequence is harder to predict than the "64k" sequence seen on Borderware & HP-UX, it is possible to do so. I've had a few packet-trace examples demonstrating this.

I have also observed the "64k" sequence on old versions of AIX and SCO UNIX. I'm sure that there are plenty of other old OS'es out there which share this problem.

Does anyone know if there is a list of the initial TCP sequence number patterns exhibited by the major operating systems and TCP/IP stacks?

3. Certification issues

I've received lots of private Email on the subject of certification, and why this issue was not picked up in the ICSA (previously NCSA) tests. The general opinion was that ICSA testing is quite superficial and should be seen as a minimum acceptable level rather than a "gold standard". Another common theme was that certification was no substitute for independent testing of the "real world" connection.

Roy Hills
NTA Monitor Ltd

--
Roy Hills                                Tel:   01634 721855
NTA Monitor Ltd                          FAX:   01634 721844
6 Beaufort Court, Medway City Estate,    Email: Roy.Hills@nta-monitor.com
Rochester, Kent ME2 4FB, UK              WWW:   http://www.nta-monitor.com/

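The following is an added example, not part of the original post and not the testing tool it mentions: a sketch of how an administrator could label initial sequence numbers captured from their own host as following the "64k" pattern or the once-per-millisecond pattern described in section 2. The function names, the 64000 step size and all sample values are assumptions constructed for illustration.

```python
"""Classify initial TCP sequence number (ISN) samples captured from your own host."""

MOD = 2 ** 32      # ISNs are 32-bit counters and wrap around
STEP_64K = 64000   # assumption: the "64k" pattern advances in multiples of 64000


def isn_deltas(samples):
    """Return (isn_delta, seconds_elapsed) for each consecutive pair of samples."""
    return [((b_isn - a_isn) % MOD, b_t - a_t)
            for (a_t, a_isn), (b_t, b_isn) in zip(samples, samples[1:])]


def classify_isn(samples, tolerance_ms=5):
    """Label a list of (capture_time_seconds, isn) pairs by the pattern they follow."""
    deltas = isn_deltas(samples)
    if len(deltas) < 3:
        raise ValueError("need at least four samples to call a pattern")
    if all(d == 0 for d, _ in deltas):
        return "constant"
    if all(d % STEP_64K == 0 for d, _ in deltas):
        return "64k"
    # One tick per millisecond: the ISN delta tracks elapsed wall-clock time.
    if all(abs(d - round(dt * 1000)) <= tolerance_ms for d, dt in deltas):
        return "time-based"
    return "no simple pattern"


# Constructed sample data (not taken from any real capture).
# The 64k sample deliberately wraps past 2**32 between the 2nd and 3rd reading.
SAMPLE_64K = [(0.0, 4294900000), (0.5, 4294964000), (1.0, 124704),
              (1.5, 188704), (2.0, 316704)]
SAMPLE_TIME = [(0.000, 1000000), (0.250, 1000250), (0.730, 1000731),
               (1.500, 1001499), (2.000, 1002000)]
SAMPLE_OTHER = [(0.0, 0x3A1F9C42), (0.5, 0xC7E01B9D), (1.0, 0x19D4F0A3),
                (1.5, 0x8B62E7F1), (2.0, 0x5E0A3C18)]

if __name__ == "__main__":
    for name, data in (("64k", SAMPLE_64K), ("time", SAMPLE_TIME),
                       ("other", SAMPLE_OTHER)):
        print(f"{name:6s} -> {classify_isn(data)}")
```

A result of "no simple pattern" only means neither of these two patterns matched; it is not by itself evidence that the sequence is unpredictable.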
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:16:14 PDT