ISE v3.3 TCP timestamp responses
01-16-2025 09:04 AM
I have 3 SNS-3615 servers running ISE v3.3 Patch 3. Two of them are in a deployment, the 3rd is configured but is a stand-alone and is only there as a spare. In our latest vulnerability scan, TCP timestamp response (generic-tcp-timestamp) came up as a vulnerability for the 2 servers in the deployment, but the stand-alone server was not flagged with this vulnerability.
I have tried to scan through and compare configurations but can't find anything different. Does anyone know if there is a configuration setting to disable the tcp timestamp response in ISE v3.3 Patch 3?
Labels: Vulnerability Management
01-16-2025 09:21 AM
Why is it a spare and not part of the same deployment? Can you post more details on the actual vulnerability report? When a server is in standalone mode, there are several services that do not run, since a single node has no need for them.
01-16-2025 09:47 AM
It is not part of the deployment because it's a spare, just pre-configured and ready in case one of the 2 deployed ones goes down. We only needed 2 but were given 3 servers; plus, it makes a good test server for upgrades/updates, but since it was configured, the security team wants it scanned.
The full vulnerability message from the Rapid7 scan is as follows:
TCP timestamp response (generic-tcp-timestamp)
Description:
The remote host responded with a TCP timestamp. The TCP timestamp response can be used to approximate the remote host's uptime, potentially aiding in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP timestamps.
Affected Nodes:
x.x.x.x | Able to determine system boot time.
x.x.x.x | Able to determine system boot time.
I apologize, I cannot copy/paste here, as the network these are on is an internal network and not internet-facing.
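What the scanner is actually observing is the TCP timestamp option (option kind 8, RFC 7323) in the SYN-ACK that an open port on the node returns. The following is an added example, not code from this thread, from Rapid7 or from Cisco: it parses the option field of raw TCP segments, reports whether a segment carries a timestamp (which is what the `generic-tcp-timestamp` finding amounts to), and approximates uptime from two TSval samples taken a known number of seconds apart. The segments are constructed inline for the example; the port numbers, sequence numbers and timestamp values are made up, and the list of "common" tick rates is an assumption based on typical Linux and BSD stacks.

```python
"""Parse TCP options from raw segments, flag the timestamp option a scanner
reports as 'generic-tcp-timestamp', and approximate uptime from two samples.
Added example with constructed packets; nothing here was captured from ISE."""
import struct

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS, TCP_OPT_WSCALE = 0, 1, 2, 3
TCP_OPT_SACKOK, TCP_OPT_TS = 4, 8
# Assumed tick rates of common stacks (Hz); the estimate snaps to the nearest.
COMMON_TICK_RATES = (100, 250, 300, 1000)


def build_segment(sport, dport, seq, ack, flags, options):
    """Build a raw TCP header plus options (checksum left at 0, no payload)."""
    opts = b"".join(options)
    opts += b"\x01" * (-len(opts) % 4)          # pad with NOPs to a 32-bit boundary
    data_offset = (20 + len(opts)) // 4          # header length in 32-bit words
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      data_offset << 4, flags, 65535, 0, 0)
    return hdr + opts


def ts_option(tsval, tsecr):
    """TCP timestamp option: kind 8, length 10, TSval, TSecr."""
    return struct.pack("!BBII", TCP_OPT_TS, 10, tsval, tsecr)


def parse_tcp_options(segment):
    """Walk the TCP option list and return the options found as a dict."""
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad TCP data offset")
    opts = segment[20:data_offset]
    found, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:                  # single-byte option, no length
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed option length")
        body = opts[i + 2:i + length]
        if kind == TCP_OPT_TS and length == 10:
            found["timestamp"] = struct.unpack("!II", body)   # (TSval, TSecr)
        elif kind == TCP_OPT_MSS and length == 4:
            found["mss"] = struct.unpack("!H", body)[0]
        elif kind == TCP_OPT_WSCALE and length == 3:
            found["wscale"] = body[0]
        elif kind == TCP_OPT_SACKOK and length == 2:
            found["sack_ok"] = True
        i += length
    return found


def responds_with_timestamp(segment):
    """True when the peer's SYN-ACK carries option 8; this is the scan finding."""
    return "timestamp" in parse_tcp_options(segment)


def estimate_uptime_seconds(t1, tsval1, t2, tsval2):
    """Approximate uptime from two TSval samples seen t1 and t2 seconds apart.
    The tick rate is inferred from the delta (32-bit wrap handled) and snapped
    to the nearest common rate; uptime is then TSval / rate."""
    if t2 <= t1:
        raise ValueError("samples must be increasing in time")
    delta_ticks = (tsval2 - tsval1) % (1 << 32)
    observed_hz = delta_ticks / (t2 - t1)
    hz = min(COMMON_TICK_RATES, key=lambda r: abs(r - observed_hz))
    return tsval2 / hz, hz


# Constructed SYN-ACKs from a hypothetical host at two points 10 s apart.
_MSS = struct.pack("!BBH", TCP_OPT_MSS, 4, 1460)
_SACKOK = bytes([TCP_OPT_SACKOK, 2])
_WSCALE = bytes([TCP_OPT_WSCALE, 3, 7])
SYN_ACK_T0 = build_segment(443, 51515, 1000, 2001, 0x12,
                           [_MSS, _SACKOK, ts_option(123456789, 777), _WSCALE])
SYN_ACK_T10 = build_segment(443, 51516, 1000, 2001, 0x12,
                            [_MSS, _SACKOK, ts_option(123459289, 778), _WSCALE])
# Same host after net.ipv4.tcp_timestamps=0: option 8 is simply absent.
SYN_ACK_NO_TS = build_segment(443, 51517, 1000, 2001, 0x12, [_MSS, _SACKOK, _WSCALE])

if __name__ == "__main__":
    print("timestamp present:", responds_with_timestamp(SYN_ACK_T0))
    print("after sysctl:     ", responds_with_timestamp(SYN_ACK_NO_TS))
    uptime, hz = estimate_uptime_seconds(0.0, 123456789, 10.0, 123459289)
    print(f"tick rate {hz} Hz, uptime about {uptime / 86400:.1f} days")
```

Two caveats for reading the result. First, the estimate only means something if TSval counts from boot with a stable rate; recent Linux kernels add a random per-connection offset to TSval, so uptime derived from it can be wrong even though the scanner still reports the option. Second, disabling timestamps also disables PAWS and RTT measurement for the host's own connections, which is why the thread's advice to check with TAC before changing the sysctl on an ISE node is sound.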
01-22-2025 03:28 PM
Hi @kscott11256
interesting point ...
A Distributed Deployment uses:
- TCP 6379 for Replication and Synchronization
- TCP 9300 for ElasticSearch
ise/admin# show ports
...
tcp: <ISE IP Addr>:9300, <ISE IP Addr>:9301, <ISE IP Addr>:6379
...
A standalone deployment does not use these ports (since ALL roles are "internal"):
ise/admin# show ports | include 9300
ise/admin# show ports | include 6379
Please double-check whether this is your case (Rapid7 probing these ports, for example).
Note: also take a look at Cisco ISE 3.3 Port Reference.
Hope this helps !!!
01-22-2025 06:52 PM
I don't think you can disable it from the GUI or CLI, at least at the ADE-OS level; you can contact TAC to understand its potential effects and try this from root:
sysctl -w net.ipv4.tcp_timestamps=0
