(Note: This message was posted as part of the "Ask the Expert" Event on configuring Cisco IPSec VPNs that took place December 11 - December 21. Feel free to respond to or form discussions around this question.)

Posted by: davesiwula@ yahoo.com - INTERNET SECURITY ENGINEER, NETWORK RANGER

I have implemented a PIX 520 into production and have been experiencing a problem with it. It appears that someone from the outside has been able to sneak in a telnet packet after lets say 50 or so normal packets pass through. If a legitimate connection is established from the outside world, and fifty or so packets come from a legitimate source and the source address, destination address all remain the same. Then the port on the 50th packet is changed from http 80 to 23 telnet. Is there anything I can to prevent this from happening? Does the pix inspect every single packet by default? Does this have to do with it being stateful? I need to prevent my network from these kinds of issues. Please advise. Also could you inform me of how the PIX handles packets that are lets say less than the normal size? Thanks for your time.

One more thing if you have time:

I am very confused on a ip fragment attack, sig id

1110

Generally speaking I understand what it is but I have been not been able to understand the greater than 0 less than 5 rule for the life of me. I have disected the ip packet in every possible and cannot figure this out. How does the value of 1 through 4 trigger in the fragment offset field trigger this alarm? Why is 0 and 5 in this field considered normal? Does 1 represent 8 bits, 2 16 bits and so on? If so I am still lost?

Thanks for your help.

David Siwula

CCNP+security CCDP