10-12-2010 07:20 AM - edited 03-11-2019 11:53 AM
I'm trying to stop the RFC 1323 timestamp leak (Nessus ID 25220). I have added the following commands to our PIX firewall, but the test still comes back positive.
access-list 100 deny icmp any any timestamp-request
access-list 100 deny icmp any any timestamp-reply
icmp deny any outside
icmp deny any inside
10-12-2010 07:31 AM
You are dropping icmp timestamps. You need to clear the TCP timestamps.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpnorm.html explains how, and the config will look like
tcp-map tmap
 tcp-options timestamp clear
access-list tcp-acl permit tcp any any
class-map tcp-class
 match access-list tcp-acl
policy-map pmap
 class tcp-class
  set connection advanced-options tmap
service-policy pmap global
Let us know if it helps.
PK
10-12-2010 10:59 AM
Solution worked, thanks.
tcp-map tcp-map-timestamp
tcp-options timestamp clear
class-map class-map-timestamp
match any
policy-map policy-map-timestamp
class class-map-timestamp
set connection advanced-options tcp-map-timestamp
service-policy policy-map-timestamp global
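As an added example (not code from this thread, nor a Cisco tool), the following Python script checks whether a pasted ASA configuration actually completes the tcp-map / class-map / policy-map / service-policy chain that PK's answer describes, and reports each missing link. The sample input is the working configuration posted above; the check for `service-policy` assumes the line is present in the text you feed it.

```python
# Added example, not code from the thread or from Cisco: walks the ASA MPF chain
# tcp-map -> policy-map class -> class-map -> service-policy and reports each break.
import re
def parse_asa(config):
    # Sub-commands are grouped by keyword, since pasted configs lose indentation.
    cfg = {"tcp-map": {}, "class-map": {}, "policy-map": {}, "service-policy": []}
    target = policy = None  # current sub-command list / current policy-map dict
    for line in filter(None, map(str.strip, config.splitlines())):
        kind, _, rest = line.partition(" ")
        name = rest.split()[0] if rest else ""
        if kind in ("tcp-map", "class-map"):
            target, policy = cfg[kind].setdefault(name, []), None
        elif kind == "policy-map":
            policy, target = cfg["policy-map"].setdefault(name, {}), None
        elif kind == "service-policy":
            cfg["service-policy"].append(name)
            target = policy = None
        elif kind == "class" and policy is not None:
            target = policy.setdefault(name, [])
        elif target is not None:
            target.append(line)
    return cfg

def check_timestamp_clear(config):
    # Returns the problems found; an empty list means the chain is complete.
    cfg, problems = parse_asa(config), []
    for pm, classes in cfg["policy-map"].items():
        for cls, actions in classes.items():
            for act in actions:
                m = re.fullmatch(r"set connection advanced-options (\S+)", act)
                if not m:
                    continue
                tmap = m.group(1)
                if "tcp-options timestamp clear" not in cfg["tcp-map"].get(tmap, []):
                    problems.append(f"tcp-map {tmap} is missing or lacks 'tcp-options timestamp clear'")
                if cls != "class-default" and cls not in cfg["class-map"]:
                    problems.append(f"policy-map {pm} uses undefined class {cls}")
                if pm not in cfg["service-policy"]:  # a default ASA config applies global_policy; include that line in the text
                    problems.append(f"policy-map {pm} is not applied via service-policy")
    return problems

WORKING = """tcp-map tcp-map-timestamp
 tcp-options timestamp clear
class-map class-map-timestamp
 match any
policy-map policy-map-timestamp
 class class-map-timestamp
  set connection advanced-options tcp-map-timestamp
service-policy policy-map-timestamp global"""  # sample input: the thread's working config
```

Run `check_timestamp_clear(WORKING)` on your own pasted configuration; a class name typo, a bare `timestamp clear`, or a policy-map that is never applied each produces its own message.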
10-12-2010 11:28 AM
That is good news!
Please mark the thread as Answered so that others can benefit in the future.
Take care,
PK
12-17-2013 05:37 PM
Hi hope everyone is fine.
It didn't work in our case. Our vendor simplified the command, and after implementing it I still get the TCP timestamp vulnerability for hosts behind the FW. Is this command supposed to clear all TCP timestamp requests for hosts behind the FW, or is it simply for the FW itself?
tcp-map tmap-timestamp
tcp-options timestamp clear
policy-map global_policy
class global-class
set connection advanced-options tmap-timestamp
Hope anyone can shed some light on what we did wrong or an alternate solution.
Regards,
Mon
06-27-2018 03:52 PM - edited 06-27-2018 03:55 PM
Hi Panos,
I can clear timestamps using tcp-map, but I've read that PAWS is going to be disabled, and this might cause many TCP sessions to be reset. PAWS uses the TCP Timestamps option defined in Section 4 of RFC 1323 to protect against old duplicates from the same connection (an issue for the future?).
https://www.ietf.org/rfc/rfc1323.txt
On the other hand, I found that RFC 1948 could solve the vulnerability; therefore, how do I apply that RFC on my Cisco ASA 5585X? (However, it is not perfect and it also brings problems.)
I look forward to your feedback.