09-16-2002 06:59 AM - edited 03-09-2019 12:19 AM
While a reflexive ACL theoretically can prevent ACK tunneling, how would one implement that on the PIX firewalls? Is it more appropriate to apply reflexive ACLs on the interior routers?
This question is in regards to the 'newly released Windows 2000 trojan at
09-16-2002 03:14 PM
The PIX firewall's stateful packet filtering ensures that a packet received with an ACK will be checked against the existing state table to make sure that the packet is expected. It will check source and destination IPs, port numbers, TCP sequence numbers, and for some applications, the application layer as well.
This capability is implemented automatically on the PIX - no additional configuration is required. And no, the PIX is the more appropriate place to apply this kind of protection.
HTH
Jeff
09-18-2002 05:47 AM
Please read http://www.ntsecurity.nu/papers/acktunneling/ to understand my concerns.
09-19-2002 01:14 PM
As Jeff explained, this vulnerability does not apply to PIX firewalls. The PIX checks ALL incoming packets to verify their validity. The article refers to those firewalls that check the first (SYN bit set) packet only.
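To make the distinction drawn in Jeff's reply and in the post above concrete, here is an added Python example (not from this thread, not Cisco code, and not a model of how the PIX actually implements its state table). It contrasts a router-style "established" filter, which admits any inbound TCP segment carrying the ACK or RST bit, with a stateful filter that only admits inbound segments matching a connection an inside host opened and whose sequence and acknowledgement numbers are plausible for that connection. The packets, addresses, ports, sequence numbers and the 64 KiB window are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

WINDOW = 65535  # assumed receive window used for the plausibility check


@dataclass(frozen=True)
class Packet:
    """Minimal TCP header model; all field values below are constructed."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    seq: int = 0
    ack: int = 0
    payload_len: int = 0


def ack_bit_filter(pkt: Packet, inside_net: str) -> str:
    """Router 'established'-style ACL: outbound is open, inbound passes if the
    segment merely claims to belong to an existing connection (ACK or RST set).
    It keeps no state, so a bare ACK from anywhere is permitted."""
    if pkt.src.startswith(inside_net):
        return "permit"
    return "permit" if pkt.flags & {"ACK", "RST"} else "deny"


@dataclass
class Flow:
    client_isn: int
    client_next: int                  # next sequence number the inside host will send
    server_isn: Optional[int] = None  # learned from the SYN/ACK
    server_next: int = 0              # next sequence number expected from outside


class StatefulFilter:
    """Tracks connections opened from inside and validates every inbound segment
    against the 4-tuple, handshake stage and sequence/ack plausibility."""

    def __init__(self, inside_net: str):
        self.inside_net = inside_net
        self.table: Dict[Tuple[str, int, str, int], Flow] = {}

    def check(self, pkt: Packet) -> str:
        if pkt.src.startswith(self.inside_net):
            return self._outbound(pkt)
        return self._inbound(pkt)

    def _outbound(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == {"SYN"}:
            self.table[key] = Flow(client_isn=pkt.seq, client_next=pkt.seq + 1)
            return "permit"
        flow = self.table.get(key)
        if flow is None:
            return "deny"
        flow.client_next = max(flow.client_next, pkt.seq + pkt.payload_len)
        return "permit"

    def _inbound(self, pkt: Packet) -> str:
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        flow = self.table.get(key)
        if flow is None:
            return "deny"  # nobody inside asked for this: the ACK-tunnel case
        if flow.server_isn is None:
            # Only the SYN/ACK completing our handshake is acceptable here.
            if pkt.flags != {"SYN", "ACK"} or pkt.ack != flow.client_isn + 1:
                return "deny"
            flow.server_isn, flow.server_next = pkt.seq, pkt.seq + 1
            return "permit"
        if "ACK" not in pkt.flags:
            return "deny"
        # seq must fall in our receive window; ack must not acknowledge bytes
        # the inside host never sent.
        if not (flow.server_next <= pkt.seq < flow.server_next + WINDOW):
            return "deny"
        if not (flow.client_next - WINDOW <= pkt.ack <= flow.client_next):
            return "deny"
        flow.server_next = max(flow.server_next, pkt.seq + pkt.payload_len)
        return "permit"


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Returns {step: (ack_bit_filter verdict, stateful verdict)} for constructed traffic."""
    inside = "10.0.0."
    stateful = StatefulFilter(inside)
    S, SA, A = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    steps = [
        # Legitimate web connection opened by the inside host 10.0.0.5.
        ("syn", Packet("10.0.0.5", 40000, "203.0.113.10", 80, S, seq=1000)),
        ("synack", Packet("203.0.113.10", 80, "10.0.0.5", 40000, SA, seq=5000, ack=1001)),
        ("ack", Packet("10.0.0.5", 40000, "203.0.113.10", 80, A, seq=1001, ack=5001)),
        ("server_data", Packet("203.0.113.10", 80, "10.0.0.5", 40000, A, seq=5001, ack=1001, payload_len=500)),
        # ACK tunnel: a bare ACK from outside to a listener nobody inside connected to.
        ("ack_tunnel", Packet("198.51.100.7", 31337, "10.0.0.5", 6666, A, seq=777, ack=888, payload_len=40)),
        # Attacker knows the real 4-tuple but not the sequence numbers.
        ("spoofed_ack", Packet("203.0.113.10", 80, "10.0.0.5", 40000, A, seq=999999, ack=1001, payload_len=40)),
    ]
    return {name: (ack_bit_filter(p, inside), stateful.check(p)) for name, p in steps}


if __name__ == "__main__":
    for step, (ack_only, stateful_verdict) in run_scenario().items():
        print(f"{step:12s} established-ACL={ack_only:6s} stateful={stateful_verdict}")
```

The bare-ACK tunnel segment and the sequence-number guess both pass the flag-only filter and both fail the stateful one, which is the point the thread makes: checking that the ACK bit is set is not the same as checking that the segment belongs to a connection the firewall has seen opened.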