[Dshield] raptor vs. netscreen

efleckles@goodsill.com efleckles at goodsill.com
Tue Mar 5 23:31:09 GMT 2002

I hope this doesn't start a WWF-style brawl, as can happen when one asks for
opinions concerning certain products. Here's the extremely brief scenario:
I have a Raptor firewall, and my client has a NetScreen firewall. He has
been unable to send email to my firm. We went through agonizing
troubleshooting methods to determine why his server would/could not finalize
the handshake. As it turns out, Raptor adds 1,000,000 to the last ACK
sequence number to force a client reset - this prevents IP spoofing and other
types of attacks. However, NetScreen uses really tight TCP/IP sequence
checking (not very effective from what I've read; it can still be hijacked by
man-in-the-middle style attacks), and thus drops the connection when Raptor
modifies the packets.

I have been on the phone for the last several days with both vendors, each
stating that their method is the best and it's the other guy's fault -
specifically, NetScreen states Raptor's trick is non-RFC-compliant, while
Symantec states that it is within the RFC bounds and all they have to do is
turn off sequence checking on the NetScreen box. Obviously my client does
not wish to alter his firewall configuration, and I feel very stuck as I
would probably be the same way in his shoes. Anybody have any thoughts on
this? I would love to be able to effectively convince him that my firewall
is not being the troublemaker, and that it's a non-issue to disable the
sequence checking.

TIA for all help

Eric Fleckles, MCSE
Technology Administrator
Goodsill Anderson Quinn & Stifel
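To make the interaction Eric describes concrete, here is an added toy model of a stateful firewall's TCP sequence checking. It is illustrative code written for this page, not Eric's configuration and not either vendor's implementation. The window size, the packet numbers, the reading of "adds 1,000,000 to the last ACK" as the final handshake ACK carrying an acknowledgement number 1,000,000 beyond what the peer actually sent, and the reading of "turn off sequence checking" as skipping only ACK-number validation are all assumptions. It shows why a strict checker drops the inflated ACK while a plain out-of-window segment is dropped in both modes.

```python
"""Toy model of a stateful firewall's TCP sequence-number checks.

Constructed example: window size, packet numbers and the way the inflated
ACK is modelled are assumptions, not either vendor's actual behaviour.
"""
from dataclasses import dataclass, field

WINDOW = 65535  # receive window assumed for both peers (constructed value)


@dataclass
class FlowState:
    # next sequence number expected from each side ("client" / "server")
    next_seq: dict = field(default_factory=dict)
    # highest sequence number each side has sent so far; this bounds what
    # the other side may legitimately acknowledge
    sent_upto: dict = field(default_factory=dict)


def _other(direction: str) -> str:
    return "server" if direction == "client" else "client"


def check_packet(state, direction, seq, ack, payload_len=0, flags=(), strict=True):
    """Return 'ACCEPT' or 'DROP' for one TCP segment.

    strict=True  : verify both SEQ and ACK against the peer's window (the
                   "really tight" checking the post attributes to NetScreen).
    strict=False : keep flow state but skip ACK-number validation (our model
                   of "turning off sequence checking", an assumption).
    """
    peer = _other(direction)
    consumed = payload_len + (1 if ("SYN" in flags or "FIN" in flags) else 0)

    if "SYN" in flags and direction not in state.next_seq:
        # first segment from this side establishes its sequence space
        if "ACK" in flags and strict and ack != state.sent_upto.get(peer):
            return "DROP"  # SYN/ACK must acknowledge exactly the peer's SYN
        state.next_seq[direction] = seq + consumed
        state.sent_upto[direction] = seq + consumed
        return "ACCEPT"

    if direction not in state.next_seq:
        return "DROP"  # no SYN seen from this side: not a tracked flow

    expected = state.next_seq[direction]
    if not (expected <= seq <= expected + WINDOW):
        return "DROP"  # out-of-window SEQ: the classic blind-injection filter

    if strict and "ACK" in flags:
        hi = state.sent_upto.get(peer, 0)
        if not (hi - WINDOW <= ack <= hi):
            return "DROP"  # acknowledges data the peer never sent

    state.next_seq[direction] = seq + consumed
    state.sent_upto[direction] = max(state.sent_upto.get(direction, 0), seq + consumed)
    return "ACCEPT"


def run_handshake(strict, ack_inflation=0, state=None):
    """Three-way handshake; the final ACK number is raised by ack_inflation.

    ack_inflation=1_000_000 models the post's description of Raptor adding
    1,000,000 to the last ACK (our reading of the post, not vendor code).
    """
    st = state if state is not None else FlowState()
    return [
        check_packet(st, "client", seq=1000, ack=0, flags=("SYN",), strict=strict),
        check_packet(st, "server", seq=5000, ack=1001, flags=("SYN", "ACK"), strict=strict),
        check_packet(st, "client", seq=1001, ack=5001 + ack_inflation,
                     flags=("ACK",), strict=strict),
    ]


def out_of_window_segment(strict):
    """After a clean handshake, a segment whose SEQ is far outside the window
    is dropped whether or not ACK validation is enabled."""
    st = FlowState()
    run_handshake(strict, state=st)
    return check_packet(st, "client", seq=1001 + 10 * WINDOW, ack=5001,
                        payload_len=10, flags=("ACK",), strict=strict)


if __name__ == "__main__":
    print("strict, normal ACK      :", run_handshake(strict=True))
    print("strict, ACK + 1,000,000 :", run_handshake(strict=True, ack_inflation=1_000_000))
    print("loose,  ACK + 1,000,000 :", run_handshake(strict=False, ack_inflation=1_000_000))
    print("out-of-window SEQ, loose:", out_of_window_segment(strict=False))
```

The point for the discussion above: in this model, disabling the ACK-number check only relaxes how an acknowledgement is validated; segments with a sequence number outside the tracked window are still dropped in both modes, so the mitigation the post is worried about losing (filtering blind, out-of-window injection) does not depend on the check that rejects the inflated ACK.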

