[Dshield] raptor vs. netscreen

Rainer Enders rainer at neoscale.com
Wed Mar 6 00:30:59 GMT 2002


Actually I remember this issue. I ran into this several months
ago. It turned out that with a certain version of ScreenOS it
actually worked. I believe it was 2.6.0 something. I do not
have access to this info right now but you can contact me 
offline and I'll probably be able to find it out. I never
figured out if this was a bug in that rev of the software
or what made this version work.

Rainer

-----Original Message-----
From: efleckles at goodsill.com [mailto:efleckles at goodsill.com] 
Sent: Tuesday, March 05, 2002 3:31 PM
To: list at dshield.org
Subject: [Dshield] raptor vs. netscreen

I hope this doesn't start a WWF-style brawl, as can happen when one asks
for opinions concerning certain products. Here's the extremely brief
scenario:

I have a Raptor firewall, and my client has a NetScreen firewall. He has
been unable to send email to my firm. We went through agonizing
troubleshooting methods to determine why his server would/could not
finalize the handshake. As it turns out, Raptor adds 1,000,000 to the
last ACK sequence number to force a client reset - this prevents IP
spoofing and other types of attacks. However, NetScreen uses really tight
TCP/IP sequence checking (not very effective from what I've read; it can
still be hijacked by man-in-the-middle style attacks), and thus drops the
connection when Raptor modifies the packets.

I have been on the phone for the last several days with both vendors,
each stating that their method is the best and it's the other guy's
fault - specifically, NetScreen states Raptor's trick is non-RFC
compliant, while Symantec states that it is within the RFC bounds and all
they have to do is turn off sequence checking on the NetScreen box.
Obviously my client does not wish to alter his firewall configuration,
and I feel very stuck, as I would probably be the same way in his shoes.
Anybody have any thoughts on this? I would love to be able to effectively
convince him that my firewall is not being the troublemaker, and that
it's a non-issue to disable the sequence checking.

TIA for all help

Eric Fleckles, MCSE
Technology Administrator
Goodsill Anderson Quinn & Stifel
(808)547-5821

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www1.dshield.org/mailman/listinfo/list
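The failure Eric describes is easiest to see with a small model of what a stateful firewall's "tight" sequence checking does on each segment. The following is an added example and is not part of the original thread, nor NetScreen's or Raptor's actual code: it is a simplified, assumed checker that tracks one TCP connection, requires every segment's sequence number to fall inside the receiver's window, and requires every ACK to cover only bytes the peer has actually sent (snd_una <= ack <= snd_nxt). It then walks a constructed three-way handshake and feeds in an ACK shifted by 1,000,000 the way the message says Raptor does; the checker drops exactly that segment and keeps state untouched. Endpoint field names follow RFC 793's TCB variables; the sequence numbers and the 20-byte payload are constructed sample values.

```python
from dataclasses import dataclass

MOD = 2 ** 32  # TCP sequence numbers wrap modulo 2^32


def in_window(x: int, lo: int, size: int) -> bool:
    """True if x lies in [lo, lo + size) in modulo-2^32 sequence space."""
    return (x - lo) % MOD < size


@dataclass
class Endpoint:
    snd_una: int = -1   # oldest byte this side sent that is still unacknowledged
    snd_nxt: int = -1   # next sequence number this side will send
    rcv_nxt: int = -1   # next sequence number expected from the peer (-1: not yet known)
    rcv_wnd: int = 65535  # window this side advertises (assumed constant here)


@dataclass
class Segment:
    seq: int
    ack: int = 0
    payload_len: int = 0
    syn: bool = False
    has_ack: bool = True  # ACK flag set; cleared only on the initial SYN


class SeqCheckingFirewall:
    """Per-connection tracker enforcing strict seq/ack bounds (assumed model)."""

    def __init__(self):
        self.ep = {"client": Endpoint(), "server": Endpoint()}
        self.dropped = []  # (segment, reason) for every rejected segment

    def _drop(self, seg, reason):
        self.dropped.append((seg, reason))
        return "drop", reason

    def inspect(self, sender: str, seg: Segment):
        src = self.ep[sender]
        dst = self.ep["server" if sender == "client" else "client"]
        seg_len = seg.payload_len + (1 if seg.syn else 0)  # SYN consumes one seq number

        # Check 1: unless this is the first SYN seen in this direction, the
        # sequence number must land inside the receiver's advertised window.
        if not (seg.syn and dst.rcv_nxt == -1):
            if not in_window(seg.seq, dst.rcv_nxt, max(dst.rcv_wnd, 1)):
                return self._drop(seg, f"seq {seg.seq} outside window starting at {dst.rcv_nxt}")

        # Check 2: the ACK may only cover bytes the peer has really sent,
        # i.e. peer.snd_una <= ack <= peer.snd_nxt.  An ACK bumped by
        # 1,000,000 acknowledges data that does not exist and is rejected.
        if seg.has_ack:
            if dst.snd_nxt == -1:
                return self._drop(seg, "ack before the peer sent anything")
            unacked = (dst.snd_nxt - dst.snd_una) % MOD
            if not in_window(seg.ack, dst.snd_una, unacked + 1):
                return self._drop(seg, f"ack {seg.ack} outside [{dst.snd_una}, {dst.snd_nxt}]")
            dst.snd_una = seg.ack

        # Segment accepted: advance the sender's send state and the
        # receiver's expectation.  Dropped segments never reach this point.
        if src.snd_nxt == -1:
            src.snd_una = seg.seq
        src.snd_nxt = (seg.seq + seg_len) % MOD
        dst.rcv_nxt = src.snd_nxt
        return "accept", "ok"


def run_scenario():
    """Handshake, then an ACK shifted by 1,000,000, then normal traffic.

    Returns the verdict for each segment in order (constructed sample).
    """
    fw = SeqCheckingFirewall()
    shift = 1_000_000
    steps = [
        ("client", Segment(seq=1000, syn=True, has_ack=False)),    # SYN
        ("server", Segment(seq=5000, ack=1001, syn=True)),         # SYN/ACK
        ("client", Segment(seq=1001, ack=5001)),                   # ACK, handshake done
        ("client", Segment(seq=1001, ack=5001 + shift)),           # ACK shifted by 1,000,000
        ("client", Segment(seq=1001, ack=5001, payload_len=20)),   # 20 bytes of SMTP
        ("server", Segment(seq=5001, ack=1021)),                   # normal ACK of that data
    ]
    return [fw.inspect(who, seg)[0] for who, seg in steps]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The point the model makes is that the shifted ACK is not malformed in any RFC sense that a pure window check on the sequence number would catch; it is the ACK-side bound (no acknowledging unsent data) that a strict tracker applies, and that is exactly the check being asked to be switched off on the NetScreen side. Whether the real products behave this way beyond what the thread states is not something this example can confirm.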
