[Dshield] raptor vs. netscreen

Peter Crowder peter at cologic.co.nz
Wed Mar 6 00:36:46 GMT 2002


Hello Eric,

We did have a similar problem with a client trying to access our web site
from behind a Netscreen firewall.

What you may find is that the Raptor has the SYN Flood protection still
turned on, which is why the Netscreen is getting upset.

This is enabled by default on the Raptor, and is only supposed to be used
when a flood attack is suspected.

To turn it off, go to the properties of the External Interface and, in Options,
uncheck SYN flood protection.

see how you go

cheers

Peter Crowder

Systems Engineer
E-Secure-IT Alert Centre
www.e-secure-it.co.nz


-----Original Message-----
From: efleckles at goodsill.com [mailto:efleckles at goodsill.com]
Sent: Wednesday, March 06, 2002 12:31 PM
To: list at dshield.org
Subject: [Dshield] raptor vs. netscreen


I hope this doesn't start a WWF-style brawl, as can happen when one asks for
opinions concerning certain products.  Here's the extremely brief scenario:
I have a Raptor firewall, and my client has a Netscreen firewall.  He has
been unable to send email to my firm.  We went through agonizing
troubleshooting methods to determine why his server would/could not finalize
the handshake.  As it turns out, Raptor adds 1,000,000 to the last ack
sequence number to force a client reset - prevents IP spoofing and other
types of attacks.  However, Netscreen uses really tight TCP/IP sequence
checking (not very effective from what I've read, can still be hijacked by
man-in-the-middle style attacks), and thus drops the connection when Raptor
modifies the packets.
I have been on the phone for the last several days with both vendors, each
stating that their method is the best and it's the other guy's fault -
specifically, Netscreen states Raptor's trick is non-RFC-compliant, while
Symantec states that it is within the RFC bounds and all they have to do is
turn off sequence checking on the Netscreen box.  Obviously my client does
not wish to alter his firewall configuration, and I feel very stuck, as I
would probably be the same way in his shoes.  Anybody have any thoughts on
this?  I would love to be able to effectively convince him that my firewall
is not being the troublemaker, and that it's a non-issue to disable the
sequence checking.

TIA for all help

Eric Fleckles, MCSE
Technology Administrator
Goodsill Anderson Quinn & Stifel
(808)547-5821
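The interaction Eric describes (a SYN-ACK whose ACK number has been pushed 1,000,000 past what the client expects, meeting a firewall that insists ACK numbers line up with the handshake it has tracked) can be reproduced with a small stateful-inspection model. The following is an added example, not code from either vendor or from anyone on the list; the SeqChecker class is a hypothetical simplification of strict sequence checking (real products use proper window arithmetic and random ISNs), and the CLIENT_ISN, SERVER_ISN and RAPTOR_OFFSET values are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed values for the example; real initial sequence numbers are random.
CLIENT_ISN = 1_000
SERVER_ISN = 500_000
RAPTOR_OFFSET = 1_000_000  # the 1,000,000 the post says Raptor adds to the ACK number


@dataclass(frozen=True)
class Segment:
    flags: str  # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0


@dataclass
class SeqChecker:
    """Hypothetical stateful-inspection check (a simplification, not Netscreen's code).

    Every ACK number must equal the next sequence number the peer is expected
    to send, within `tolerance` bytes. tolerance=None disables the check,
    which is what "turn off sequence checking" amounts to in this model.
    """
    tolerance: Optional[int] = 0
    client_isn: Optional[int] = None
    server_isn: Optional[int] = None
    verdicts: List[Tuple[str, str, str]] = field(default_factory=list)

    def _ack_ok(self, ack: int, expected: int) -> bool:
        return self.tolerance is None or abs(ack - expected) <= self.tolerance

    def inspect(self, seg: Segment) -> str:
        verdict, reason = "pass", ""
        if seg.flags == "SYN":
            self.client_isn = seg.seq  # remember the client's ISN for this flow
        elif seg.flags == "SYN-ACK":
            expected = self.client_isn + 1  # RFC 793: SYN-ACK must ack client ISN + 1
            if self._ack_ok(seg.ack, expected):
                self.server_isn = seg.seq
            else:
                verdict, reason = "drop", f"ack {seg.ack}, expected {expected}"
        elif seg.flags == "ACK":
            if self.server_isn is None:
                verdict, reason = "drop", "no accepted SYN-ACK for this flow"
            elif not self._ack_ok(seg.ack, self.server_isn + 1):
                verdict, reason = "drop", f"ack {seg.ack}, expected {self.server_isn + 1}"
        self.verdicts.append((seg.flags, verdict, reason))
        return verdict


def handshake(ack_offset: int) -> List[Segment]:
    """Three-way handshake in which the server-side firewall (the Raptor, in the
    post's scenario) answers with an ACK number offset by ack_offset bytes."""
    return [
        Segment("SYN", seq=CLIENT_ISN),
        Segment("SYN-ACK", seq=SERVER_ISN, ack=CLIENT_ISN + 1 + ack_offset),
        Segment("ACK", seq=CLIENT_ISN + 1, ack=SERVER_ISN + 1),
    ]


def run(checker: SeqChecker, ack_offset: int) -> List[Tuple[str, str]]:
    """Feed one handshake through the checker and return (flags, verdict) pairs."""
    return [(seg.flags, checker.inspect(seg)) for seg in handshake(ack_offset)]


if __name__ == "__main__":
    cases = [
        ("normal handshake, strict check", SeqChecker(tolerance=0), 0),
        ("offset SYN-ACK, strict check", SeqChecker(tolerance=0), RAPTOR_OFFSET),
        ("offset SYN-ACK, check disabled", SeqChecker(tolerance=None), RAPTOR_OFFSET),
    ]
    for label, checker, offset in cases:
        print(label)
        run(checker, offset)
        for flags, verdict, reason in checker.verdicts:
            print(f"  {flags:8} {verdict:5} {reason}")
```

In the strict case the offset SYN-ACK never reaches the client, so the reset the Raptor is waiting for is never sent and the handshake stalls, which is the "could not finalize the handshake" symptom in the post. With the check disabled the same segments pass, which is the change Symantec is asking the Netscreen side to make.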

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www1.dshield.org/mailman/listinfo/list