ScreenOS Firewalls (NOT SRX)
Visitor
Pawel_Syc
Posts: 6
Registered: ‎11-09-2007

Is there a TCP three way handshake required to create session on NetScreen firewalls?

My customer has an environment with several connections between branch offices and HQ and has observed that if some traffic goes asymmetric, the session on the firewall is still created.
Only traffic for one direction was passed through the firewall, so the device sees only the SYN from A to B and, after a while, the ACK from A to B.
The SYN-ACK message between those two is going through the other route.
After that the data packets were sent and the device passed the traffic, even with syn-check enabled and even when sequence number checking was enabled.
Which messages are required to pass through the NetScreen to create a session on the device?
Recognized Expert
sfouant
Posts: 190
Registered: ‎11-28-2007

Re: Is there a TCP three way handshake required to create session on NetScreen firewalls?

If you've got SYN checking enabled (which it is by default), incoming packets which do not match a current session must have the SYN bit set. If a packet arrives and it has the SYN bit set and there is a policy which allows the traffic, the session state will be created at this time. However, if you've got SYN cookies enabled the behavior is a little different. In this case, the device acts as a proxy, and sends a SYN/ACK back to the originating host with a computed cookie value as its Initial Sequence Number. If the originating host responds appropriately with an ACK with legitimate cookie response information, the security device will create the session and forward the packet (again assuming there is an appropriate policy which allows the traffic).


Message Edited by sfouant on 11-29-2007 06:43 AM
Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ENT, JNCI
Technical Trainer, Juniper Networks

Follow us on Twitter @JuniperEducate

--
If this post was helpful, please mark this post as an "Accepted Solution".
Kudos are always appreciated!
Visitor
Pawel_Syc
Posts: 6
Registered: ‎11-09-2007

Re: Is there a TCP three way handshake required to create session on NetScreen firewalls?

Why was the traffic allowed without a SYN-ACK from the destination host?
It is an easy way to pass spoofed traffic even using the TCP protocol.
The SYN, SYN-ACK, ACK sequence is a protection against spoofing.
If the destination host does not have to reply to the session initiation,
then it is also a simple way to fill up the session table on the NS box
or to pass traffic from a spoofed source IP address.
Recognized Expert
sfouant
Posts: 190
Registered: ‎11-28-2007

Re: Is there a TCP three way handshake required to create session on NetScreen firewalls?

If your device is creating sessions for packets without the SYN bit set I would suspect you don't have the SYN checking enabled.
 
For normal traffic - 'set flow tcp-syn-check'
For VPN traffic - 'set flow tcp-syn-check-in-tunnel'
Visitor
Pawel_Syc
Posts: 6
Registered: ‎11-09-2007

Re: Is there a TCP three way handshake required to create session on NetScreen firewalls?

If you unset flow tcp-syn-check, you may pass any packet to create a session on an NS box,
even if it is not a SYN packet.
If you set flow tcp-syn-check, the first packet in the traffic must be a SYN, but a SYN-ACK from the requested host is not required.
Even if you enter 'unset flow no-tcp-seq-check', so that the sequence numbers are checked, the described problem occurs.
Recognized Expert
sfouant
Posts: 190
Registered: ‎11-28-2007

Re: Is there a TCP three way handshake required to create session on NetScreen firewalls?


Pawel_Syc wrote:
If you unset flow tcp-syn-check, you may pass any packet to create a session on an NS box,
even if it is not a SYN packet.
If you set flow tcp-syn-check, the first packet in the traffic must be a SYN, but a SYN-ACK from the requested host is not required.
Even if you enter 'unset flow no-tcp-seq-check', so that the sequence numbers are checked, the described problem occurs.


If you're worried about a host potentially filling up the session table by continually initiating SYN-ACK-ACK sessions, you can minimize this attack by enabling the SYN-ACK-ACK proxy protection. When you enable this, the device monitors the number of connections from the same IP address, and once the syn-ack-ack-proxy threshold is surpassed the security device will reject further connection attempts from that address.
Message Edited by sfouant on 11-29-2007 03:04 PM
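The behaviour discussed across this thread (a session created on a bare SYN under tcp-syn-check, no SYN-ACK required from the peer, and a per-source cap in the spirit of the syn-ack-ack-proxy threshold), as an added Python model written for this page; it is not ScreenOS code or anything from the posters, and the strict "require SYN-ACK" mode, the packet flows and the hosts A, B, X are constructed assumptions.

```python
from collections import defaultdict

class SessionTable:
    """Toy session table (constructed for this thread, not ScreenOS code)."""

    def __init__(self, syn_check=True, require_synack=False, half_open_limit=None):
        self.syn_check = syn_check              # models 'set flow tcp-syn-check'
        self.require_synack = require_synack    # hypothetical strict mode the OP expected
        self.half_open_limit = half_open_limit  # models the syn-ack-ack-proxy threshold
        self.sessions = {}                      # (client, server) -> 'half-open' | 'established'
        self.half_open = defaultdict(int)       # client -> number of half-open sessions

    def process(self, src, dst, flag):
        """Return 'pass' or 'drop' for one packet src -> dst and update the table."""
        if (dst, src) in self.sessions:         # server-side reply to a known session
            if flag == "SYN-ACK" and self.sessions[(dst, src)] == "half-open":
                self.sessions[(dst, src)] = "established"
                self.half_open[dst] -= 1
            return "pass"
        state = self.sessions.get((src, dst))
        if state is None:                       # no session for this flow yet
            if self.syn_check and flag != "SYN":
                return "drop"                   # SYN check: first packet must carry SYN
            if self.half_open_limit is not None and self.half_open[src] >= self.half_open_limit:
                return "drop"                   # source already holds too many half-open sessions
            self.sessions[(src, dst)] = "half-open"
            self.half_open[src] += 1
            return "pass"
        if state == "half-open" and self.require_synack and flag != "SYN":
            return "drop"                       # strict mode: nothing more until the peer's SYN-ACK was seen
        return "pass"                           # packet matches an existing session

def run(table, packets):
    return [table.process(*p) for p in packets]

# Constructed flows: ASYMMETRIC is the thread's case, where B's SYN-ACK bypasses the firewall.
ASYMMETRIC = [("A", "B", "SYN"), ("A", "B", "ACK"), ("A", "B", "DATA")]
FULL = [("A", "B", "SYN"), ("B", "A", "SYN-ACK"), ("A", "B", "ACK"), ("A", "B", "DATA")]

def default_syn_check():
    return run(SessionTable(syn_check=True), ASYMMETRIC)        # all pass, as observed

def strict_handshake():
    return run(SessionTable(require_synack=True), ASYMMETRIC)   # blocked without the SYN-ACK

def strict_full_handshake():
    return run(SessionTable(require_synack=True), FULL)         # all pass

def spoofed_syn_burst(limit=3, attempts=5):
    """Per-source half-open cap: SYNs past the limit are rejected."""
    return run(SessionTable(half_open_limit=limit), [("X", f"srv{i}", "SYN") for i in range(attempts)])
```

With syn_check=False the model also accepts a bare ACK as a session opener, which is the behaviour Pawel_Syc describes for 'unset flow tcp-syn-check'.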