CSS and TCP Handshake question

awthomp
Level 1

If I loadbalance a pair of SMTP servers through any of the CSS devices, does the CSS pass on the handshake prior to the arrival of SMTP data?

I have a situation with a pair of SMTP servers which are having thousands of TCP sessions opened, from thousands of different IP addresses. No data is ever sent. Instead, the client sends a FIN, and then stops responding, leaving the SMTP servers with piles of sessions stuck in CLOSE_WAIT.

I'm wondering if putting a CSS in between would prevent the sessions from being opened on my SMTP server; the CSS switches can close and clean up dead flows much more effectively than my mail server.

Would the handshake from the CSS to the server be initiated before SMTP data arrives? And if so, would the handshake be *closed* properly, even if the CSS never receives the final ack from the client?

The two Cisco reps I've spoken to so far can't get their heads around the question - I've been told that IPS has all the SMTP protection I'll need, or to use SMTP Fixup (which is already in place). They don't seem to grasp that it's a direct TCP abuse - and for IPS, how do you find a negative "this client will not ack properly after this handshake is finished so block him?"

Thanks for your help.
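The behaviour described in the question (many peers completing the handshake, sending a FIN and never a byte of SMTP, leaving the server with CLOSE_WAIT sockets) is easy to confirm from the server's own socket table before touching the load balancer or firewall. The script below is an added example, not code from the original post or from Cisco; it parses `ss -tan` / `netstat -tan` style lines (the five-column layout is an assumption about the output format), counts CLOSE_WAIT sockets on port 25 per peer address, and flags peers that exceed a threshold so they can be rate-limited or blocked upstream. The socket lines it runs on are constructed sample data using RFC 5737 documentation addresses.

```python
"""
Spot peers that pile up half-closed SMTP sessions (CLOSE_WAIT on port 25).

Added example for the thread above; the sample socket table below is
constructed, not captured from the poster's servers.
"""
from collections import Counter

# Constructed sample of `ss -tan`-style output. Columns assumed:
# State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB      0      0      192.0.2.10:25       198.51.100.7:51234
CLOSE-WAIT 0      0      192.0.2.10:25       203.0.113.5:40001
CLOSE-WAIT 0      0      192.0.2.10:25       203.0.113.5:40002
CLOSE-WAIT 0      0      192.0.2.10:25       203.0.113.5:40003
CLOSE-WAIT 0      0      192.0.2.10:25       203.0.113.9:40010
CLOSE-WAIT 0      0      192.0.2.10:25       203.0.113.9:40011
CLOSE-WAIT 0      0      192.0.2.10:25       198.51.100.20:40020
ESTAB      0      0      192.0.2.10:22       198.51.100.7:51300
LISTEN     0      128    0.0.0.0:25          0.0.0.0:*
"""

# ss and netstat spell the states differently; normalise to netstat names.
STATE_ALIASES = {"ESTAB": "ESTABLISHED", "CLOSE-WAIT": "CLOSE_WAIT"}


def parse_socket_table(text):
    """Turn ss/netstat-style lines into dicts; the header line is skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue
        state, recv_q, _send_q, local, peer = parts[:5]
        rows.append({
            "state": STATE_ALIASES.get(state, state).upper(),
            "recv_q": int(recv_q),
            "local_port": int(local.rsplit(":", 1)[1]),
            "peer_ip": peer.rsplit(":", 1)[0],
        })
    return rows


def state_summary(rows, port=25):
    """Count sockets on `port` by TCP state (the 'piles of CLOSE_WAIT' view)."""
    return Counter(r["state"] for r in rows if r["local_port"] == port)


def close_wait_by_peer(rows, port=25):
    """Count CLOSE_WAIT sockets on `port` per peer address."""
    return Counter(
        r["peer_ip"]
        for r in rows
        if r["local_port"] == port and r["state"] == "CLOSE_WAIT"
    )


def flag_abusive_peers(counts, threshold=2):
    """Peers holding at least `threshold` half-closed sessions, sorted."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    rows = parse_socket_table(SAMPLE_SS_OUTPUT)
    print("port 25 by state:", dict(state_summary(rows)))
    counts = close_wait_by_peer(rows)
    print("CLOSE_WAIT per peer:", dict(counts))
    print("peers over threshold:", flag_abusive_peers(counts))
```

In production the sample string would be replaced by the live output of `ss -tan` (or `netstat -tan`), run from cron; the flagged list is what you would hand to the firewall in front of the mail servers, and the per-state summary is worth graphing because a steadily growing CLOSE_WAIT count with a flat ESTABLISHED count is the signature of exactly this abuse rather than of legitimate mail load.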

3 Replies

Gilles Dufour
Cisco Employee

In order for the CSS to terminate the TCP connection, you need to create an L5/L7 rule, and this is only possible for a few protocols like FTP, HTTP, SSL, SIP.

But SMTP is not part of the list.

A firewall should most probably be able to do this.

Gilles.

Hm. There are PIX firewalls in place, and I know how to do fixup, but I'm unaware of how to make them terminate the TCP connection and *validate* it first. IPS doesn't seem to support this either. And CSS isn't the answer either.

*sigh*

I've seen a lot of verbiage about this problem on the net; I'm a bit surprised no one has a readily identifiable method to help.

Ask your question on the security forum.

If this is a common problem, you should get a response.

Gilles.
