Cisco Support Community
ACK Tunneling

While a reflexive ACL can theoretically prevent ACK tunneling, how would one implement that on the PIX firewalls? Is it more appropriate to apply reflexive ACLs on the interior routers?

This question is in regard to the newly released Windows 2000 trojan at http://www.ntsecurity.nu/toolbox/ackcmd/

3 REPLIES

Re: ACK Tunneling

The PIX firewall's stateful packet filtering ensures that a packet received with an ACK will be checked against the existing state table to make sure that the packet is expected. It will check source and destination IPs, port numbers, TCP sequence numbers, and for some applications, the application layer as well.

This capability is implemented automatically on the PIX; no additional configuration is required. And no, the PIX is the more appropriate place to apply this kind of protection.

HTH

Jeff


Re: ACK Tunneling

Please read http://www.ntsecurity.nu/papers/acktunneling/ to understand my concerns.


Re: ACK Tunneling

As Jeff explained, this vulnerability does not apply to PIX firewalls. The PIX checks ALL incoming packets to verify their validity. The article refers to those firewalls that check the first (SYN bit set) packet only.
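As an added illustration (not part of this thread and not PIX or IOS code), the following Python toy models the two filtering styles the replies contrast: a stateless "established"-style rule that admits any inbound packet with the ACK bit set, and a stateful table that records connections opened from the inside and checks inbound packets against addresses, ports and sequence numbers. The addresses, ports, sequence numbers and packet trace are constructed for the demo; the 10.0.0.0/24 inside network and the fixed 65535-byte window are assumptions, and the sequence-number check is a simplification of what a real stateful firewall does.

```python
"""Toy comparison of a stateless 'established' filter against a stateful
inspection table, run over constructed packets that include ACK-only
packets of the kind an ACK-tunnelling tool sends. Added example; not
code from the thread or from any Cisco product."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

INSIDE_NET = "10.0.0."     # assumption: address prefix of the protected network
WINDOW = 65535             # assumption: simplified fixed receive window


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flag letters: S=SYN, A=ACK, P=PSH, F=FIN, R=RST
    seq: int
    ack: int
    length: int = 0  # payload bytes


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_NET)


def stateless_established_filter(pkt: Packet) -> bool:
    """Models a stateless 'established'-style rule: outbound traffic is
    allowed, and an inbound packet is accepted whenever ACK or RST is set.
    No connection table is consulted, so a forged ACK-only packet passes."""
    if is_inside(pkt.src):
        return True
    return "A" in pkt.flags or "R" in pkt.flags


class StatefulFilter:
    """Models stateful inspection: connections opened from the inside are
    recorded, and an inbound packet is accepted only if its addresses,
    ports and sequence numbers match a recorded connection."""

    def __init__(self) -> None:
        # key: (inside_ip, inside_port, outside_ip, outside_port)
        self.table: Dict[Tuple[str, int, str, int], dict] = {}

    def inspect(self, pkt: Packet) -> bool:
        if is_inside(pkt.src):
            return self._outbound(pkt)
        return self._inbound(pkt)

    def _outbound(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == "S":
            # new connection: remember the client's ISN, await the SYN-ACK
            self.table[key] = {"client_next": pkt.seq + 1, "server_next": None}
            return True
        entry = self.table.get(key)
        if entry is None:
            return False  # non-SYN on a connection we never saw open
        entry["client_next"] = max(entry["client_next"], pkt.seq + pkt.length)
        return True

    def _inbound(self, pkt: Packet) -> bool:
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        entry = self.table.get(key)
        if entry is None:
            return False  # no inside host opened this flow: forged ACK dropped
        if entry["server_next"] is None:
            # handshake: only a SYN-ACK acknowledging our ISN is accepted
            if pkt.flags == "SA" and pkt.ack == entry["client_next"]:
                entry["server_next"] = pkt.seq + 1
                return True
            return False
        # established: ACK must be set, seq must fall in the expected window,
        # and ack must not acknowledge data the client never sent
        seq_ok = entry["server_next"] <= pkt.seq < entry["server_next"] + WINDOW
        ack_ok = entry["client_next"] - WINDOW <= pkt.ack <= entry["client_next"]
        if "A" in pkt.flags and seq_ok and ack_ok:
            entry["server_next"] = max(entry["server_next"], pkt.seq + pkt.length)
            return True
        return False


# Constructed trace: a legitimate connection from an inside host, followed by
# two ACK-only packets that never had a handshake (ACK-tunnel style).
TRACE: List[Packet] = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, "S", 1000, 0),
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, "SA", 5000, 1001),
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, "A", 1001, 5001),
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, "PA", 5001, 1001, 100),
    # ACK-only packet from an unknown outside host to an inside host
    Packet("198.51.100.7", 1054, "10.0.0.5", 1054, "A", 12345, 0, 40),
    # ACK-only packet spoofing the real server but with bogus sequence numbers
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, "A", 999999, 1001, 40),
]


def run_trace(trace: List[Packet] = TRACE) -> Tuple[List[bool], List[bool]]:
    """Returns (stateless verdicts, stateful verdicts), one entry per packet."""
    stateful = StatefulFilter()
    stateless_verdicts = [stateless_established_filter(p) for p in trace]
    stateful_verdicts = [stateful.inspect(p) for p in trace]
    return stateless_verdicts, stateful_verdicts


if __name__ == "__main__":
    sl, sf = run_trace()
    for pkt, a, b in zip(TRACE, sl, sf):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"[{pkt.flags}] stateless={a} stateful={b}")
```

Running the trace shows the point of the thread: the stateless rule accepts all six packets, including the two ACK-only packets that belong to no connection, while the stateful table accepts the four packets of the real connection and drops both forged ones, one for having no table entry at all and one for carrying a sequence number outside the expected window.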
