darkuser wrote: The normal TCP sequence number is predictable. The PIX randomizes it so it's not predictable. This is transparent to the two parties participating in the 3-way handshake.
tiersten wrote: Old TCP stacks used a timer to generate the ISN. This was predictable so most new TCP stacks have changed over to randomizing the ISN. They will randomize the increment as well. The PIX can do this or the actual device behind the PIX can do it. If the device is already doing it then you should disable it on the PIX. The PIX will have to do more work as it needs to keep track of more things.
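An added illustration, not part of either post and not Cisco's code: a simplified model of a timer-driven ISN next to the per-connection offset a middlebox has to remember in order to randomize sequence numbers transparently. The `SeqRandomizer` class, the `timer_isn` function and the addresses are hypothetical names and constructed values.

```python
import secrets

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def timer_isn(seconds):
    """Simplified timer-driven ISN: a counter that advances every
    4 microseconds (the clock described in RFC 793)."""
    return int(seconds * 250_000) % MOD


class SeqRandomizer:
    """Hypothetical middlebox state: one random offset per connection."""

    def __init__(self):
        self.offsets = {}  # flow tuple -> offset added to the inside host's seq

    def outbound(self, flow, seq, syn=False):
        """Rewrite seq on a segment from the inside host (KeyError if no SYN was seen)."""
        if syn and flow not in self.offsets:
            self.offsets[flow] = secrets.randbelow(MOD - 1) + 1  # never zero
        return (seq + self.offsets[flow]) % MOD

    def inbound(self, flow, ack):
        """Rewrite ack on a segment from the outside peer back to host numbering."""
        return (ack - self.offsets[flow]) % MOD

    def close(self, flow):
        """Drop the per-connection state when the flow ends."""
        self.offsets.pop(flow, None)


def demo():
    fw = SeqRandomizer()
    flow = ("10.0.0.5", 40000, "192.0.2.10", 80)  # constructed addresses
    inside_isn = timer_isn(1000.0)                # what a legacy host would send
    wire_isn = fw.outbound(flow, inside_isn, syn=True)
    peer_ack = (wire_isn + 1) % MOD               # SYN-ACK acknowledges ISN + 1
    seen_by_host = fw.inbound(flow, peer_ack)     # host sees its own ISN + 1
    return inside_isn, wire_isn, seen_by_host
    # SACK blocks also carry sequence numbers and would need the same
    # translation; that is omitted from this sketch.


if __name__ == "__main__":
    print(demo())
```

The `offsets` table is the extra per-connection state the second post refers to: every segment of every tracked flow needs a lookup and a rewrite in each direction.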