Tcp split handshake
-
Hi,
How does Pfsense 2.0 RC1 perform? (With standard Snort+ET enabled, 4Gb RAM)
http://www.nsslabs.com/research/network-security/firewall-ngfw/remediation/network-firewall-remediation-brief-for-tcp-split-handshake.html
http://news.techworld.com/security/3273840/firewall-software-open-to-tcp-handshake-hack-says-nss-labs/ -
I was wondering this as well after reading the news. This seems to be one of the better descriptions of the actual mechanics of the TCP split handshake (and is free): http://nmap.org/misc/split-handshake.pdf
Also it looks like nmap had a discussion last year about implementing split handshake detection which may be useful in testing: http://seclists.org/nmap-dev/2010/q2/723
-
This is sort of important, no?
I'm not that knowledgable to comment, sure there has to be some bright folks here that know this answer…
Is PFSense up to the task?
-
We've had a couple people look over that "announcement" and conclude there isn't enough detail to say anything for certain. Seems like something the OpenBSD folks would be all over if pf was vulnerable, and FreeBSD as well. Googling turns up a lack of relevant results. Lots of people discussing it but no authoritative answers. The best info was the older links already posted here. Has anyone actually tried the nmap split handshake scans against a pfSense firewall to see if it made any difference?
-
Has anyone actually tried the nmap split handshake scans against a pfSense firewall to see if it made any difference?
Without a tool I wouldn't have a clue how. Wouldn't something this important get incorporated into tools like Metasploit? Nothing shows up when searching there.
http://www.metasploit.com/modules/
