I'm wondering whether there is a way to set the PAN firewall to detect and drop TCP 1323 timestamp queries to servers.
According to some web vulnerability scanning reports, it is recommended to disable the TCP timestamp, as it discloses server uptime information, allowing attackers to guess the OS patch status.
In the recent Windows Server OS (2008 and R2), disabling TCP1323opts in the registry doesn't seem to disable the timestamp responses, as an nmap scan test will still be able to get the uptime information.
In some web scanner reports, there are recommendations to configure Cisco firewalls to disable the TCP timestamp, e.g. (no ip tcp timestamp).
Appreciate the response,
Not that I'm aware of.
Disabling timestamps should be done at the endpoints if you want to block timestamp information.
Easy to do on a Linux box:
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
Did you reboot your Windows box before you did the new nmap test?
Also verify with a pcap that the uptime which nmap picks up isn't from some application running on your server.
The "no ip tcp timestamp" is usually for traffic that the Cisco device itself generates (such as stuff from its mgmt interface etc.) and not for traffic that passes through.
However, note that timestamps are part of "high performance TCP" if I remember it correctly, so disabling timestamps could in some situations be bad (http://www.ietf.org/rfc/rfc1323.txt).
Also instead of altering the registry try to use this cmdline instead:
netsh int tcp set global timestamps=disabled
You might need a reboot afterwards as well...
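The "verify with a pcap" step in the answer above is worth making concrete. The following is an added example, not code from the original thread or from Palo Alto Networks: a small Python parser that takes the TCP header of a captured SYN/ACK (the bytes after the IP header, as you would pull them out of a pcap), reports whether the server actually sent the RFC 1323 timestamp option (kind 8), and estimates the host's uptime from two samples the way nmap does (difference in TSval over wall-clock time gives the tick rate; TSval divided by that rate is the time since the counter started, which on most stacks is boot). The sample segments are constructed inline by the build_synack helper, which is an assumption for illustration and not a real capture. Note that the TCP timestamp option is a different thing from the IP timestamp option (IPv4 option 68) and from ICMP timestamp requests (type 13); a zone-protection "IP option drop" or an ICMP setting does not change what the TCP stack on the server itself puts in its SYN/ACK, which is why the check has to be made on the endpoint's own traffic.

```python
import struct

TCP_OPT_END = 0
TCP_OPT_NOP = 1
TCP_OPT_MSS = 2
TCP_OPT_TIMESTAMP = 8  # RFC 1323 / RFC 7323 timestamp option


def parse_tcp_options(tcp_segment: bytes) -> dict:
    """Parse the options of a TCP header (IP header already stripped) into {kind: data}."""
    if len(tcp_segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_segment[12] >> 4) * 4  # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_segment):
        raise ValueError("bad TCP data offset")
    opts = tcp_segment[20:data_offset]
    parsed = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_END:
            break
        if kind == TCP_OPT_NOP:  # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length")
        parsed[kind] = opts[i + 2:i + length]
        i += length
    return parsed


def timestamp_option(tcp_segment: bytes):
    """Return (TSval, TSecr) if the segment carries a timestamp option, else None."""
    data = parse_tcp_options(tcp_segment).get(TCP_OPT_TIMESTAMP)
    if data is None:
        return None
    if len(data) != 8:
        raise ValueError("timestamp option must carry 8 bytes of data")
    return struct.unpack("!II", data)


def estimate_uptime(tsval_a: int, wall_a: float, tsval_b: int, wall_b: float):
    """Two TSval samples taken (wall_b - wall_a) seconds apart -> (tick rate in Hz, uptime in s)."""
    dt = wall_b - wall_a
    if dt <= 0:
        raise ValueError("samples must be in chronological order")
    ticks = (tsval_b - tsval_a) & 0xFFFFFFFF  # TSval is a 32-bit wrapping counter
    hz = ticks / dt
    if hz == 0:
        raise ValueError("TSval did not advance; cannot derive tick rate")
    return hz, tsval_b / hz


def host_reveals_uptime(samples):
    """samples: [(wall_time, tcp_segment_bytes), ...] from the server's SYN/ACKs.

    Returns None when no sample carries a timestamp option (timestamps are off),
    otherwise (hz, uptime_seconds) estimated from the first and last samples."""
    stamped = [(wall, timestamp_option(seg)) for wall, seg in samples]
    stamped = [(wall, ts[0]) for wall, ts in stamped if ts is not None]
    if len(stamped) < 2:
        return None
    (wall_a, tsval_a), (wall_b, tsval_b) = stamped[0], stamped[-1]
    return estimate_uptime(tsval_a, wall_a, tsval_b, wall_b)


def build_synack(tsval=None, tsecr=0) -> bytes:
    """Constructed sample SYN/ACK header (assumption for illustration, not a real capture).

    Options: MSS 1460, then NOP, NOP, timestamp when tsval is given. Checksum left at 0."""
    options = struct.pack("!BBH", TCP_OPT_MSS, 4, 1460)
    if tsval is not None:
        options += bytes([TCP_OPT_NOP, TCP_OPT_NOP])
        options += struct.pack("!BBII", TCP_OPT_TIMESTAMP, 10, tsval, tsecr)
    while len(options) % 4:  # options must end on a 32-bit boundary
        options += bytes([TCP_OPT_END])
    data_offset = (20 + len(options)) // 4
    header = struct.pack(
        "!HHIIBBHHH",
        443, 51000,          # source port, destination port
        1000, 1,             # sequence number, acknowledgement number
        data_offset << 4,    # data offset (32-bit words) in the high nibble
        0x12,                # flags: SYN + ACK
        65535, 0, 0,         # window, checksum (not computed), urgent pointer
    )
    return header + options


if __name__ == "__main__":
    # Constructed samples: a Linux-like 1000 Hz stack probed twice, one second apart.
    samples = [(0.0, build_synack(tsval=360_000_000, tsecr=1)),
               (1.0, build_synack(tsval=360_001_000, tsecr=2))]
    print("with timestamps:", host_reveals_uptime(samples))      # (1000.0, 360001.0)
    print("timestamps off:", host_reveals_uptime([(0.0, build_synack()), (1.0, build_synack())]))
```

Run it against real segments by slicing the TCP header out of the pcap frames (for Ethernet/IPv4 with no IP options, bytes 34 onward) and feeding them to host_reveals_uptime with the frame timestamps; a result of None after the endpoint change means the stack really stopped sending the option, while a non-None result with a plausible uptime means the scanner finding will come back regardless of anything configured on the firewall in front of the server.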
Interestingly, for me it is the Palo Alto 5200 series, version 8.1, that IS RESPONDING to timestamp requests from a desktop.
Why? I don't know. Why offer discovery information that a hacker could use? We have PING enabled on the interface--but I don't see any way to stop it from answering these esoteric ICMP queries.
It is also being asked for ADDRESS MASK (ICMP), but at least it doesn't respond to that.
It is possible to drop packets with the timestamp option set through a Zone Protection profile.
Network -> Zone Protection -> Packet Based Attack Protection -> IP Drop -> Timestamp.
The zone protection profile would then be applied to the ingress zone, untrust.
In my case, Rapid7 reported this vulnerability on PA5020 and PA5220:
Vulnerability Title: TCP timestamp response
Description: The remote host responded with a TCP timestamp. The TCP timestamp response can be used to approximate the remote host's uptime, potentially aiding in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP timestamps.
The scan was run against the MGMT interface; that's why the Zone Protection profile won't work in this case.