12-15-2015 11:56 PM
Any info about Firestorm bug and Palo Alto Firewall ??
12-16-2015 01:11 AM
If I understand this correctly, it has nothing to do with NG fw, application recognition or anything like this.
Every firewall allows the 3-way TCP handshake if there is an appropriate rule in the policy. It has nothing to do with application policy or anything. If you can extract data through the TCP handshake, it doesn't matter if it's allowed as a layer 4 rule (allowed by destination port 80) or as a layer 7 rule (allowed as web-browsing). It's more something that should be fixed as part of the IPS policy, or zone protection in PA's case, which should check the validity (or compliance) of the SYN, SYN-ACK and ACK packets and not allow any data there.
12-16-2015 02:10 AM - edited 12-16-2015 02:11 AM
You should have custom reports in place to detect this kind of behaviour.
For example, if some device in your network has loads of sessions with "incomplete" and "insufficient-data" applications, then it is worth taking a look, as it is an indicator of compromise.
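As an added illustration of the report logic described in the post above (example code written for this page, not something from the original thread or from Palo Alto Networks): the script below parses a traffic-log export, keeps only sessions that ended with App-ID still at "incomplete" or "insufficient-data" (both are real PAN-OS application names), and lists the sources with an unusual number of them. The CSV layout and the log lines are constructed for the example and are a simplified assumption, not the real PAN-OS export format; map the columns to your own export before using it.

```python
import csv
import io
from collections import Counter, defaultdict

# Application names PAN-OS assigns to sessions that ended before App-ID could
# classify them (no payload seen, or not enough of it).
UNCLASSIFIED_APPS = {"incomplete", "insufficient-data"}

# Constructed sample: a simplified traffic-log export. The column set is an
# assumption for this example, not the real PAN-OS export layout.
SAMPLE_LOG = """\
receive_time,src,dst,dport,application,action
2015/12/16 01:00:01,10.1.1.5,203.0.113.10,80,incomplete,allow
2015/12/16 01:00:02,10.1.1.5,203.0.113.10,443,insufficient-data,allow
2015/12/16 01:00:03,10.1.1.5,203.0.113.11,80,incomplete,allow
2015/12/16 01:00:04,10.1.1.5,203.0.113.11,8080,incomplete,allow
2015/12/16 01:00:05,10.1.1.5,203.0.113.12,80,insufficient-data,allow
2015/12/16 01:00:06,10.1.1.5,203.0.113.12,443,incomplete,allow
2015/12/16 01:00:07,10.1.1.7,198.51.100.5,80,incomplete,allow
2015/12/16 01:00:08,10.1.1.7,198.51.100.5,443,ssl,allow
2015/12/16 01:00:09,10.1.1.9,198.51.100.6,80,web-browsing,allow
2015/12/16 01:00:10,10.1.1.9,198.51.100.6,443,ssl,allow
"""


def parse_traffic_log(text):
    """Parse a CSV traffic-log export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def unclassified_sessions(rows):
    """Keep only the sessions the firewall could not classify."""
    return [r for r in rows if r["application"] in UNCLASSIFIED_APPS]


def suspect_sources(rows, threshold):
    """Return (src, session_count, distinct_dst_count) for every source with at
    least `threshold` unclassified sessions, busiest source first."""
    counts = Counter()
    dests = defaultdict(set)
    for r in unclassified_sessions(rows):
        counts[r["src"]] += 1
        dests[r["src"]].add(r["dst"])
    hits = [(src, n, len(dests[src])) for src, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    rows = parse_traffic_log(SAMPLE_LOG)
    for src, n, ndst in suspect_sources(rows, threshold=5):
        print(f"{src}: {n} unclassified sessions to {ndst} destinations")
```

A single "incomplete" session is normal (scanners, timed-out clients); the signal is one source accumulating many of them across several destinations, so tune the threshold against a baseline of your own network rather than copying the value used here.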
12-16-2015 05:44 AM
I think the nuance here that Palo Alto is missing and I would hope would update in PanOS, is that the inclusion of data in the syn packet during the handshake is a violation of the strict tcp syn handshake outlined in RFC 793.
Thus it is entirely reasonable to drop the connection at the point where the syn plus data packet is received. And this is indeed how strict tcp syn check works on both Juniper and Checkpoint firewalls.
Hopefully, the PA team will recognize that having strict tcp syn check is a feature that should be on by default to prevent this type of invalid communication.
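To make the "strict TCP SYN check" discussed above concrete, here is an added example (written for this page; it is not Juniper's, Check Point's or Palo Alto Networks' implementation, and the packet builder, the function names and the sample payloads are assumptions): a small IPv4/TCP parser that drops any SYN or SYN-ACK segment carrying payload, or a SYN with FIN/RST set, and accepts everything else. One caveat a practitioner should weigh before enabling such a check: TCP Fast Open (RFC 7413) legitimately puts data in the SYN, so a strict check of this kind also breaks TFO clients.

```python
import struct

# TCP flag bits (byte 13 of the TCP header).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_ipv4_tcp(flags, payload=b"", src="10.1.1.5", dst="203.0.113.10",
                   sport=40000, dport=80):
    """Build a minimal IPv4+TCP frame for testing (constructed input).
    Checksums are left at zero; the check below never looks at them."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                          5 << 4,      # data offset: 5 words, no options
                          flags, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(pkt):
    """Return (flags, payload) from a raw IPv4+TCP frame."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:
        raise ValueError("not TCP")
    tcp = pkt[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4
    return tcp[13], tcp[data_off:]


def strict_syn_check(pkt):
    """Return ("accept", "") or ("drop", reason). A handshake segment
    (SYN or SYN-ACK) must carry no payload, and a SYN must not carry FIN/RST."""
    flags, payload = parse_ipv4_tcp(pkt)
    if flags & SYN:
        if payload:
            kind = "SYN-ACK" if flags & ACK else "SYN"
            return ("drop", f"payload in {kind}")
        if flags & (FIN | RST):
            return ("drop", "SYN with FIN/RST set")
    return ("accept", "")


if __name__ == "__main__":
    for label, pkt in [
        ("clean SYN", build_ipv4_tcp(SYN)),
        ("SYN with data", build_ipv4_tcp(SYN, b"GET /secret")),
        ("SYN-ACK with data", build_ipv4_tcp(SYN | ACK, b"x")),
        ("ACK with data", build_ipv4_tcp(ACK | PSH, b"GET / HTTP/1.0\r\n")),
    ]:
        print(f"{label:18s} -> {strict_syn_check(pkt)}")
```

The check is deliberately per-segment and stateless: it does not need a session table, which is why it can sit in front of the flow engine and drop the offending SYN before any session (and therefore any "incomplete" log entry) is created.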
12-16-2015 06:53 AM
12-16-2015 11:49 PM
I agree with all that. But an option for strict checking of SYN packets would still be a nice feature.
12-28-2015 05:11 PM - edited 12-31-2015 02:05 AM
http://www.rfc-base.org/rfc-7413.html
However, I fail to see the importance of allowing SYN with data or not.
2. Data in SYN
Standard TCP already allows data to be carried in SYN packets ([RFC793], Section 3.4) but forbids the receiver from delivering it to the application until the 3WHS is completed. This is because TCP's initial handshake serves to capture old or duplicate SYNs.