Doubt on Connection establishment through ASA.

Suppose an inside user A establishes a connection through the ASA to an outside server (let's say server B) on port 80. The ASA builds xlate, connection and state table entries for this connection and maintains them for a period of time. My concern is: will the ASA allow it if server B wants to connect to user A with all fields the same (source and destination IP, source and destination port, TCP seq and ack numbers) during or after the communication? Since a connection entry already exists in the ASA from when user A initiated the connection to server B, the ASA should allow the newly generated connection.

Comments

  • Theoretically no. This type of flaw in a firewall is typically called a "piggyback" connection. This means that someone on the outside network is able to ride a connection back in that originally came from the inside.

    To prevent this, what the ASA *should* do (emphasis on should) is look at the 3-way handshake and then at the maintenance of the TCP session. Once a RST is sent or received to close the connection, it will be deleted from the state table. Also, the ASA should never allow a SYN in from the outside on its own without a SYN ACK. This means it allows the response to a handshake from outside in, but never allows the initiation of a handshake from outside in.

    AFAIK the only way to implement this attack against the ASA is to spoof the destination on the outside and then accurately predict the TCP sequence numbers back to the source on the inside. Although it's technically possible to do this, it's highly, *highly* improbable to implement.

    Google "TCP session hijacking" for more info on this type of attack.

    HTH,

    Brian McGahan, CCIE #8593 (R&S/SP/Security)
     
    Internetwork Expert, Inc.
    Toll Free: 877-224-8987 x 705
    Outside US: 775-826-4344 x 705
    Online Community: http://www.IEOC.com

    On Feb 1, 2011, at 1:42 PM, "syedha" <[email protected]> wrote:
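The behaviour Brian describes (outbound SYN creates state, the SYN-ACK is admitted only as the reply to that SYN, an outside SYN is refused even on a matching 5-tuple, a RST tears the entry down, and the only way past the inspection is a spoofed source plus a correctly predicted sequence number) can be modelled in a few dozen lines. The following is an added example written for this page, not Cisco code and not a description of the real ASA implementation; the inside/outside split by address prefix, the single 65535-byte acceptance window, the host addresses and the packet sequence are all constructed assumptions for illustration.

```python
"""Toy stateful TCP inspection modelling the firewall behaviour discussed above.
Added example for this page; not Cisco ASA code. Addresses, window size and
sequence tracking are simplifying assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INSIDE_PREFIX = "10.0.0."   # assumption: hosts under this prefix sit on the inside interface


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                # letters: S=SYN, A=ACK, R=RST, P=PSH
    seq: int = 0
    ack: int = 0
    payload_len: int = 0


@dataclass
class Conn:
    state: str                          # SYN_SENT -> SYN_RCVD -> ESTABLISHED
    inside_next: int                    # next seq expected from the inside host
    outside_next: Optional[int] = None  # next seq expected from the outside host


Key = Tuple[str, int, str, int]         # (inside ip, inside port, outside ip, outside port)


class StatefulFirewall:
    WINDOW = 65535   # assumption: data is accepted if its seq lies within this many bytes of expected

    def __init__(self) -> None:
        self.table: Dict[Key, Conn] = {}

    @staticmethod
    def is_inside(ip: str) -> bool:
        return ip.startswith(INSIDE_PREFIX)

    def _key(self, p: Packet) -> Key:
        # Normalise so both directions of one flow hit the same table entry.
        if self.is_inside(p.src):
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def process(self, p: Packet) -> str:
        """Return 'allow' or 'deny' and update the connection table."""
        key = self._key(p)
        conn = self.table.get(key)
        from_inside = self.is_inside(p.src)
        syn, ack, rst = "S" in p.flags, "A" in p.flags, "R" in p.flags

        # Rule 1: a RST on a known connection removes the entry immediately.
        if rst:
            if conn is None:
                return "deny"
            del self.table[key]
            return "allow"

        # Rule 2: a bare SYN is honoured only from the inside. An outside SYN is
        # refused even when the 5-tuple matches an existing entry (the piggyback).
        if syn and not ack:
            if not from_inside:
                return "deny"
            self.table[key] = Conn("SYN_SENT", inside_next=p.seq + 1)
            return "allow"

        if conn is None:
            return "deny"    # no state for this flow

        # Rule 3: a SYN-ACK is accepted only from the outside, only while we are
        # waiting for it, and only if it acknowledges the inside host's SYN.
        if syn and ack:
            if from_inside or conn.state != "SYN_SENT" or p.ack != conn.inside_next:
                return "deny"
            conn.outside_next = p.seq + 1
            conn.state = "SYN_RCVD"
            return "allow"

        # Rule 4: anything else must carry a seq inside the window tracked for its direction.
        expected = conn.inside_next if from_inside else conn.outside_next
        if expected is None or not (expected <= p.seq < expected + self.WINDOW):
            return "deny"
        if conn.state == "SYN_RCVD" and from_inside and ack and p.ack == conn.outside_next:
            conn.state = "ESTABLISHED"   # third leg of the handshake
        if from_inside:
            conn.inside_next = p.seq + p.payload_len
        else:
            conn.outside_next = p.seq + p.payload_len
        return "allow"


def run_scenario() -> List[Tuple[str, str]]:
    """Constructed exchange: inside host A (10.0.0.5:40000) to outside server B (203.0.113.7:80)."""
    fw = StatefulFirewall()
    A, B = "10.0.0.5", "203.0.113.7"
    steps = [
        ("A SYN",                 Packet(A, 40000, B, 80, "S", seq=1000)),
        ("B SYN-ACK",             Packet(B, 80, A, 40000, "SA", seq=5000, ack=1001)),
        ("A ACK",                 Packet(A, 40000, B, 80, "A", seq=1001, ack=5001)),
        ("B SYN, same 5-tuple",   Packet(B, 80, A, 40000, "S", seq=7777)),   # piggyback attempt
        ("B data, wrong seq",     Packet(B, 80, A, 40000, "PA", seq=999999, ack=1001, payload_len=10)),
        ("B data, predicted seq", Packet(B, 80, A, 40000, "PA", seq=5001, ack=1001, payload_len=10)),
        ("A RST",                 Packet(A, 40000, B, 80, "R", seq=1001)),
        ("B data after RST",      Packet(B, 80, A, 40000, "PA", seq=5011, ack=1001, payload_len=10)),
    ]
    return [(name, fw.process(pkt)) for name, pkt in steps]


if __name__ == "__main__":
    for name, verdict in run_scenario():
        print(f"{name:24s} {verdict}")
```

The scenario shows the two points of the thread side by side: a fresh SYN from B on the identical 5-tuple is dropped even though a connection entry exists, while a segment from B that lands inside the tracked sequence window is passed, which is exactly the spoof-plus-sequence-prediction case that is the only route in. After the RST the entry is gone and nothing from B is accepted.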