Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Response to "TCP Split Handshake Attack" vulnerability in Juniper SRX firewalls



Article ID: JSA10476 SECURITY_ADVISORIES Last Updated: 09 May 2013Version: 1.0
Legacy Advisory Id:
Product Affected:
SRX Series Firewalls running Junos
SSG Series, ISG Series, and NetScreen Firewalls running ScreenOS

On April 12, 2011, Network World published an article highlighting a study by NSS Labs entitled "Network Firewall 2011 Comparative Test Results." The study describes a previously released TCP Split Handshake Attack that reportedly allows access through firewall products from multiple vendors, including the Juniper Networks SRX Series firewall.

Juniper Networks is aware of the Network World article and has confirmed that a viable, easily configurable mitigation exists within our firewall products. KB20877 was released on April 14, 2011, to address concerns raised by the article and NSS Labs report. What follows is a summary of the information provided in the KB article.

In Junos on the SRX Series, the 'strict-syn-check' option, enabled under the [security flow tcp-session] hierarchy, enforces a strict three-way handshake check for TCP sessions, enhancing security by dropping data packets received before the three-way handshake has completed. Enabling the 'strict-syn-check' option completely blocks the TCP Split Handshake attack.

ScreenOS provides protection against the TCP Split Handshake Attack by enabling strict SYN checking using the CLI command 'set flow tcp-syn-check strict'.

No other Juniper Networks products, including the Secure Access (SA) and Infranet Controller (IC) appliances, are vulnerable to this firewall evasion technique.
CVSS Score:
Severity Level:
Severity Assessment:
CVSS Overall Score: 3.7 (AV:N/AC:M/Au:N/C:P/I:N/A:N/E:P/RL:W/RC:C)

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search