Response to "TCP Split Handshake Attack" vulnerability in Juniper SRX firewalls

Advisory Id:
JSA10476


Legacy Advisory Id:
PSN-2011-04-229
Product Affected:
SRX Series Firewalls running Junos
SSG Series, ISG Series, and NetScreen Firewalls running ScreenOS
Problem:

On April 12, 2011, Network World published an article highlighting a study by NSS Labs entitled "Network Firewall 2011 Comparative Test Results." The study describes a previously published TCP Split Handshake Attack that reportedly allows traffic to pass through firewall products from multiple vendors, including the Juniper Networks SRX Series firewall.
Solution:

Juniper Networks is aware of the Network World article and has confirmed that a viable, easily configurable mitigation exists within our firewall products. KB20877 was released on April 14, 2011, to address concerns raised by the article and NSS Labs report. What follows is a summary of the information provided in the KB article.

In Junos on the SRX Series, the 'strict-syn-check' option, configured under the [security flow tcp-session] hierarchy, enforces a strict three-way handshake check for TCP sessions: data packets received before the three-way handshake has completed are dropped. Enabling 'strict-syn-check' completely blocks the TCP Split Handshake attack.

ScreenOS provides protection against the TCP Split Handshake Attack by enabling strict SYN checking using the CLI command 'set flow tcp-syn-check strict'.
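As an added illustration of the behaviour both mitigations above turn on (strict SYN checking in Junos and ScreenOS), the Python model below only forwards payload once the canonical initiator SYN, responder SYN/ACK, initiator ACK sequence has completed and drops everything that does not fit the expected step. It is not Juniper's code and does not reflect either platform's implementation; the segment sequences and the "client"/"server" role labels are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:  # one TCP segment, reduced to what a SYN check looks at
    src: str            # "client" or "server": constructed role labels, not hosts
    syn: bool = False
    ack: bool = False
    payload: int = 0    # payload bytes carried by the segment

def strict_syn_check(segments, initiator="client"):
    """Simplified model of a strict three-way-handshake check (not Junos code).

    A session exists only after the canonical sequence
    initiator SYN -> responder SYN/ACK -> initiator ACK; payload is forwarded
    only from that point, and any segment that does not fit the step the
    tracker is waiting for is dropped.
    Returns (final_state, forwarded_payload_bytes, dropped_segments).
    """
    responder = "server" if initiator == "client" else "client"
    state, forwarded, dropped = "LISTEN", 0, []
    for seg in segments:
        if state == "LISTEN" and seg.src == initiator and seg.syn and not seg.ack:
            state = "SYN_SENT"
        elif state == "SYN_SENT" and seg.src == responder and seg.syn and seg.ack:
            state = "SYN_RECEIVED"
        elif state == "SYN_RECEIVED" and seg.src == initiator and seg.ack and not seg.syn:
            state = "ESTABLISHED"      # handshake complete; data on this ACK may pass
            forwarded += seg.payload
        elif state == "ESTABLISHED" and not seg.syn:
            forwarded += seg.payload   # ordinary in-session traffic
        else:
            dropped.append(seg)        # wrong flags for this step, or pre-handshake data
    return state, forwarded, dropped

# Constructed sample sequences, not captured traffic.
NORMAL_HANDSHAKE = [Segment("client", syn=True), Segment("server", syn=True, ack=True),
                    Segment("client", ack=True), Segment("client", ack=True, payload=100)]
# The responder answers the SYN with a bare SYN of its own instead of SYN/ACK,
# so the tracker never sees its expected second step and forwards nothing.
SPLIT_HANDSHAKE = [Segment("client", syn=True), Segment("server", syn=True),
                   Segment("client", syn=True, ack=True), Segment("server", ack=True),
                   Segment("server", ack=True, payload=40)]
# Data sent before the handshake has completed is also dropped.
EARLY_DATA = [Segment("client", syn=True), Segment("client", ack=True, payload=10)]

if __name__ == "__main__":
    for name, seq in (("normal", NORMAL_HANDSHAKE), ("split", SPLIT_HANDSHAKE), ("early", EARLY_DATA)):
        state, fwd, drops = strict_syn_check(seq)
        print(f"{name:6s} state={state:12s} forwarded={fwd:3d} dropped={len(drops)}")
```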

No other Juniper Networks products, including the Secure Access (SA) and Infranet Controller (IC) appliances, are vulnerable to this firewall evasion technique.
CVSS Score:
4.3
Risk Level:
Medium
Risk Assessment:
CVSS Overall Score: 3.7 (AV:N/AC:M/Au:N/C:P/I:N/A:N/E:P/RL:W/RC:C)