Stateful Inspection issue ISA 2006


  • Stateful Inspection issue ISA 2006

    Hi,

    Today my colleagues and I found something quite interesting with ISA 2006.
    According to our test environment, ISA 2006 isn't as stateful as they claim it to be.
    Although I know this is quite a statement, I will show you what we have noticed.

    First the image:


    OK, we have a client which wants to telnet to an IP address on the right switch.

    In this case we leave the Asymmetric routing as it is.

    A SYN packet is sent from the client to the switch through the ISA server.
    The SYN-ACK packet will not be sent through the ISA server because the default route bypasses the ISA server.
    However, the client will respond with an ACK packet through the ISA server, and somehow the ISA server accepts this.

    We can telnet to the box, and as long as we press the Enter key (or any other key to keep the session alive) the telnet session will be kept alive.
    If we stop pressing the Enter key, the session will be killed after 60 seconds. But every time we press the Enter key the 60-second counter is reset.

    So here is a snap from the trace. I've blacked out the IP addresses, but trust me, the sources are correct.



    In the red outlines you'll find the interesting traffic. Let's analyze:
    The client sends a SYN packet. Check!
    Now we expect a SYN-ACK (where is it???)
    Then the client sends an ACK packet (because of the asymmetric routing the client gets its SYN-ACK)

    Then we have telnet DATA??????

    OK, so we can connect to a server (or in this case a switch) without ISA 2006 having checked whether the three-way handshake was correct??

    If we correct the routing on the right switch to point to the ISA server, everything works fine.

    So my statement:
    Stateful inspection on the ISA server doesn't work as it is supposed to.
    It doesn't check the three-way handshake.

    So what do you guys think of this???
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"

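An added example, not part of the original post and not ISA Server's code: a minimal model of a firewall's TCP connection table, fed with the packets it would see in the asymmetric-routing setup described above. Strict mode only promotes a flow after a matching SYN-ACK and ACK; loose mode accepts the client's ACK alone, which is the behaviour the post reports. Addresses, sequence numbers and all names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    flags: str      # "S", "SA", "A" or "PA" (data)
    seq: int
    ack: int = 0

class HandshakeTracker:
    """Toy connection table; strict=True insists on seeing the SYN-ACK."""
    def __init__(self, strict=True):
        self.strict = strict
        self.table = {}             # (client, server) -> flow record

    def inspect(self, p):
        fwd, rev = (p.src, p.dst), (p.dst, p.src)
        if p.flags == "S":          # new flow, remember the client's ISN
            self.table[fwd] = {"state": "SYN_SENT", "c_isn": p.seq}
            return "ALLOW"
        if p.flags == "SA":         # must answer a pending SYN exactly
            c = self.table.get(rev)
            if c and c["state"] == "SYN_SENT" and p.ack == c["c_isn"] + 1:
                c.update(state="SYN_RCVD", s_isn=p.seq)
                return "ALLOW"
            return "DROP"
        c = self.table.get(fwd) or self.table.get(rev)
        if c is None:
            return "DROP"
        from_client = fwd in self.table
        if c["state"] == "SYN_RCVD" and from_client and p.flags == "A":
            if p.seq == c["c_isn"] + 1 and p.ack == c["s_isn"] + 1:
                c["state"] = "ESTABLISHED"
        elif c["state"] == "SYN_SENT" and from_client and not self.strict:
            c["state"] = "ESTABLISHED"  # loose: the client's ACK alone is trusted
        return "ALLOW" if c["state"] == "ESTABLISHED" else "DROP"

def verdicts(trace, strict):
    fw = HandshakeTracker(strict)
    return [fw.inspect(p) for p in trace]

# Constructed traces (documentation addresses, made-up sequence numbers).
C, S = "192.0.2.10", "198.51.100.20"
SYMMETRIC = [Pkt(C, S, "S", 1000), Pkt(S, C, "SA", 5000, 1001),
             Pkt(C, S, "A", 1001, 5001), Pkt(C, S, "PA", 1001, 5001)]
# Asymmetric routing: the SYN-ACK bypasses the firewall, so it never sees it.
ASYMMETRIC = [p for p in SYMMETRIC if p.flags != "SA"]

if __name__ == "__main__":
    for strict in (True, False):
        print("strict" if strict else "loose", verdicts(ASYMMETRIC, strict))
```
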

  • #2
    Re: Stateful Inspection issue ISA 2006

    PS, according to Microsoft:

    http://www.microsoft.com/technet/isa...esiliency.mspx

    • Connection flood mitigation. ISA Server validates that the three-way handshake packets required in a sequence are valid. This avoids establishing TCP connections to or through ISA Server from spoofed source IP addresses.
    So it looks like this won't work....
    Last edited by Dumber; 20th March 2008, 20:49.


    • #3
      Re: Stateful Inspection issue ISA 2006

      Nobody who has an opinion about this?


      • #4
        Re: Stateful Inspection issue ISA 2006

        We had an issue like this and it turned out to be a setting on the firewall for the TCP timeout.

        Don't have ISA though, so I could be very wrong.



        • #5
          Re: Stateful Inspection issue ISA 2006

          Well, it should be impossible to connect to, in this case, a switch.
          The ISA Server never sees the SYN-ACK and so it should drop the ACK and all other data.


          • #6
            Re: Stateful Inspection issue ISA 2006

            Have you tried to post it on http://www.isaserver.org?



            • #7
              Re: Stateful Inspection issue ISA 2006

              No, not yet. Currently I'm rebuilding my test environment, but as soon as I get this up again I'm thinking of posting this on ISAserver.org.

              My main worry is that I can send data while the three-way handshake isn't completed.

              So in other words, just as an example:
              Imagine the following rule:

              Source IP 1.2.3.4 from a colleague.
              Destination IP 3.4.5.6 from a DC.
              Protocols: RDP
              Username admin and password abc123! from the DC

              Imagine I'm a system administrator and I'm fired.
              I know an admin password and I know an IP address of one of my colleagues.

              If I spoof his IP address and I send a SYN and an ACK packet, theoretically I can start an RDP session, while ISA should detect that the three-way handshake isn't completed.

              If this works, there is a major flaw within ISA Server.
              I haven't tested this yet; however, I'm sure that there are issues with the earlier setup which I made in the drawing.
              The fact that it doesn't see the SYN-ACK and just allows traffic while the TCP connection is setting up is quite wrong.


              • #8
                Re: Stateful Inspection issue ISA 2006

                Make my day!



                • #9
                  Re: Stateful Inspection issue ISA 2006

                  Added:

                  This is what the trace should look like.


                  • #10
                    Re: Stateful Inspection issue ISA 2006

                    Just an ordinary kick


                    • #11
                      Re: Stateful Inspection issue ISA 2006

                      And a new kick, also for me as a reminder to have a look at it again