Q: My company has been trying to figure out how we can do better at connecting our remote users to our main site, as well as making our other location seem like it’s right next door. Any advice?
Updated May 9th: After a thorough investigation of the TCP Split Handshake issue raised by NSS Labs, Cisco has confirmed that the Cisco ASA firewall is not susceptible to this issue. In all test cases examined, the ASA operates as expected, providing protection in its default configuration against the Split-Handshake as defined in the original TCP Split Handshake paper. As a result, the Cisco PSIRT closed this investigation on May 4th.
Cisco appreciates the extended engagement and data provided by NSS Labs as we’ve worked through these scenarios. During two recent visits to NSS Labs, Cisco was presented with a number of scenarios, including new test cases that deviated from the original Split-Handshake scenario. The Cisco PSIRT collected traces and provided feedback to NSS Labs on all scenarios. In each case, Cisco demonstrated successful network protection through the default ASA configuration or the implementation of firewall policies that are fully supported, documented and used pervasively in enterprise deployments.
As always, vulnerability reports should continue to be reported to the PSIRT organization (email@example.com). Cisco customers are encouraged to contact their account manager with any questions.
Recently there’s been some activity in the press regarding an NSS Labs report on potential vulnerabilities in Next-Generation Firewalls (NGFW). The Cisco Adaptive Security Appliance (ASA) was one of the products mentioned as vulnerable to these attacks. Based on the investigation of this issue to date, the data indicates that Cisco customers are not exposed to this issue. As always, should the vulnerability be confirmed the Cisco Product Security Incident Response Team (PSIRT) will investigate, drive remediation and disclose per our normal communication channels. (PSIRT Vulnerability Policy)
On April 12th, NSS Labs published a report regarding vulnerabilities in a number of firewalls, including Cisco’s ASA product line. The full report has a hefty $3500 price tag, but NSS does provide a free (with registration) “Remediation Guide” for users of these firewalls.
The NSS Labs Remediation Guide incorrectly lists the Cisco ASA as vulnerable to the TCP Split Handshake attack, and also mentions that there are no steps available to customers to mitigate or remediate this attack.
Following an investigation over several months, involving well over a dozen Cisco engineers from various teams working in conjunction with NSS Labs, no vulnerability of this nature has been observed on Cisco products. The following products have been investigated:
- Cisco ASA
- Cisco IOS Firewall
- Cisco Intrusion Prevention System (IPS) Appliances
It’s important to note that the NSS Labs report focuses on only one attack, the TCP Split Handshake, which is a third way of establishing a TCP session that combines features of both the standard three-way handshake and the simultaneous open.
However, the goal of this post isn’t to discuss the technical details of TCP handshakes, but rather to present what Cisco has done and is doing to investigate the impact to our products and protect our customers.
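For readers who do want the packet-level picture, here is an added example (not code from the Cisco post or the NSS Labs report) that classifies the three handshake shapes named above from constructed tcpdump-style lines, and shows the stateful-inspection check a firewall applies: the only reply it should track after a client's SYN is a SYN/ACK. The split-handshake shape assumed here is the four-packet sequence from the original paper (SYN from the client, bare SYN back from the server, SYN/ACK from the client, ACK from the server); the addresses and flags are constructed, not captured.

```python
import re
# Constructed tcpdump-style lines, not a real capture. Flag letters follow
# tcpdump: S = SYN, . = ACK, so "S." is SYN/ACK and "." is a bare ACK.
THREE_WAY_TRACE = """\
10.0.0.5.40001 > 10.0.0.9.80: Flags [S]
10.0.0.9.80 > 10.0.0.5.40001: Flags [S.]
10.0.0.5.40001 > 10.0.0.9.80: Flags [.]
"""
SPLIT_TRACE = """\
10.0.0.5.40002 > 10.0.0.9.80: Flags [S]
10.0.0.9.80 > 10.0.0.5.40002: Flags [S]
10.0.0.5.40002 > 10.0.0.9.80: Flags [S.]
10.0.0.9.80 > 10.0.0.5.40002: Flags [.]
"""
LINE_RE = re.compile(r"(\S+) > (\S+): Flags \[([^\]]*)\]")

def parse_trace(text: str) -> list:
    """Return one (src, dst, flags) tuple per parsable line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            out.append((m.group(1), m.group(2), m.group(3)))
    return out

# Handshake shapes as (sender, flags): "c" sent the first SYN, "s" is its
# peer. Split handshake and simultaneous open differ only in packet 4.
PATTERNS = {
    "three-way":         [("c", "S"), ("s", "S."), ("c", ".")],
    "simultaneous-open": [("c", "S"), ("s", "S"), ("c", "S."), ("s", "S.")],
    "split-handshake":   [("c", "S"), ("s", "S"), ("c", "S."), ("s", ".")],
}

def classify_handshake(text: str) -> str:
    """Name the handshake shape that opens the trace, or 'unknown'."""
    packets = parse_trace(text)
    if not packets:
        return "unknown"
    initiator = packets[0][0]
    shape = [("c" if src == initiator else "s", f) for src, _, f in packets]
    for name, pattern in PATTERNS.items():
        if shape[:len(pattern)] == pattern:
            return name
    return "unknown"

def peer_answered_syn_with_bare_syn(text: str) -> bool:
    """Stateful-inspection check: the only reply to track after the first
    SYN is a SYN/ACK; a bare SYN from the peer can be dropped instead."""
    packets = parse_trace(text)
    if len(packets) < 2:
        return False
    src, _, flags = packets[1]
    return src != packets[0][0] and flags == "S"
```

The second function fires on packet 2, before the trace is long enough to tell a simultaneous open from a split handshake, which is why a firewall that only tracks SYN/ACK replies never has to make that distinction.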
So here we are, in the middle of March Madness. Lots of people don’t normally follow college basketball, but it’s still a great social environment and an opportunity to get together and pretend we know the teams we all picked in our brackets. Sometimes we pick based on “loyalty” and other times there are other reasons. We all have various “borders” we deal with every day.
So, bring on Borderless Networks. In the manufacturing area we still tend to think of a “border” between the factory and the business. After all, how can those people in the front office know what we need in the factory, right? Well, that separation gets smaller and smaller every day. Why? Because we’ve blurred the border. Sure, there are appropriate firewalls and security between the various layers. But every day we run into people who tell us they need data from the plant, from the machine, from the supplier, from the sales force, from the channel, from the customer. And sometimes we’re not in the office; we may be at home, at a different supplier, in an airport, or at a concert or ball game with our kids.
The point is: the data is there and I am not, but I need to make a call that affects my plant’s productivity, or answer a question from my CEO, because a big opportunity or a major customer disappointment is about to happen.