Subject: Re: TCP Sequence Prediction
From: Seth R Arnold (sarnold at WILLAMETTE.EDU)
Date: Wed Mar 29 2000 - 23:04:38 CST
- Next message: Vladimir Dubrovin: "Re: TCP Sequence Prediction"
- Previous message: Sen_Ml Sen_Ml: "Re: changing MAC address"
- In reply to: Dean Michael Dorman: "TCP Sequence Prediction"
- Next in thread: Vladimir Dubrovin: "Re: TCP Sequence Prediction"
- Reply: Seth R Arnold: "Re: TCP Sequence Prediction"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
* Dean Michael Dorman <Dean at PUTNAMCOMPANY.COM> [000329 20:11]:
> Pardon me if this is a trivial question but after nmapping several servers I
> find that NT boxen usually come up with:
>
> TCP Sequence Prediction: Class=trivial time dependency
> Difficulty=6 (Trivial joke)
>
> I was wondering how to increase the security here (besides removing NT and
> installing OpenBSD).
(This is a guess, so if someone would correct me if I am wrong, I would
very much appreciate it. :)
I think the best way to make the tcp sequence more difficult to predict
is just that -- use another machine to generate the sequences. Rather
than replace all your NT boxen with OpenBSD you could instead place a
proxy between your NT boxen and your internet link; one that would
rewrite the sequences for you.
You could either use application proxies for individual services (such
as http) or you could use a NAT box, which (again, guessing ;) re-writes
the tcp sequence numbers.
If you need to protect the services from an internal session hijacking
threat as well as external, then you could hang each NT box on the other
side of a dedicated NAT box.
I think with this method you could get the cryptographically random
sequence numbers of OpenBSD while your users shouldn't notice any
differences in how they use the services.
HTH
-- Seth Arnold | http://www.willamette.edu/~sarnold/ Hate spam? See http://maps.vix.com/rbl/ for help
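The two ideas in the exchange above, an nmap-style "difficulty" reading of observed ISNs and an in-path box that rewrites sequence numbers so the outside world never sees the host's own, can be demonstrated together. The following is an added example written for this archive page; it is not code from the poster, from nmap, or from any NAT product. The difficulty score is a simplified heuristic (standard deviation of consecutive ISN deltas, in bits) chosen to reproduce the spirit of nmap's index, not its exact algorithm, and the `IsnRewriter` class, `nt_like_isns`, `seeded_randbits` and the constructed ISN samples are all hypothetical.

```python
import math
import random
import secrets

MASK32 = 0xFFFFFFFF  # TCP sequence space is 32 bits and wraps


def isn_deltas(isns):
    """Differences between consecutive ISNs, taken modulo 2^32."""
    return [(b - a) & MASK32 for a, b in zip(isns, isns[1:])]


def isn_difficulty(isns):
    """Score how hard a run of observed ISNs is to guess.

    Constructed heuristic in the spirit of nmap's "Difficulty" index: the
    standard deviation of consecutive ISN deltas, reported in bits. A host
    that bumps its ISN by a fixed amount per tick yields identical deltas
    (0 bits, "trivial time dependency"); a host drawing ISNs uniformly from
    the 32-bit space yields deltas spread over ~2^32 (about 30 bits).
    This is NOT nmap's exact algorithm.
    """
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISN samples")
    mean = sum(deltas) / len(deltas)
    sd = math.sqrt(sum((d - mean) ** 2 for d in deltas) / len(deltas))
    bits = math.log2(sd + 1.0)
    if bits < 10:
        klass = "trivial time dependency"
    elif bits < 24:
        klass = "weak randomness"
    else:
        klass = "strong randomness"
    return {"bits": bits, "class": klass}


class IsnRewriter:
    """Per-connection ISN translation as a NAT box or proxy might do it.

    For each new inside->outside connection a fresh random ISN is chosen for
    the outside world and the offset is remembered; every outbound SEQ gets
    the offset added and every inbound ACK gets it subtracted, so neither
    end notices. Hypothetical model, not a real NAT implementation.
    """

    def __init__(self, randbits=secrets.randbits):
        self._randbits = randbits  # injectable so tests can be deterministic
        self._offsets = {}

    def new_connection(self, conn_id, inside_isn):
        outside_isn = self._randbits(32)
        self._offsets[conn_id] = (outside_isn - inside_isn) & MASK32
        return outside_isn

    def outbound_seq(self, conn_id, seq):
        return (seq + self._offsets[conn_id]) & MASK32

    def inbound_ack(self, conn_id, ack):
        return (ack - self._offsets[conn_id]) & MASK32


def nt_like_isns(n, start=0x1000, step=0x100):
    """Constructed sample: a host whose ISN grows by a fixed step per connection."""
    return [(start + i * step) & MASK32 for i in range(n)]


def seeded_randbits(seed):
    """Deterministic stand-in for secrets.randbits, for repeatable demos/tests."""
    return random.Random(seed).getrandbits


def rewritten_isns(isns, randbits=secrets.randbits):
    """ISNs the outside world sees when the host sits behind an IsnRewriter."""
    rw = IsnRewriter(randbits)
    return [rw.new_connection(i, isn) for i, isn in enumerate(isns)]


if __name__ == "__main__":
    inside = nt_like_isns(50)
    print("NT-like host    :", isn_difficulty(inside))
    print("behind rewriter :", isn_difficulty(rewritten_isns(inside)))
```

Run as-is, the first line reports 0 bits and "trivial time dependency" for the fixed-step host, and the second reports roughly 30 bits for the same connections once the rewriter has replaced each ISN, which is the effect the reply above expects from putting a NAT box or proxy in front of the NT hosts. Note that the rewriter only hides the host's ISNs from peers on the far side of it; a session hijacker on the same segment as the host still sees the original numbers, which is why the reply suggests a dedicated box per host for the internal case.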