Firewall-1


Subject: Re: [FW-1] randomize tcp sequence number when traversing between interfaces
From: cisco4ng <cisco4ng AT YAHOO DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Mon, 9 Apr 2007 10:11:08 -0700
R1--(Internal)CP_NGx_R61_hfa_01(External)--R2

I found something interesting during the troubleshooting process:

Scenario #1: In the security policy, I allowed R1 to establish a BGP session with R2 but I did NOT allow R2 to establish a BGP session with R1 in the security policy.

Even with everything enabled in the SmartDefense fingerprint section, R1 can establish a BGP session using MD5 authentication. Looking at the tcpdump on both the internal and external interfaces, I notice that the Sequence Number (SN) does not change when traversing the interface when R1 initiates its BGP session with R2. That's why I suspect BGP with MD5 authentication works between R1 and R2 across the Check Point firewall.

Scenario #2: In the security policy, I allowed R2 to establish a BGP session with R1 but I did not allow R1 to establish a BGP session with R2 in the security policy. Furthermore, I have all the SmartDefense fingerprinting in place as I did with scenario #1.

To my surprise, I successfully BREAK BGP sessions between R1 and R2. Upon looking at the tcpdump on both the External and Internal interfaces, I do see that the Sequence Number (SN) of the first packet, the SYN, when going from R2 to R1, stays the same when it traverses the firewall. However, the "SYN-ACK" coming back from R1 to R2 was completely different when it leaves the External interface compared to when it arrives at the Internal interface. That's why it breaks BGP with MD5 authentication.

Basically, when R1 initiated that BGP session, everything works and the SN stays the same. However, when R2 initiated the BGP session, it breaks because the SN got modified on the return.

Very interesting problem.

Hugo van der Kooij <hvdkooij AT VANDERKOOIJ DOT ORG> wrote:
  On Sat, 7 Apr 2007, cisco4ng wrote:

> you said:
> "At present you make an assumption here based on what 2
>> routers do with BGP without the data to tell exactly what is going on.
>>
>> You may very well be putting Check Point on the wrong foot by not
>> including the proper data."
>
> My assumption is a very valid assumption. By having iBGP with md5
> authentication working across the CP firewall, it proved that the TCP
> sequence number was never randomized by the CP firewall, at least with
> BGP traffic. Otherwise, my iBGP would not have worked, as demonstrated
> by the link provided by Cisco.

You assume that it must break BGP. But that is not the way to stop BGP. If 
you do not want BGP traffic then do not allow it in your rules. It is that 
simple.

BGP is known to be volatile with MD5 traffic. So the exception to BGP 
might be there intentionally. Did you test other traffic? And if you can 
not document this with packet traces then you are not explaining things 
properly. You have the setup so you can provide those traces in minutes. 
If you wait for someone else to build a setup you are not very efficient.

And as far as this thread goes: until now you did not tell us whether you 
are using NGX R65 or NGAI R55 or ....
So please be accurate in your report to a mailing list.

Hugo.

-- 
hvdkooij AT vanderkooij DOT org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
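Why a rewritten sequence number breaks BGP with MD5 authentication, as an added worked example (not code from either poster or from Check Point): RFC 2385 computes the TCP MD5 signature over the IPv4 pseudo-header, the TCP header with the checksum zeroed, the payload and the shared key, so the sequence number is covered by the digest. The addresses, port, key and sequence numbers below are constructed; `synack_verifies` models R1 signing its SYN-ACK and R2 checking it against the value that actually arrived.

```python
import hashlib
import socket
import struct

SYN, ACK = 0x02, 0x10


def tcp_md5_digest(src_ip, dst_ip, sport, dport, seq, ack, flags,
                   hdr_len, payload, key):
    """RFC 2385 TCP MD5 signature: MD5 over the IPv4 pseudo-header, the
    TCP header excluding options (checksum forced to zero), the payload
    and the shared key.  hdr_len is the on-the-wire header length in
    bytes (options included); it sets the data-offset field and the
    segment length carried in the pseudo-header."""
    seg_len = hdr_len + len(payload)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, 6, seg_len)
    doff = (hdr_len // 4) << 4
    # window fixed at 16384, checksum 0, urgent pointer 0
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, doff,
                          flags, 16384, 0, 0)
    return hashlib.md5(pseudo + tcp_hdr + payload + key).digest()


# Constructed scenario #2 from the post: R2 (external) opens the BGP
# session to R1 (internal); the firewall leaves the SYN alone but
# rewrites the sequence number of R1's SYN-ACK on the way out.
R1, R2 = "10.0.0.1", "192.0.2.1"   # constructed router addresses
KEY = b"bgp-secret"                # constructed shared BGP password
HDR = 40                           # 20-byte header + 20 bytes of options
R2_ISN = 1000                      # constructed initial seq of R2's SYN


def synack_verifies(seq_sent_by_r1, seq_seen_by_r2):
    """R1 signs its SYN-ACK with the seq it sent; R2 recomputes the digest
    over the seq it actually received.  True only if nothing in between
    changed the sequence number."""
    signed = tcp_md5_digest(R1, R2, 179, 40000, seq_sent_by_r1,
                            R2_ISN + 1, SYN | ACK, HDR, b"", KEY)
    checked = tcp_md5_digest(R1, R2, 179, 40000, seq_seen_by_r2,
                             R2_ISN + 1, SYN | ACK, HDR, b"", KEY)
    return signed == checked


if __name__ == "__main__":
    # scenario #1 behaviour: the SN is untouched, so the signature holds
    print("SN unchanged:", synack_verifies(0x1A2B3C4D, 0x1A2B3C4D))
    # scenario #2 behaviour: the firewall randomised the SYN-ACK's SN
    print("SN rewritten:", synack_verifies(0x1A2B3C4D, 0x9F8E7D6C))
```

Because the digest also covers the acknowledgement number, a firewall that translates sequence numbers in one direction and acknowledgement numbers in the other breaks the signatures of both peers, which is why the session cannot recover on its own.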



