Gary Connor, Phd.
Resolve "TCP/IP Predictable ISN (Initial Sequence Number) Generation Weakness" Vulnerability

I have a web server running on Windows 2012r2, IIS 8.5.  I just ran an external PCI scan and received a FAIL due to "isn (initial sequence number) generation access."  The server is on a DMZ subnet NAT'd to the outside through a CISCO ASA5512x.

Does anyone know how I can prevent the "TCP/IP Predictable ISN (Initial Sequence Number) Generation Weakness" vulnerability on this configuration?
SOLUTION
Dan McFadden
SOLUTION
ASKER

While these are both good comments, I am running IOS 9.3(3)2, and the TCP Sequence Number Randomization is (and has always been) enabled.  I suspect this is a false positive by the ASV, but getting Security Metrics to admit to their scanning error is a long and arduous task, so I thought I'd do additional due diligence and see if there were additional controls I could implement.  As far as my own external testing has shown, the ASA is doing its job.
SOLUTION
harbor235 :} - Can you tell me what the current recommended version is for the ASA 5512x?  Also, I ran a packet analyzer from inside the firewall and from outside the firewall.  Inside the firewall I see sequential initial sequence numbers.  From outside (through the ASA) I see highly randomized initial sequence numbers on all open ports.  So the ASA is doing its job, but I would still update to the recommended IOS just as a matter of good practice.  Thank you.
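The inside-versus-outside comparison described above can be turned into a repeatable check. The following is an added example, not code from the thread or from any of the products mentioned: given a list of ISNs taken from successive SYN-ACKs of one host (e.g. exported from a packet capture), it computes the wrap-aware deltas and, in the spirit of Nmap's ISN sequence index, reports whether the generator looks constant-increment, weakly randomized, or randomized. The ISN samples and the variance thresholds are constructed for illustration.

```python
"""Rough predictability check for TCP initial sequence numbers (ISNs).

Added example, not from the original thread. Input is a list of ISNs
observed on successive SYN-ACKs from the same host; the sample values
at the bottom are constructed, not captured from any real system."""
import math
from statistics import pstdev
from typing import List, Tuple

MOD = 2 ** 32  # the sequence number is a 32-bit field, so deltas wrap


def isn_deltas(isns: List[int]) -> List[int]:
    """Differences between consecutive ISNs, reduced modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def isn_predictability(isns: List[int]) -> Tuple[int, float, str]:
    """Return (gcd of deltas, population std-dev of deltas, verdict).

    A constant or low-variance delta means the next ISN can be estimated
    from the previous one. Thresholds are assumptions for illustration."""
    deltas = isn_deltas(isns)
    if len(deltas) < 3:
        raise ValueError("need at least 4 ISN samples")
    g = math.gcd(*deltas)       # common step size of the generator, if any
    sd = pstdev(deltas)         # spread of the increments
    if sd == 0:
        verdict = "constant increment: trivially predictable"
    elif sd < 2 ** 20:
        verdict = "low variance: weak randomization"
    else:
        verdict = "high variance: looks randomized"
    return g, sd, verdict


# Constructed samples: a fixed-increment generator (the sequential ISNs the
# asker saw inside the firewall) and well-spread values (as seen through
# a device that rewrites sequence numbers).
SEQUENTIAL_ISNS = [0x10000000 + i * 64000 for i in range(8)]
RANDOM_ISNS = [0x6A3F19C2, 0x0B8E7D11, 0xF4C20A58, 0x3E91B7E0,
               0xA70D5C34, 0x1C66E9AB, 0xD2384F07, 0x85AB0E93]

if __name__ == "__main__":
    for name, sample in (("sequential", SEQUENTIAL_ISNS),
                         ("random", RANDOM_ISNS)):
        g, sd, verdict = isn_predictability(sample)
        print(f"{name:10s} gcd={g} stdev={sd:.0f} -> {verdict}")
```

Running the same check against captures taken inside and outside the ASA should reproduce the asker's observation: a zero-variance result on the inside and a high-variance one on the outside.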
ASKER CERTIFIED SOLUTION