Gary Connor, Phd.
asked on
Resolve "TCP/IP Predictable ISN (Initial Sequence Number) Generation Weakness" Vulnerability
I have a web server running on Windows 2012r2, IIS 8.5. I just ran an external PCI scan and received a FAIL due to "isn (initial sequence number) generation access." The server is on a DMZ subnet NAT'd to the outside through a CISCO ASA5512x.
Does anyone know how I can prevent "TCP/IP Predictable ISN (Initial Sequence Number) Generation Weakness" vulnerability on this configuration?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
harbor235 :} - Can you tell me what the current recommended version is for the ASA 5512x? Also, I ran a packet analyzer from inside the firewall and from outside the firewall. Inside the firewall I see sequential initial sequence numbers. From outside (through the ASA) I see highly randomized initial sequence numbers on all open ports. So the ASA is doing its job, but I would still update to the recommended IOS just as a matter of good practice. Thank you.
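The inside/outside comparison described in the comment above, as an added example that is not part of the original thread: it takes the ISNs read from the SYN/ACKs of successive connections at each capture point and judges whether they advance in short, regular steps or jump across the 32-bit space. The sample ISNs are constructed, and the function names and the `max_step` and `min_samples` thresholds are assumptions of this example, not any scanner's actual test.

```python
MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

# Constructed samples: ISNs read from SYN/ACKs of six successive connections.
INSIDE = [(0xFFFFF000 + i * 64000) % MOD for i in range(6)]  # steady counter, wraps
OUTSIDE = [0x3A91C2F7, 0xE10457B2, 0x0B7F9D14, 0x9C2E6A81, 0x5D13F0CE, 0xC8A40B39]


def isn_deltas(isns):
    """Forward distance between consecutive ISNs, modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def assess_isns(isns, max_step=1_000_000, min_samples=5):
    """Return 'predictable', 'randomized', 'mixed' or 'insufficient'.

    max_step and min_samples are assumed thresholds for this example,
    not values taken from any scanner.
    """
    if len(isns) < min_samples:
        return "insufficient"
    deltas = isn_deltas(isns)
    small = sum(1 for d in deltas if d <= max_step)
    if small == len(deltas):
        return "predictable"   # every ISN is a short hop past the previous one
    if small == 0:
        return "randomized"    # no ISN lands near its predecessor
    return "mixed"


def firewall_masks_isn(inside, outside):
    """True when the host's ISNs look predictable but the view through the firewall does not."""
    return assess_isns(inside) == "predictable" and assess_isns(outside) == "randomized"


if __name__ == "__main__":
    print("inside :", assess_isns(INSIDE), isn_deltas(INSIDE))
    print("outside:", assess_isns(OUTSIDE))
    print("firewall masks host ISNs:", firewall_masks_isn(INSIDE, OUTSIDE))
```

Feed it the ISNs from each capture in connection order; a handful of samples supports only a rough verdict, so collect more before relying on the result.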
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.