News: Symantec warns of firewall flaw
Researchers have discovered a flaw in Symantec's Raptor firewall that could allow attackers to hijack legitimate communications with a protected system.

The vulnerability lies in the way the software creates and uses random numbers--called TCP Initial Sequence Numbers--for each new connection. In order to speed performance, the system reuses the same number for connections coming from the same source IP address and TCP port for a short time after the initial connection is closed, researchers said. During this period, an attacker could use the IP address and TCP information for an earlier, legitimate connection and create a new, unauthorized connection, a technique called "spoofing".

This connection would appear to be coming from an address other than that of the real source, and could be used to carry out an attack. In addition, researchers said that the way the ISN is generated is not random enough. "A weakness in the generation of these ISNs could allow a remote attacker to easily predict the sequence numbers for a certain session," said Kristof Philipsen, a security engineer with e-security firm Ubizen Luxembourg, which discovered the flaw

The systems affected are:
· Raptor Firewall 6.5 for Windows NT
· Raptor Firewall V6.5.3 for Solaris
· Symantec Enterprise Firewall 6.5.2 for Windows 2000 and NT
· Symantec Enterprise Firewall V7.0 for Solaris
· Symantec Enterprise Firewall 7.0 for Windows 2000 and NT
· VelociRaptor Model 500/700/1000
· VelociRaptor Model 1100/1200/1300
· Symantec Gateway Security 5110/5200/5300
http://zdnet.com.com/2100-1105-948579.html