
July 30, 2004

Virtual Fragmentation Reassembly

Virtual Fragmentation Reassembly (VFR) is an important firewall feature for identifying the contents of IP fragments. Without VFR, most fragmented packets pass through the firewall without any access control. Many vendors have implemented VFR, including Cisco and NetScreen. In this case we focus on the Cisco PIX firewall and the IOS Firewall feature set. FragGuard is one of the Cisco guards (like DNS guard, Mail guard and so on) and provides enhanced IP fragment protection from version 5.1: it performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the PIX firewall.

Also from version 5.1, the PIX performs two additional security checks on IP packets, in addition to the checks recommended by RFC 1858 against the many IP fragment-style attacks: teardrop, tiny fragment, land, and so on.

The first security check requires that each non-initial IP fragment (every fragment within a fragment set except the initial fragment) be associated with an already-seen valid initial IP fragment (the first fragment within a fragment set; this fragment should contain a layer 4 header and should have an offset of zero). As of PIX OS version 5.1, an initial fragment is not required, because fragments may arrive out of order. For the second security check, IP fragments are rate-limited to 100 full IP fragmented packets per second to each internal host.

VFR is also responsible for detecting and preventing the tiny fragment attack, the overlapping fragment attack and the buffer overflow attack in the Cisco IOS firewall feature set, but it has some restrictions, described below:


Performance Impact :

VFR will cause a performance impact because of functions such as packet copying, fragment validation, and fragment reordering. This performance impact will vary depending on the number of concurrent IP datagrams that are being reassembled.


VFR Configuration Restriction:

VFR should not be enabled on a router that is placed on an asymmetric path. The reassembly process requires all of the fragments within an IP datagram. Routers placed in the asymmetric path may not receive all of the fragments, so the fragment reassembly will fail.


SIP and RTSP Limitation:

The Session Initiation Protocol (SIP) and the Real-Time Streaming Protocol (RTSP) do not have the ability to parse port information across noncontiguous buffers. Thus, virtual fragmentation reassembly may fail. (If the application fails, the session will be blocked.)
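The checks described above (initial fragment carrying a layer 4 header, no overlapping fragments, out-of-order fragments held until the set is complete, and the 100-datagrams-per-second-per-host limit) as an added example in Python; this is not PIX or IOS code, and the 20-byte minimum for the initial fragment and the one-second sliding window are assumptions chosen here.

```python
from collections import defaultdict

MIN_INITIAL_LEN = 20   # assumption: bytes the offset-0 fragment must carry for a layer 4 header
RATE_LIMIT = 100       # the post's figure: 100 fragmented datagrams per second to each internal host

class FragmentGuard:
    """Virtual reassembly state per (src, dst, ip-id) with the checks the post describes."""

    def __init__(self):
        self.sets = {}                      # (src, dst, ident) -> {"ranges": [...], "total": None}
        self.completed = defaultdict(list)  # dst -> times at which a fragmented datagram completed

    def check(self, src, dst, ident, offset, length, more, now):
        """offset/length are in bytes, more is the MF flag; returns a verdict string."""
        st = self.sets.setdefault((src, dst, ident), {"ranges": [], "total": None})
        start, end = offset, offset + length
        # Tiny-fragment check: the initial fragment must be able to hold the layer 4 header.
        if offset == 0 and length < MIN_INITIAL_LEN:
            return "drop: tiny initial fragment"
        # Overlap check: a fragment may not rewrite bytes another fragment already supplied.
        if any(start < e and s < end for s, e in st["ranges"]):
            return "drop: overlapping fragment"
        st["ranges"].append((start, end))
        if not more:                        # the last fragment fixes the datagram length
            st["total"] = end
        if st["total"] is None or not self._covers(st["ranges"], st["total"]):
            # Fragments may arrive out of order, so an incomplete set is held, not dropped.
            return "hold: datagram incomplete"
        # Datagram virtually reassembled: apply the per-host rate check over a 1 s window.
        del self.sets[(src, dst, ident)]
        recent = [t for t in self.completed[dst] if now - t < 1.0]
        if len(recent) >= RATE_LIMIT:
            self.completed[dst] = recent
            return "drop: fragment rate exceeded for host"
        recent.append(now)
        self.completed[dst] = recent
        return "pass: datagram reassembled"

    @staticmethod
    def _covers(ranges, total):
        """True when the byte ranges seen so far cover [0, total) without gaps."""
        pos = 0
        for s, e in sorted(ranges):
            if s > pos:
                return False
            pos = max(pos, e)
        return pos >= total
```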

Posted by Mehrdad at 06:10 PM

July 17, 2004

Wrapped Sequence

Have you thought about sequence number wrapping (cycling) in a TCP connection yet?
In fact it can threaten TCP reliability: at a high transfer rate, sequence numbers may eventually be reused within the same connection in a short time, which causes duplicate sequence numbers.
We need a lifetime for a segment that is shorter than the time it takes to cycle the sequence space. To prevent wrapped sequence numbers, the maximum segment lifetime (MSL) must satisfy 2^31 / B > MSL (secs), where B is the bandwidth in bytes per second.

The following table shows the wrap time (Twrap) for some important bandwidths:

Network    B*8        B           Twrap
           bits/sec   bytes/sec   secs
--------   --------   ---------   --------------------
ARPANET    56kbps     7KBps       3*10**5 (~3.6 days)
DS1        1.5Mbps    190KBps     10**4   (~3 hours)
Ethernet   10Mbps     1.25MBps    1700    (~30 mins)
DS3        45Mbps     5.6MBps     380
FDDI       100Mbps    12.5MBps    170
Gigabit    1Gbps      125MBps     17
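The 2^31 / B bound and the table above, worked through as an added Python example (not part of the original post). It recomputes Twrap from the bit rates, tests it against an MSL of 2 minutes (the RFC 793 value, assumed here), and shows why the bound is half the sequence space: TCP's modular "before" comparison is only unambiguous while two sequence numbers are less than 2^31 apart.

```python
SEQ_SPACE = 2 ** 32          # TCP sequence numbers are 32-bit
HALF_SPACE = 2 ** 31         # the post's bound: 2^31 / B > MSL

# Constructed copy of the post's table: (network, bits per second); B is bits/8.
NETWORKS = [("ARPANET", 56_000), ("DS1", 1_500_000), ("Ethernet", 10_000_000),
            ("DS3", 45_000_000), ("FDDI", 100_000_000), ("Gigabit", 1_000_000_000)]

def twrap_seconds(bits_per_second):
    """Seconds until half the sequence space is consumed at a sustained rate of B bytes/s."""
    return HALF_SPACE / (bits_per_second / 8)

def msl_is_safe(bits_per_second, msl_seconds):
    """True when a segment that may live MSL seconds cannot collide with a wrapped sequence."""
    return twrap_seconds(bits_per_second) > msl_seconds

def seq_lt(a, b):
    """TCP's modular 'a comes before b'; it is only meaningful while |a - b| < 2^31."""
    return ((a - b) & (SEQ_SPACE - 1)) >= HALF_SPACE

def wrap_table(msl_seconds=120):
    """(network, Twrap rounded to seconds, safe at this MSL?) for each row of the post's table."""
    return [(name, round(twrap_seconds(bps)), msl_is_safe(bps, msl_seconds))
            for name, bps in NETWORKS]

if __name__ == "__main__":
    for name, twrap, safe in wrap_table():
        print(f"{name:9} Twrap={twrap:7d} s  MSL=120 s safe={safe}")
```

At gigabit rate Twrap (about 17 s) is already shorter than a 2-minute MSL, which is the case the post warns about.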

Posted by Mehrdad at 10:32 PM

July 13, 2004

TCP Tahoe and Reno

Sometimes when you read about TCP you'll see references to TCP variants; this is because there are several algorithms, for instance Tahoe, Reno, New-Reno and so on.
I'll explain Tahoe and Reno very briefly, but if you're interested I recommend reading the details. Tahoe, by Jacobson, assumed that one way of detecting a lost packet in TCP is a timeout: the timeout, derived from the round trip time (RTT), is called the retransmit timeout (RTO), and if the ack isn't received before the RTO expires, the sender can be sure that the packet is lost and must
retransmit. Another way to detect a lost packet in TCP Tahoe is duplicate acknowledgments: when the receiver doesn't get packet sequence n, it sends duplicate acknowledgments for that sequence number.
Typically, after two duplicate acknowledgments TCP Tahoe knows the packet is lost, and after three it retransmits the packet to the receiver.
This algorithm is called Fast Retransmit, and it doesn't cope well when more than one packet is lost within a single window of data.

TCP Reno improves on Tahoe by changing this behaviour. The idea is that the only way for a loss to be detected via a timeout, and not via the receipt of a duplicate ack, is when the flow of packets and acks has completely stopped. Reno also introduces a mechanism called Fast Recovery, which governs the transmission of new data until non-duplicate acks are received.
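The difference between the two variants, as an added Python example that is not from the original post: a minimal sender state machine that counts duplicate acks, triggers Fast Retransmit on the third one, and then either drops back to slow start (Tahoe) or enters Fast Recovery until a non-duplicate ack arrives (Reno). Window sizes are in segments and the initial cwnd/ssthresh values are assumptions.

```python
DUP_ACK_THRESHOLD = 3   # third duplicate ack triggers Fast Retransmit, as in the post

class Sender:
    """Congestion-control state of one TCP sender, updated per incoming ack."""

    def __init__(self, variant, cwnd=8, ssthresh=64):
        assert variant in ("tahoe", "reno")
        self.variant = variant
        self.cwnd = cwnd            # congestion window in segments (assumed start value)
        self.ssthresh = ssthresh    # slow-start threshold (assumed start value)
        self.last_ack = 0
        self.dup_acks = 0
        self.in_recovery = False
        self.retransmits = []       # sequence numbers retransmitted by Fast Retransmit

    def on_ack(self, ack):
        if ack == self.last_ack:                        # duplicate ack
            self.dup_acks += 1
            if self.in_recovery:                        # Reno: each further dup ack lets one more
                self.cwnd += 1                          # new segment out (window inflation)
            elif self.dup_acks == DUP_ACK_THRESHOLD:
                self._fast_retransmit(ack)
            return "dupack"
        self.last_ack, self.dup_acks = ack, 0           # new data acknowledged
        if self.in_recovery:                            # Reno: first non-dup ack ends Fast Recovery
            self.in_recovery = False
            self.cwnd = self.ssthresh
            return "recovered"
        if self.cwnd < self.ssthresh:
            self.cwnd += 1                              # slow start
        else:
            self.cwnd += 1 / self.cwnd                  # congestion avoidance
        return "ack"

    def _fast_retransmit(self, ack):
        self.retransmits.append(ack)                    # the missing segment starts at the acked seq
        self.ssthresh = max(int(self.cwnd) // 2, 2)
        if self.variant == "tahoe":
            self.cwnd = 1                               # Tahoe: back to slow start
        else:
            self.cwnd = self.ssthresh + DUP_ACK_THRESHOLD   # Reno: Fast Recovery
            self.in_recovery = True

    def on_timeout(self):
        """RTO expiry: the flow has completely stopped, so both variants restart slow start."""
        self.ssthresh = max(int(self.cwnd) // 2, 2)
        self.cwnd = 1
        self.dup_acks, self.in_recovery = 0, False
```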

Posted by Mehrdad at 05:51 PM

July 12, 2004



They're good people :-), and do a lot of work to keep the network up all the time.
I think sometimes they live like commandos! ;-) Can you guess who we're talking about?
Yes, exactly, they're network administrators.
People only notice network administrators when something goes wrong (bad latency or something like that), but when the network works properly, no one thinks about them at all!
Anyway, please don't forget Friday, July 30th 2004: it's System Administrator Appreciation Day, including Network, Computer, Webmaster, Telephone (PBX), Voice-Mail, Database and Email administrators.
You can send an ecard to them from

Posted by Mehrdad at 03:12 PM

July 10, 2004

Internet Explorer Still Vulnerable


Last night I read vulnerability news for Microsoft Internet Explorer again, uncovered by one person. It's the same as Download.Ject, which Microsoft patched before, but the patch didn't go far enough.
By visiting a malicious website with the Internet Explorer web browser, users can become silently infected with arbitrary code that is embedded in images! on web pages. Once installed, the code begins to log keystrokes and then calls home to servers which then upload even more payload onto infected systems.
This attack is called Download.Ject.
Anyway, I'm using Firefox, and before that I used Firebird; you can download it from http://www.mozilla.org/ , it's free and certainly user friendly.

Posted by Mehrdad at 09:13 PM

Total solution box


Sometimes you need a total solution for your network which connects to the Internet, particularly for a small or medium office; it means not enterprise, but maybe you want it.
You think about IDS, Firewall, Antivirus, NAT, VPN and so on, but how much budget do you have for your solution? If you want to buy everything then you should pay a lot of money for it; it's not cost effective.

The FortiGate is a product of Fortinet that's a total solution for your network.
Recently I've configured it for a network containing 70 clients in a building with 6 floors; it connects to the Internet by a wireless connection with around 2 Mbit/s bandwidth.

See the following features that it provides in that building with the FortiGate-60:

- Intrusion Detection and Prevention (Live update)
- Firewall (with 3 zones: Inside, Outside and DMZ)
- Anti Spam
- Anti Virus (Live update)
- IP Virtual
- Content Filtering
- MAC binding (you can bind an IP address to a MAC address)
- Traffic shaping
- Auditing and reporting

In fact it has many features, like VPN, that I didn't use but it can provide.
They talk about a powerful ASIC that they use with their OS, which is named FortiOS. For more information you can see their web site at www.fortinet.com, or if you have questions about this box, feel free to contact me.

Posted by Mehrdad at 08:11 AM