Risk of enabling TCP Session Without SYN
Hi,
I need to understand the risks of enabling tcp-session-without-syn for an asymmetric environment. Can someone help explain to me all the risks if I enable this?
Thank you
Labels: FortiGate
Hello @arie_arie ,
Normally, a TCP session starts with a three-way handshake, beginning with a SYN (synchronize) packet. This ensures both sides are aware of the connection and establishes initial sequence numbers for data transmission. Enabling "tcp-session-without-syn" is risky because it bypasses the normal SYN packet handshake in TCP connections. This makes it easier for attackers to hijack sessions, perform replay attacks, confuse connection states, and bypass security measures, thereby compromising network security.
NSE 4-5-6-7 OT Sec - ENT FW
Hi Arie
In addition to Atlas' explanation, please check these two tech tips.
Also let me add: if you need to enable asymmetric routing, this should mean that your design still needs improvement, because you don't have full control over security.
At least try to use FGSP and/or auxiliary sessions, which give more security control compared with asymmetric sessions.
Hi,
How about UTM inspection in FortiGate? Does UTM inspection still work when enabling tcp-session-without-syn?
Thank you
I don't think so. Without SYN there should be no UTM inspection for those sessions.
Hi,
Thank you for the insight about the feature risk.
If I have 1 FortiGate with 2 uplinks to ISPs, where the outgoing traffic goes to ISP-1 and the return traffic comes back via ISP-2, do I need to enable tcp-session-without-syn to prevent the traffic from being dropped because it arrives on a different interface of the FortiGate?
Thank you
You may enable auxiliary sessions; this will keep UTM working in this case.
There are many tech tips about auxiliary sessions, but you can start here.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-SD-WAN-Auxiliary-Sessions/ta-p/229467
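As an added illustration (not from this thread or from Fortinet's documentation, and written from memory of FortiOS CLI syntax, so verify the keywords against your firmware's CLI reference): the setting the thread warns about placed next to the auxiliary-session alternative recommended above, followed by a session-table check. The policy ID and the destination address are constructed placeholders.

```text
# --- Option A: the setting the thread warns about ---
# Any in-flight packet may create a session, so the FortiGate never sees the
# handshake (no initial sequence numbers) and has no stream to reassemble for
# proxy/flow inspection on those flows.
config system settings
    set tcp-session-without-syn enable      # VDOM-level switch
end
config firewall policy
    edit 1                                  # placeholder policy ID
        set tcp-session-without-syn all     # or data-only; disable is the default
    next
end

# --- Option B: one FortiGate, two ISP uplinks, replies on the other link ---
# The reply arriving on the second interface is tied back to the original
# session through an auxiliary session, so UTM stays attached to the flow.
config system settings
    set tcp-session-without-syn disable
    set auxiliary-session enable
end

# --- Verify: inspect the session table for a test destination ---
diagnose sys session filter clear
diagnose sys session filter dst 203.0.113.10   # constructed sample address
diagnose sys session list
```

Compare the listed session entries before and after a test connection: with Option B you should see the flow tracked from its SYN, rather than a session that first appears mid-stream.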
