dubbsix
New Contributor

TCP Handshake Exploit Defense

Read an article on Networkworld.com about TCP split handshake vulnerabilities in most firewalls, including the Fortinet FortiGate. FYI, here is the NW article: http://www.networkworld.com/news/2011/041211-hacker-exploit-firewalls.html?page=1 I wonder if there was any development on a workaround for this. If anyone would like to research the exploit and test against some mitigation steps in the FortiOS code, let me know :)
Fortinet FanBoy.
billp
Contributor

ejhardin, agreed on that. There's a bit of smoke here. There is nothing listed under "split" or "handshake" that was released in the last two days. My guess is that it has not been released yet. Can anyone confirm to the contrary?

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
edsouza_FTNT
Staff

The details for the signature "TCP.Stealth.Activity" have been updated today to give more details of what exactly the signature does. The link again: http://www.fortiguard.com/encyclopedia/vulnerability/tcp.stealth.activity.html A signature specifically targeted at the TCP split handshake will probably be released within the next few days.
Matthijs
New Contributor II

Nice and clear document about this: http://www.breakingpointsystems.com/default/assets/File/white%20papers/tcp-three-way-split-handshake.pdf
dubbsix
New Contributor

Looks like Fortinet released a formal response to the NSS Labs test, in which they say the FG is not vulnerable to the split attack. I tried to post the report, but the forums won't allow the PDF to be uploaded. If you are interested, email me: dubbsix@gmail.com
Fortinet FanBoy.
TopJimmy
New Contributor

There are no smoke and mirrors, imho. Some of you guys are misunderstanding responses by Fortinet to the articles. Tcp.Stealth.Activity has been in the sensor list since 2006 and, if enabled by you on your equipment, it will protect you from this type of attack. Fortinet is releasing an updated (most likely in name only) IPS signature that will probably be set to "drop" by default, but you will still be required to apply the sensor to your policies. Without getting into a long debate about this, I personally think the "test" was BS. Who takes a firewall out of the box, and without any real understanding of how the vendor implements protection, runs tests on them? From what I gathered, there were no UTM sensors applied to the firewall. Seriously, that's what companies pay people like us to do. It's no wonder most of the vendors failed this test. Where I think Fortinet failed in this is documenting how to combat this type of attack. It should be in the Network Defense section of their UTM guide. Anyway, I opened up a web ticket (P3) with them last week related to this and received all kinds of response within an hour. This is what they had to say:
The existing IPS signature to protect customers against split handshake threat is Tcp.Stealth.Activity http://www.fortiguard.com/encyclopedia/vulnerability/tcp.stealth.activity.html IPS Team will be releasing a specific signature named TCP.Split.Handshake to mitigate the same threat with updated description in the FortiGuard site soon.
in which I replied:
How would you generally implement this protection? Essentially, I have no firewall policies from external to internal (except for the SSL VPN policy) and have a select few from external to DMZ for our web/email/ftp servers. Would I apply the tcp.stealth.activity (or tcp.split.handshake when it's released) to any/all policies from external to internal/DMZ?
and he stated:
You are correct, you may apply the tcp.stealth.activity pre-defined signature in one IPS sensor, then apply this IPS sensor to all policies allowing the inbound traffic.
And then I asked why, based on all the articles I read about this problem, Fortinet only listed the IPS signature as a "Low" issue instead of High or Critical. Their IPS team replied to my ticket with:
The "TCP Split Handshake" is just an evasion technique; it doesn't exploit any vulnerability directly. The signature Tcp.Stealth.Activity detects the stealth activities of the TCP protocol, including the TCP Split Handshake. So we set the severity to low.
I felt satisfied with their response and implemented tcp.stealth.activity on all my IPS sensors with the action of Drop like they recommend. I suspect they will add it to their UTM Guide in the section of Network Defense the next time they publish that document.
-TJ
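For readers who want to see what the signature discussed above is looking for, here is an added detection example (my own code, not Fortinet's and not from the whitepaper linked earlier). It flags TCP flows whose handshake was "split": the responder answers the client's SYN with a bare SYN instead of SYN/ACK, so the client ends up sending the SYN/ACK and the server the final ACK. The packet dicts and addresses are constructed sample input.

```python
# Added example: minimal per-flow handshake tracker that flags split handshakes.
# Inspection engines that only recognise SYN -> SYN/ACK -> ACK can fail to
# classify a flow built this way, which is the evasion the thread is about.
SYN, ACK = 0x02, 0x10  # TCP flag bits


def flow_key(pkt):
    """Direction-independent 4-tuple so both sides land in the same flow."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (a, b) if a < b else (b, a)


def find_split_handshakes(packets):
    """Return the set of flow keys where the responder replied to the
    initiator's SYN with a SYN that carries no ACK.  `packets` is an
    in-order list of dicts with src/dst/sport/dport/flags."""
    initiator = {}  # flow key -> (addr, port) that sent the first SYN
    flagged = set()
    for p in packets:
        key, f = flow_key(p), p["flags"]
        src = (p["src"], p["sport"])
        if key not in initiator:
            if f & SYN and not f & ACK:
                initiator[key] = src
            continue
        # A retransmitted SYN from the initiator is normal; a bare SYN from the
        # other side is the split pattern.  Note an RFC 793 simultaneous open
        # looks identical on the wire, which is one reason vendors rate this low.
        if src != initiator[key] and f & SYN and not f & ACK:
            flagged.add(key)
    return flagged


def mk(src, sport, dst, dport, flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


# Constructed sample traffic (not a real capture): one normal 3-way handshake
# and one split handshake to the same web server.
NORMAL = [
    mk("10.0.0.5", 40001, "203.0.113.10", 80, SYN),
    mk("203.0.113.10", 80, "10.0.0.5", 40001, SYN | ACK),
    mk("10.0.0.5", 40001, "203.0.113.10", 80, ACK),
]
SPLIT = [
    mk("10.0.0.5", 40002, "203.0.113.10", 80, SYN),
    mk("203.0.113.10", 80, "10.0.0.5", 40002, SYN),  # bare SYN back to client
    mk("10.0.0.5", 40002, "203.0.113.10", 80, SYN | ACK),
    mk("203.0.113.10", 80, "10.0.0.5", 40002, ACK),
]

if __name__ == "__main__":
    print(find_split_handshakes(NORMAL + SPLIT))
```

In a real sensor the same check would sit in the TCP state tracker, where it can either drop the responder's bare SYN (the "Drop" action TJ describes) or just log it for review.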
BrianPro
New Contributor

Anyway, I opened up a web ticket (P3) with them last week related to this and received all kinds of response within an hour.
Thanks for sharing that info. Most welcome. Also nice to know they responded quickly to your queries regarding this :)
Paul_S
Contributor

Is the new IPS signature TCP.Split.Handshake only for 4.3? http://blog.fortinet.com/fortinet-responds-to-nss-labs-public-firewall-test/ I do not see it on my FG200B 4.2.2

FG200D 5.6.5 (HA) - primary; FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x; FAZ-VM 5.6.5 | Fortimail 5.3.11; Network+, Security+
romanr
Valued Contributor

Hi, the IPS signature has been there for quite some time and should be available in every FortiOS 4! (Actually even FortiOS 3...) With 4 MR2 Patch 6 this TCP vulnerability has been fixed at the firewall level! Best regards, Roman