Re: AW: Online Banking Issues

  • From: "William Holmes" <wtholmes@xxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 26 Jun 2003 15:13:16 -0400

Hello,

This issue happens when the Don't Fragment bit is set, and MTU path
discovery is unavailable due to uninformed firewall administrators who
think "ALL ICMP IS BAD". There are certainly ICMP based attacks but they
don't warrant completely killing off ICMP.

What would be nice is for VPNs to simply (within the tunnel) ignore the
Don't Fragment bit, or to have a DHCP option that could be used to set
the Max MTU size for the local network. It is possible to set the MTU
for an interface to something under 1400 and eliminate this problem
(Q120642) but it is not ideal.


Bill

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Thursday, June 26, 2003 10:32 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: AW: Online Banking Issues


http://www.ISAserver.org


Hi John,

Excellent info! Someone else brought up the PMTU discovery issue for his
university network, which created its own problems. I stand corrected on
this issue :)

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] 
Sent: Thursday, June 26, 2003 9:23 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: AW: Online Banking Issues


http://www.ISAserver.org


> This is what I am suspecting, and I have no problem making a registry
> change for the oddball site, or a config file change if needed for the
> same thing, but for national banking firms, they better get their
> 'stuff' straight. They still say they are working with Microsoft to get
> it fixed. I'll let the group know when they get it fixed, and what they
> did if they will tell me.

Before we shoot the site programmers, it may not be entirely their
fault.

I still have a suspicion that it is more of a security firewall issue.

Here is my conclusion on the issue I was working on for a client a month
ago:

"05/19/03 6:00 PM Case wrapup. It appears this issue was caused by a
change in the way WellsFargo does a security check on the inbound
packets. The SonicWall is set to fragment outgoing packets at 1404 to
resolve a blackhole router issue setting up VPN with Toronto, that was
done in December of 2001. Normally then, if the client does not discover
the recipient MTU, the firewall will repackage the packets to the small
size. I received more information about this from the Imail Forum group
where one person said they are probably blocking ICMP Code 3 Type 4
which would screw up the MTU path discovery, which would have allowed
the client to switch automatically to a smaller MTU size. So, by forcing
the clients to use a MTU packet size of 1400, the outbound packets were
never fragmented, and thereby never changed. This also requires updates
Q810847 and Q813951 to be installed on the client."

So, if the client, or even their firewall/router, is not able to
discover the MTU path, and the packets are fragmented at some point, the
problem appears. This is also why the problem does not occur with
regular websites, only SSL where there is additional overhead added to
the packets.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
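The mechanism John's case notes describe (a router that needs to fragment a Don't-Fragment packet, the ICMP "fragmentation needed" message carrying a next-hop MTU, a firewall that filters it, and the client-side fixed MTU of 1400 as the workaround), worked through as an added Python example. This is not code from the thread or from any product named in it; the 1404-byte link MTU, the addresses and the payload sizes are constructed for illustration, and the ICMP message layout follows RFC 1191.

```python
"""PMTUD blackhole simulation (added example; not from the mailing-list thread).

A client sends full-size IPv4 packets with the DF (Don't Fragment) bit set
through a router whose next hop has a smaller MTU. When ICMP Type 3 Code 4
("fragmentation needed and DF set", RFC 1191) is allowed back, the client reads
the Next-Hop MTU field and resends smaller packets. When a firewall filters that
ICMP type, the large packets vanish silently (a PMTU blackhole). Link MTU 1404,
the addresses and the payload sizes are constructed for the example.
"""
import struct

IP_DF = 0x4000           # Don't Fragment flag in the IPv4 flags/fragment-offset field
ICMP_DEST_UNREACH = 3    # ICMP type 3: Destination Unreachable
ICMP_FRAG_NEEDED = 4     # code 4: fragmentation needed and DF set


def _ip2int(addr):
    return struct.unpack("!I", bytes(int(o) for o in addr.split(".")))[0]


def ipv4_header(total_length, df=True, ttl=64, proto=6,
                src="192.0.2.10", dst="198.51.100.20"):
    """Minimal 20-byte IPv4 header (no options; checksum left as zero)."""
    flags_frag = IP_DF if df else 0
    return struct.pack("!BBHHHBBHII", 0x45, 0, total_length, 0x1234, flags_frag,
                       ttl, proto, 0, _ip2int(src), _ip2int(dst))


def df_set(packet):
    """True if the DF bit is set in the IPv4 header of `packet`."""
    return bool(struct.unpack("!H", packet[6:8])[0] & IP_DF)


def icmp_frag_needed(next_hop_mtu, offending_packet):
    """RFC 1191 message: type 3, code 4, checksum (zero here), 16 unused bits,
    16-bit Next-Hop MTU, then the offending IP header plus 8 bytes of its data."""
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0,
                       next_hop_mtu) + offending_packet[:28]


def parse_icmp(msg):
    """Return (type, code, next_hop_mtu) from an ICMP error message."""
    icmp_type, code, _chk, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    return icmp_type, code, mtu


class Router:
    """Forwards onto a link of `link_mtu` bytes. Oversized DF packets are dropped
    and answered with ICMP 3/4, unless `block_icmp` models the firewall policy
    that discards all ICMP, in which case nothing is sent back."""

    def __init__(self, link_mtu, block_icmp=False):
        self.link_mtu = link_mtu
        self.block_icmp = block_icmp

    def forward(self, packet):
        if len(packet) <= self.link_mtu:
            return "delivered", None
        if not df_set(packet):
            return "fragmented", None       # router would fragment and forward
        if self.block_icmp:
            return "dropped", None          # silent loss: the blackhole
        return "dropped", icmp_frag_needed(self.link_mtu, packet)


def send_with_pmtud(router, payload_len, start_mtu=1500, max_attempts=5):
    """Client side of PMTUD. Sends DF packets sized to the current MTU estimate,
    lowers the estimate on ICMP 3/4, and returns (outcome, mtu_used, attempts)."""
    mtu = start_mtu
    for attempt in range(1, max_attempts + 1):
        pkt_len = min(mtu, 20 + payload_len)
        pkt = ipv4_header(pkt_len) + b"\x00" * (pkt_len - 20)
        status, icmp = router.forward(pkt)
        if status == "delivered":
            return "ok", mtu, attempt
        if icmp is None:
            # Nothing came back, so the sender has no reason to shrink: it just
            # retransmits the same size until the connection times out.
            return "blackhole", mtu, attempt
        icmp_type, code, next_hop = parse_icmp(icmp)
        if (icmp_type, code) == (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED) and next_hop:
            mtu = next_hop
    return "gave_up", mtu, max_attempts


if __name__ == "__main__":
    open_path = Router(link_mtu=1404)
    filtered = Router(link_mtu=1404, block_icmp=True)
    print("ICMP 3/4 allowed, 1480-byte segment :", send_with_pmtud(open_path, 1480))
    print("ICMP 3/4 filtered, 1480-byte segment:", send_with_pmtud(filtered, 1480))
    print("ICMP 3/4 filtered, client MTU 1400  :", send_with_pmtud(filtered, 1480, start_mtu=1400))
    print("ICMP 3/4 filtered, 300-byte request :", send_with_pmtud(filtered, 300))
```

The last two scenarios match what the thread reports: a small request fits under the 1404-byte link even with ICMP filtered, while a full-size segment stalls, and pinning the client MTU at 1400 sidesteps discovery altogether. The firewall-side fix is to permit ICMP type 3 code 4 through rather than dropping all ICMP; the per-host MTU setting is the workaround when you do not control the filtering device.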



------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1
Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')
