Wednesday, January 8, 2014

Follow-up to "A cisco ASA breaking a fortimail (why friends don't let friends, buy a cisco ASA)"

Here's a follow-up to my earlier "fortimail" post and the FortiGuard lookup failures that I discovered.

The problem was not with the Cisco ASA, so I owe the ASA an apology.



What Fortinet did (which is unbelievable from a security company) was to use the well-known service port 53 for its antispam rating queries. They also claim the lookups are RFC compliant, btw. Well, something is flawed, because the ASA drops these queries upon inspection.


To recap the issues:

1: they (Fortinet) use the well-known port 53 for their antispam rating queries

2: the queries do not match a true DNS "query-formatted request"

3: so the ASA's DNS inspection sees these as badly constructed DNS lookups and drops the requests

4: this is what the Cisco ASA should be doing, btw (not honoring the FortiMail queries on port 53 if they are not constructed correctly)

Now we have the means to rectify the issue, either by doing what I did, bypassing the DNS inspection for the FortiMail appliances, or by changing the port the FortiMail uses to query the FortiGuard servers.
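As an added example (not configuration from the original post), here is what the first option, a per-host bypass of DNS inspection, looks like on an ASA that still runs the default global_policy with the inspection_default class. The FortiMail address 192.0.2.10 and the ACL and class-map names are placeholders; the deny line in the ACL means "do not match this class", so the FortiMail's port-53 traffic is excluded from the inspection while everyone else's port-53 traffic is still inspected.

```cisco
! Added example, not from the original post. Assumes the default
! global_policy / inspection_default class is in use and the FortiMail
! appliance sits at 192.0.2.10 (placeholder address).
!
! deny = "do not match this class": the FortiMail's udp/53 traffic is
! left out; all other udp/53 traffic is still matched.
access-list DNS-INSPECT-TRAFFIC extended deny udp host 192.0.2.10 any eq 53
access-list DNS-INSPECT-TRAFFIC extended permit udp any any eq 53
!
class-map DNS-INSPECT-CLASS
 match access-list DNS-INSPECT-TRAFFIC
!
! Take DNS inspection off the catch-all class and re-apply it only to
! the ACL-defined class, so the FortiMail queries pass uninspected.
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
 class DNS-INSPECT-CLASS
  inspect dns preset_dns_map
!
! Verify which traffic the dns inspection is now applied to.
show service-policy inspect dns
```

The policy change applies to new flows, so clear the FortiMail's existing connections (`clear conn address 192.0.2.10`) before re-monitoring the FortiGuard queries. The scoped bypass keeps the ASA doing what it should do for every other host: inspecting, and dropping, badly formed packets on port 53.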


The systems engineer at Fortinet that I spoke with didn't seem overly concerned: "using a well-known port in a fashion and means different from what it was intended for was not considered a big deal."



FWIW, any device that inspects layer-7 DNS data and happens to be in the path of the appliance could easily drop these incorrectly constructed packets (e.g. IPS, DDoS-inspection gear, SLB, etc.).

So in conclusion:

If you're downwind of a Cisco ASA and that device happens to "inspect dns", disable the DNS inspection (at least for the FortiMail's traffic) if you suspect it's dropping your FortiGuard queries, and re-monitor.


Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(   @  @  )=
          o
       /     \