SonicWall NSA 240 stateful inspection verification with nmap and tcpdump for PCI
Item 1.3.6 of PCI DSS states: Verify that the firewall performs stateful inspection (dynamic packet filtering). (Only established connections should be allowed in, and only if they are associated with a previously established session.)
According to the nmap documentation, you can test for a stateful packet inspection firewall with the following command. In my example I'm testing port 443 (https), as I know that it is an open port. -Pn tells nmap NOT to run the ping test, and -sA tells nmap to send an ACK packet.
# nmap -Pn -sA -p 443 #.#.#.#
nmap discussions I've read state that an "unfiltered" response indicates a stateless firewall, and a "filtered" response indicates a stateful firewall. Unfortunately, nmap lists my firewall's response as "unfiltered", i.e. stateless. This leads me to believe that the NSA 240 is NOT a stateful firewall.
If I do a tcpdump on the source system that is running nmap, I see that an ACK is sent and that an RST is returned from the target system. All of this leads me to believe that the NSA 240 is stateless and is allowing the RSTs to come back from the target system.
However, if I do a tcpdump of port 443 on the target system, I see absolutely NO packets from the source system.
I believe that the SonicWall NSA 240 is responding with the RST packet without actually forwarding the ACK packet to the target system.
So I'm sitting here wondering if nmap can accurately tell whether a system is stateful or stateless. Just because an RST packet is returned doesn't necessarily mean it is coming from the target system.
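The two-capture check described above, as an added example (not code from the original post): it parses `tcpdump -n` text from the scanner side and the target side, and decides from the target-side capture whether the ACK probe was actually forwarded, since nmap reports "unfiltered" whenever any RST comes back. The sample captures, addresses and port are constructed for the example.

```python
import re

# Matches one line of `tcpdump -n` output, e.g.
# 12:00:01.000001 IP 10.0.0.5.40000 > 203.0.113.10.443: Flags [.], ack 1, win 1024, length 0
TCPDUMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def parse_capture(text):
    """Return (src, sport, dst, dport, flags) tuples, skipping lines that are not TCP."""
    packets = []
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line.strip())
        if m:
            packets.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return packets

def classify_ack_probe(source_capture, target_capture, target_ip, port):
    """Correlate scanner-side and target-side captures of one nmap -sA probe.
    '.' is tcpdump's bare-ACK flag, 'R' is a reset. nmap says 'unfiltered' for any
    RST, so only the target-side capture shows whether the ACK was forwarded."""
    src_pkts = parse_capture(source_capture)
    tgt_pkts = parse_capture(target_capture)
    ack_sent = any(p[2] == target_ip and p[3] == port and p[4] == "." for p in src_pkts)
    rst_seen = any(p[0] == target_ip and p[1] == port and "R" in p[4] for p in src_pkts)
    ack_forwarded = any(p[2] == target_ip and p[3] == port and p[4] == "." for p in tgt_pkts)
    if not ack_sent:
        return "no ACK probe found in source capture"
    if ack_forwarded:
        return "stateless: ACK reached the target" + (", RST came from the host" if rst_seen else ", no reply seen")
    if rst_seen:
        return "stateful: ACK not forwarded, RST was sent by the firewall (nmap shows 'unfiltered')"
    return "stateful: ACK not forwarded and silently dropped (nmap shows 'filtered')"

# Constructed captures mirroring the post: the scanner sees ACK out and RST back,
# while the target's port-443 capture is empty.
SCANNER_SIDE = """\
12:00:01.000001 IP 10.0.0.5.40000 > 203.0.113.10.443: Flags [.], ack 1, win 1024, length 0
12:00:01.000500 IP 203.0.113.10.443 > 10.0.0.5.40000: Flags [R], seq 1, win 0, length 0
"""
TARGET_SIDE = ""

# Constructed contrasting case: a stateless device forwards the ACK and the host itself resets.
TARGET_SIDE_STATELESS = """\
12:00:01.000300 IP 10.0.0.5.40000 > 203.0.113.10.443: Flags [.], ack 1, win 1024, length 0
12:00:01.000400 IP 203.0.113.10.443 > 10.0.0.5.40000: Flags [R], seq 1, win 0, length 0
"""
```

Run `classify_ack_probe(SCANNER_SIDE, TARGET_SIDE, "203.0.113.10", 443)` to get the verdict for the case in the post; the same function with `TARGET_SIDE_STATELESS` shows the stateless alternative.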
Conclusion: I'm going to log a ticket with SonicWall to clarify this issue for me. And for now, I'm going to use the empty tcpdump log from the target system to verify that the NSA 240 is stateful. This should allow us to pass the PCI 1.3.6 check. But I still want an answer from SonicWall as to why it is responding with an RST packet.