Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Symantec SGS Gateway Firewall DoS vulnerability

from [Clone] Network Security [Permanent Link]
Subject: RE: Symantec SGS Gateway Firewall DoS vulnerability
Date: Tue, 4 Dec 2007 07:15:31 +0000 (GMT) 
Well we have been fiddling with some configurations in
SGS but haven't blocked DoS so far. The vendor says we
need to add some more config. We will do that on
further resposne.

Meanwhile an INTERESTING observation. The windows
machines in this network even when not connected
physically or virtually to the network open a
connection on giving "telnet 192.168.1.101 25" or any
IP Address. I test the same thing in my network and it
doesn't happen in windows machines here.

Any idea with this. Looks like a Windows specific
issue. 
 
--- Paul Melson <pmelson@gmail.com> wrote:


The issue is when you scan (nessus/nmap) a network

with Symantec SGS as
the firewall configured 

in application proxy mode, the firewall shows even

non-existent IP
addresses and ports to be 

open and live. This results in firewall reaching

it's maximum allowable
connection limit in 

just 2 to 3 minutes and network access through

firewall getting choked up.

Things start working well again as you stop the

scan.

SGS appliances were based on Symantec Enterprise
Firewall, formerly known as
Raptor.  It's a proxy firewall, so port scans give
all sorts of erroneous
results.  It's also capable of detecting and
thwarting port scans and DoS
attacks like synfloods.  If you can demonstrate
that, with these prevention
options enabled, that performing a scan of the
firewall causes disruption to
other traffic not to/from the scanning IP address,
then it's probably an
issue.  Otherwise, I don't think you've found
anything.



I'm pretty sure this is a serious issue and

Symantec is not ready to
accept it.

And I wouldn't expect them to.  SGS/SEF are no
longer being developed or
sold and will be EOL at the end of 2009.  At this
point, your clients need
to plan to replace them anyway.  If you also do
firewall design & support,
it sounds like an opportunity. :-)

PaulM






      Bring your gang together - do your thing. Go to 
http://in.promos.yahoo.com/groups


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • RE: Symantec SGS Gateway Firewall DoS vulnerability, Clone <=
Previous by Date:  SMTP Pen Test, Clone
Next by Date:  RE: Scanning a system with HIPS installed?, Sutton, Paul A.
Previous by Thread:  SMTP Pen Test, Clone
Next by Thread:  The first release of SWFIntruder is out !, Stefano Di Paola
Indexes:  [Date] [Thread] [Top] [All Lists]