Penetration Testing mailing list archives
RE: Symantec SGS Gateway Firewall DoS vulnerability
From: Clone <c70n3 () yahoo co in>
Date: Tue, 4 Dec 2007 07:15:31 +0000 (GMT)
Well we have been fiddling with some configurations in SGS but haven't blocked DoS so far. The vendor says we need to add some more config. We will do that on further resposne. Meanwhile an INTERESTING observation. The windows machines in this network even when not connected physically or virtually to the network open a connection on giving "telnet 192.168.1.101 25" or any IP Address. I test the same thing in my network and it doesn't happen in windows machines here. Any idea with this. Looks like a Windows specific issue. --- Paul Melson <pmelson () gmail com> wrote:
The issue is when you scan (nessus/nmap) a networkwith Symantec SGS as the firewall configuredin application proxy mode, the firewall shows evennon-existent IP addresses and ports to beopen and live. This results in firewall reachingit's maximum allowable connection limit injust 2 to 3 minutes and network access throughfirewall getting choked up.Things start working well again as you stop thescan. SGS appliances were based on Symantec Enterprise Firewall, formerly known as Raptor. It's a proxy firewall, so port scans give all sorts of erroneous results. It's also capable of detecting and thwarting port scans and DoS attacks like synfloods. If you can demonstrate that, with these prevention options enabled, that performing a scan of the firewall causes disruption to other traffic not to/from the scanning IP address, then it's probably an issue. Otherwise, I don't think you've found anything.I'm pretty sure this is a serious issue andSymantec is not ready to accept it. And I wouldn't expect them to. SGS/SEF are no longer being developed or sold and will be EOL at the end of 2009. At this point, your clients need to plan to replace them anyway. If you also do firewall design & support, it sounds like an opportunity. :-) PaulM
Bring your gang together - do your thing. Go to http://in.promos.yahoo.com/groups ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- RE: Symantec SGS Gateway Firewall DoS vulnerability Clone (Dec 06)