Re: nmap brings CheckPoint Firewall-1 down

[Dan White <dwhite () securecommercesystems com>]

Hi Marc,

Did your Nokia Checkpoint FW-1/VPN-1 have SmartDefense turned on?

Dan White
Secure Commerce Systems

---- Matt Hargett <matt () use net> wrote:
> Marc Ruef wrote:
> > Has somebody else seen such a behavior and know how to re-configure FW1, Nessus and/or nmap to get a stable 
> > environment for the usual Nessus testing? A possible workaround would be to de-activate nmap/postscanning within 
> > the Nessus testing. But this does not eliminate the danger of such a weak installation as it tends to be in place. 
> > One of our workaround approach was to optimize the FW1 configuration. First of all we implemented a connection 
> > limit to 100 connections per host. This made some really nasty false negatives during the mapping, nmap and Nessus 
> > scanning. Furthermore we implemented SYN flood detection to 100 half-open connections. This was able to prevent the 
> > full DoS. But partially a timeout could be detected. A full break-down of the firewalls was not possible anymore. 
> > False negatives are still given.
>
> I saw similar behaviour in several different firewall and VPN products 
> using nmap and isic while working at a job in 1998. There were bugs in 
> the code -- no configuration seemd to help things.
>
> In one case, their connection-state table in kernel memory grew 
> unchecked, causing the kernel to run out of nonpaged memory, and 
> resulting in a null pointer reference after kmalloc() started failing.
>
> Check out my slides from defcon 7 or 8 about testing, it is still very 
> effective from what I have seen.
>
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev