Re: Raptor Firewall

["Alex Butcher (pentest)" <pentest () cocoa demon co uk>]

On Fri, 7 Dec 2001, Stuart wrote:

> We've run a pentest against a customer recently and found that the very act
> of port scanning their Raptor firewall (running on NT) crippled its ability
> to accept incoming connections for their web site. The firewall is a new
> high spec PIII and the least line is a decent size. The nmap scans were
> standard timing (not T5 or anything daft) - once the scans were stopped,
> things burst back in to life within about 10minutes.

I experienced similar issues when scanning hosts behind a client's 
Watchguard firewall. I (together with some help from this list) put it 
down to built-in automatic IDS/blackholing of "naughty" hosts. I tried to 
get the client to disable the functionality, but either it isn't possible 
to disable completely, or...

I've never (knowingly) managed to break a Raptor FW in this way - usually 
all I see is the same open port profile for all hosts and looking to the 
world like some strange cross between NT and some flavour of UNIX. :)

> thanks
> Stuart
> IT Security Consultant, UK

Best Regards,
Alex.
-- 
Alex Butcher         Brainbench MVP for Internet Security: www.brainbench.com
Berkshire, UK      Is *your* company hiring UNIX/Security/Pen. testing folks?
PGP/GnuPG ID:0x271fd950                      http://www.cocoa.demon.co.uk/cv/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/