RE: Symantec SGS Gateway Firewall DoS vulnerability

From: Clone (c70n3@yahoo.co.in)
Date: Tue Dec 04 2007 - 02:15:31 EST

• Next message: Sutton, Paul A.: "RE: Scanning a system with HIPS installed?"
• Previous message: Clone: "SMTP Pen Test"
• In reply to: Paul Melson: "RE: Symantec SGS Gateway Firewall DoS vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Well we have been fiddling with some configurations in
SGS but haven't blocked DoS so far. The vendor says we
need to add some more config. We will do that on
further resposne.

Meanwhile an INTERESTING observation. The windows
machines in this network even when not connected
physically or virtually to the network open a
connection on giving "telnet 192.168.1.101 25" or any
IP Address. I test the same thing in my network and it
doesn't happen in windows machines here.

Any idea with this. Looks like a Windows specific
issue.
 
--- Paul Melson <pmelson@gmail.com> wrote:

> > The issue is when you scan (nessus/nmap) a network
> with Symantec SGS as
> the firewall configured
> > in application proxy mode, the firewall shows even
> non-existent IP
> addresses and ports to be
> > open and live. This results in firewall reaching
> it's maximum allowable
> connection limit in
> > just 2 to 3 minutes and network access through
> firewall getting choked up.
> > Things start working well again as you stop the
> scan.
>
> SGS appliances were based on Symantec Enterprise
> Firewall, formerly known as
> Raptor. It's a proxy firewall, so port scans give
> all sorts of erroneous
> results. It's also capable of detecting and
> thwarting port scans and DoS
> attacks like synfloods. If you can demonstrate
> that, with these prevention
> options enabled, that performing a scan of the
> firewall causes disruption to
> other traffic not to/from the scanning IP address,
> then it's probably an
> issue. Otherwise, I don't think you've found
> anything.
>
>
> > I'm pretty sure this is a serious issue and
> Symantec is not ready to
> accept it.
>
> And I wouldn't expect them to. SGS/SEF are no
> longer being developed or
> sold and will be EOL at the end of 2009. At this
> point, your clients need
> to plan to replace them anyway. If you also do
> firewall design & support,
> it sounds like an opportunity. :-)
>
> PaulM
>
>

      Bring your gang together - do your thing. Go to http://in.promos.yahoo.com/groups

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

• Next message: Sutton, Paul A.: "RE: Scanning a system with HIPS installed?"
• Previous message: Clone: "SMTP Pen Test"
• In reply to: Paul Melson: "RE: Symantec SGS Gateway Firewall DoS vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:14 EDT