Re: Symantec Gateway Security
From: Chad Skipper (cskipper@symantec.com)Date: 06/19/02
To: "Dante Mercurio" <dmercurio@ccgsecurity.com> From: "Chad Skipper" <cskipper@symantec.com> Date: Wed, 19 Jun 2002 16:00:22 -0500
Dante,
I am the QA Manager for the IDS portion of the Symantec Gateway Security
appliance. I don't want to start a lengthy thread on this issue - but I do
think your question deserves an informed response.
Signatures - 78
Type - Atomic
You can enable or disable each signature, meaning alert or do not alert.
You can gate or non-gate each signature - Gated sends a message to drop the
remaining packets for that session on which the signature was alerted.
Non-Gated means alert but do not drop.
The product does not yet have a Custom signature editing capability.
As far as a DoS because of forged packets - we use a technique that we
call squelching. If a signature alerts more than X times during a given
time period we then discontinue alerting.
Signatures pushed down from LiveUpdate are enabled, however we look at the
config file before LiveUpdate and DO NOT overwrite any custom
configurations.
Symantec Gateway Security is the first comprehensive gateway protection
solution that addresses the unique security needs of small and medium-sized
offices by combining five essential network security functions in a single,
easy-to-manage appliance. The fully integrated rack-mountable unit protects
against today's multi-faceted security threats through a unique combination
of state-of-the-art firewall, anti-virus, Internet content filtering,
intrusion detection, and virtual private networking technologies.
http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=133&PID=11670364&EID=0
Thanks,
Chad R. Skipper
Manager, SQA Engineering
Symantec Corp
On 06/19/2002 11:02 AM, "Dante Mercurio" <dmercurio@ccgsecurity.com> wrote
(To: <focus-ids@securityfocus.com>, Subject: Symantec Gateway Security):
I have a customer interested in this device because of its all
encompassing border security features, including IDS. I have never
installed one of these so this information is hearsay from a Symantec
engineer. According to him, the IDS on this device has about 80
signatures, and they can directly change security policy by adding
blocked IPs to the device. Either the rules are on, or off. In
addition, there is no way to add exceptions to this (like root DNS), and
no way to edit the block time. It would appear that a DoS on this system
would be very easy with forged packets once you know what signatures
it's using. In addition, the signatures are updated with their Live
Update subscription. Anyone know if this means the signatures pushed
down are automatically enabled?
Anyone have any further info on this device? Should I steer my customer
away from it?
M. Dante Mercurio, CCNA, MCSE+I, CCSA
dmercurio@ccgsecurity.com
Consulting Group Manager
Continental Consulting Group, LLC
www.ccgsecurity.com
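The enable/disable, gated/non-gated and squelching behaviour Chad describes, as an added example that is not Symantec's code and is not part of the original thread. It models squelching as a per-signature sliding window; the threshold (5 alerts) and window (60 seconds) are assumed values, since the appliance's real X and time period are not stated in the thread. The constructed event list also shows the consequence Dante's DoS question points at: once a flood of forged packets trips a signature more than X times, that signature stops alerting for the rest of the window, so a genuine hit from another source in the same window is silenced too, and alerting only resumes after the window has aged out.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class SignatureConfig:
    """Per-signature policy as described in the thread: alert or not, drop or not."""
    enabled: bool = True   # disabled => no alert, no drop
    gated: bool = False    # gated => alert and drop the rest of the session


@dataclass
class Event:
    ts: int        # seconds (constructed, relative clock)
    sig_id: int
    src: str


class Squelcher:
    """Sliding-window squelch: after max_alerts hits on one signature within
    window seconds, further hits on that signature are suppressed. Assumed
    model of the mechanism, not Symantec's implementation."""

    def __init__(self, max_alerts: int, window: int):
        self.max_alerts = max_alerts
        self.window = window
        self._hits: dict[int, deque] = {}
        self.suppressed: dict[int, int] = {}

    def observe(self, sig_id: int, ts: int) -> bool:
        """Record a hit; return True if an alert should still be emitted."""
        q = self._hits.setdefault(sig_id, deque())
        # Age out hits that fell outside the window (timestamps are monotonic).
        while q and ts - q[0] >= self.window:
            q.popleft()
        q.append(ts)
        if len(q) > self.max_alerts:
            self.suppressed[sig_id] = self.suppressed.get(sig_id, 0) + 1
            return False
        return True


def process(events, configs, squelcher):
    """Apply per-signature policy, then squelching; return the actions taken."""
    actions = []
    for ev in events:
        cfg = configs.get(ev.sig_id)
        if cfg is None or not cfg.enabled:
            continue                      # disabled: neither alert nor drop
        if not squelcher.observe(ev.sig_id, ev.ts):
            continue                      # squelched: silent, no drop either
        action = "alert+drop" if cfg.gated else "alert"
        actions.append((ev.ts, ev.sig_id, ev.src, action))
    return actions


# Constructed configuration: three hypothetical signature IDs.
CONFIGS = {
    3: SignatureConfig(enabled=True, gated=True),    # alert and drop session
    7: SignatureConfig(enabled=True, gated=False),   # alert only
    12: SignatureConfig(enabled=False),              # turned off
}

# Constructed traffic: ten forged hits on sig 7 in ten seconds (the flood),
# one gated hit on sig 3, one hit on a disabled signature, then a genuine
# sig 7 hit from a different source inside the window and one after it.
EVENTS = [Event(t, 7, "10.0.0.1") for t in range(10)] + [
    Event(1, 12, "10.0.0.2"),
    Event(2, 3, "198.51.100.4"),
    Event(12, 7, "203.0.113.9"),   # real hit, silenced by the earlier flood
    Event(75, 7, "203.0.113.9"),   # window has aged out, alerting resumes
]


def run_demo(max_alerts: int = 5, window: int = 60):
    sq = Squelcher(max_alerts, window)
    actions = process(EVENTS, CONFIGS, sq)
    return actions, dict(sq.suppressed)


if __name__ == "__main__":
    acts, supp = run_demo()
    for a in acts:
        print(a)
    print("suppressed per signature:", supp)
```

With the assumed values, the first five flood packets alert, the next five are squelched, the genuine hit at t=12 is squelched along with them, and the hit at t=75 alerts again. Note that a squelched, gated signature also stops dropping in this model; whether the real appliance keeps the drop in force while squelched is not stated in the thread.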