RE: Symantec SGS Gateway Firewall DoS vulnerability

From: "Paul Melson" <pmelson@xxxxxxxxx>
Date: Mon, 19 Nov 2007 16:32:35 -0500

The issue is when you scan (nessus/nmap) a network with Symantec SGS as

the firewall configured

in application proxy mode, the firewall shows even non-existent IP

addresses and ports to be

open and live. This results in firewall reaching it's maximum allowable

connection limit in

just 2 to 3 minutes and network access through firewall getting choked up.
Things start working well again as you stop the scan.

SGS appliances were based on Symantec Enterprise Firewall, formerly known as
Raptor. It's a proxy firewall, so port scans give all sorts of erroneous
results. It's also capable of detecting and thwarting port scans and DoS
attacks like synfloods. If you can demonstrate that, with these prevention
options enabled, that performing a scan of the firewall causes disruption to
other traffic not to/from the scanning IP address, then it's probably an
issue. Otherwise, I don't think you've found anything.

I'm pretty sure this is a serious issue and Symantec is not ready to

accept it.

And I wouldn't expect them to. SGS/SEF are no longer being developed or
sold and will be EOL at the end of 2009. At this point, your clients need
to plan to replace them anyway. If you also do firewall design & support,
it sounds like an opportunity. :-)

PaulM

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

References:
- Symantec SGS Gateway Firewall DoS vulnerability
  - From: Attari Attari

Prev by Date: RE: Oracle SQL Injection vulnerability
Next by Date: RE: Oracle SQL Injection vulnerability
Previous by thread: Symantec SGS Gateway Firewall DoS vulnerability
Index(es):
- Date
- Thread

Relevant Pages

Re: keeping ports open
... If a port is open, it means that 1) a software or service is running on your ... and 2) you're not using a firewall or your firewall isn't ... Use firewall software and hardware and antivirus software that is ... Follow the instructions for hardening Windows and IIS at ...
(microsoft.public.security)
Re: How to Maintain an IIS Server?
... > server running on a Windows 2000 server. ... before a firewall and antivirus have been installed]. ... open ports; however, this will not identify which program is using the port. ...
(microsoft.public.inetserver.iis.security)
Re: CEICW fails at firewall config
... ISA Server prevents connection to a remote desktop when you connect through ... Remote Web Workplace on a Windows Small Business Server 2003-based computer ... Acceleration Server as a firewall. ... connection uses TCP port 4125. ...
(microsoft.public.windows.server.sbs)
Re: How to Maintain an IIS Server?
... >> server running on a Windows 2000 server. ... > before a firewall and antivirus have been installed]. ... > program or executable using that port. ...
(microsoft.public.inetserver.iis.security)
Re: Is secedit.exe left by a hacker?
... > tested on port 445. ... > I have a Linksys router that I use as a firewall to my ... Secedit.exe is the name of a legitimate Windows file, ... investigate the files on your computer - antivirus with the latest updates ...
(microsoft.public.win2000.security)