Penetration Testing mailing list archives
RE: Symantec SGS Gateway Firewall DoS vulnerability
From: "Paul Melson" <pmelson () gmail com>
Date: Mon, 19 Nov 2007 16:32:35 -0500
The issue is when you scan (nessus/nmap) a network with Symantec SGS as
the firewall configured
in application proxy mode, the firewall shows even non-existent IP
addresses and ports to be
open and live. This results in firewall reaching it's maximum allowable
connection limit in
just 2 to 3 minutes and network access through firewall getting choked up. Things start working well again as you stop the scan.
SGS appliances were based on Symantec Enterprise Firewall, formerly known as Raptor. It's a proxy firewall, so port scans give all sorts of erroneous results. It's also capable of detecting and thwarting port scans and DoS attacks like synfloods. If you can demonstrate that, with these prevention options enabled, that performing a scan of the firewall causes disruption to other traffic not to/from the scanning IP address, then it's probably an issue. Otherwise, I don't think you've found anything.
I'm pretty sure this is a serious issue and Symantec is not ready to
accept it. And I wouldn't expect them to. SGS/SEF are no longer being developed or sold and will be EOL at the end of 2009. At this point, your clients need to plan to replace them anyway. If you also do firewall design & support, it sounds like an opportunity. :-) PaulM ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Symantec SGS Gateway Firewall DoS vulnerability Attari Attari (Nov 19)
- RE: Symantec SGS Gateway Firewall DoS vulnerability Paul Melson (Nov 19)