Need advice on firewall situation
Results 1 to 6 of 6

Thread: Need advice on firewall situation

  1. #1
    Junior Member
    Join Date
    Apr 2006
    Posts
    20

    Question Need advice on firewall situation

    OK here is a situation that I need some clarity on. We run Symantec Client Services (SCS) on all of our computers. This is a firewall, IDS, Anti-Spyware, and Antivirus all in one program. This is what my company decided to go with, good or bad. Here is the thing, if I am on computer A and start throwing suspicious packets to computer B then, computer B (because of the IDS in SCS) will block the IP address to computer A for 30 minutes. This is a good thing but I feel that this can be a form of DOS.

    Let’s say that the email server was compromised (got a bad NIC or NIC driver) and started throwing out packets to the whole subnet. Then all computers will then ban the email server for 30 minutes and no one will be able to get their email.

    Or how about someone got on the network and started throwing out suspicious packets with the IP address of the domain controllers, I think that this will then put the IP addresses of the domain controllers in the band list for 30 minutes. I feel that this can create an easy denial of server attack on our network.

    I am not on the Software committee that is setting up this software for deployment. I was talking to my coworker saying that this is how I would start a DOS within my company. Is this something that we should be worried about?

    -GA
    Jive Lady: Jus\' hang loose, blood. She gonna catch ya up on da\' rebound on da\' med side.
    Second Jive Dude: What it is, big mama? My mama no raise no dummies. I dug her rap!
    Jive Lady: Cut me some slack, Jack! Chump don\' want no help, chump don\'t GET da\' help! Jive ass dude don\'t got no brains anyhow! Hmmph!

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    The functionality you are referring to is more along the lines of Intrusion Prevention, (IPS), rather than Intrusion Detection. I have yet to come across an IPS that does not run some risk of DoS... It's the nature of the beast.

    Your risk assessment should indicate whether the risk of the DoS is outweighed by the potential for an unknown compromise by a worm or similar threat. It's one of those "damned if you do, damned if you don't" issues really but somewhere in there it must be configurable.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #3
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,242
    I don't know if it's something to be worried about so much as something you'll have to learn to live with. It sounds like you'll find out when rogue packets are flyin' around your LAN.

    I'd throw a Linux box on your network (if you can) and run some monitoring software like Ethereal and Etherape to get a baseline on normal traffic. Then if you have a problem, you can quickly determine the source.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Originally posted here by brokencrow
    I'd throw a Linux box on your network (if you can) and run some monitoring software like Ethereal and Etherape to get a baseline on normal traffic. Then if you have a problem, you can quickly determine the source.
    I'd be running it on FreeBSD.. but everyone's entitled to his/her opinion..

    I wouldn't run Ethereal.. That would mean a GUI (yes, yes, I know.. tethereal) .. I'd use the "plain" tcpdump (comes with the base install of fbsd), you can always load the pcap file in Ethereal when needed.. Heck, while you're at it why not install snort too?
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Junior Member
    Join Date
    Apr 2006
    Posts
    20
    Thanks for the info; I thought that this was something that I could not get around. I understand that I want to make sure that there are no attacks on the user environment. If there is a rouge computer sending out bad packets on purpose to DOS one of the servers then our network monitoring devices should catch that.

    I just wanted to make sure that I wasn’t missing anything.

    -GA
    Jive Lady: Jus\' hang loose, blood. She gonna catch ya up on da\' rebound on da\' med side.
    Second Jive Dude: What it is, big mama? My mama no raise no dummies. I dug her rap!
    Jive Lady: Cut me some slack, Jack! Chump don\' want no help, chump don\'t GET da\' help! Jive ass dude don\'t got no brains anyhow! Hmmph!

  6. #6
    Junior Member
    Join Date
    Jun 2006
    Posts
    5
    If the email server and client are on the same network, you could just tell the IPS to not ban that ip for very long or even at all. Having a computer on the network strickly for sniffing and various other IDS like tasks would probably be the easiest way to do it. If you are that worried about it have some sort of program monitoring the intra-lan and internet speeds to check for a steep rise, look in the IPS for something like a warning when u ban an IP.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •