
Thread: Need advice on firewall situation

  1. #1

    Need advice on firewall situation

    OK, here is a situation that I need some clarity on. We run Symantec Client Services (SCS) on all of our computers. This is a firewall, IDS, anti-spyware, and antivirus all in one program. This is what my company decided to go with, good or bad. Here is the thing: if I am on computer A and start throwing suspicious packets at computer B, then computer B (because of the IDS in SCS) will block the IP address of computer A for 30 minutes. This is a good thing, but I feel that this can be a form of DoS.

    Let’s say that the email server was compromised (or got a bad NIC or NIC driver) and started throwing out packets to the whole subnet. Then all computers will ban the email server for 30 minutes and no one will be able to get their email.

    Or how about if someone got on the network and started throwing out suspicious packets with the IP address of the domain controllers? I think that this will then put the IP addresses of the domain controllers in the ban list for 30 minutes. I feel that this can create an easy denial of service attack on our network.

    I am not on the software committee that is setting up this software for deployment. I was talking to my coworker, saying that this is how I would start a DoS within my company. Is this something that we should be worried about?

    -GA
    Jive Lady: Jus' hang loose, blood. She gonna catch ya up on da' rebound on da' med side.
    Second Jive Dude: What it is, big mama? My mama no raise no dummies. I dug her rap!
    Jive Lady: Cut me some slack, Jack! Chump don' want no help, chump don't GET da' help! Jive ass dude don't got no brains anyhow! Hmmph!

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    The functionality you are referring to is more along the lines of Intrusion Prevention (IPS) rather than Intrusion Detection. I have yet to come across an IPS that does not run some risk of DoS... It's the nature of the beast.

    Your risk assessment should indicate whether the risk of the DoS is outweighed by the potential for an unknown compromise by a worm or similar threat. It's one of those "damned if you do, damned if you don't" issues really but somewhere in there it must be configurable.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    I don't know if it's something to be worried about so much as something you'll have to learn to live with. It sounds like you'll find out when rogue packets are flyin' around your LAN.

    I'd throw a Linux box on your network (if you can) and run some monitoring software like Ethereal and Etherape to get a baseline on normal traffic. Then if you have a problem, you can quickly determine the source.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by brokencrow
    I'd throw a Linux box on your network (if you can) and run some monitoring software like Ethereal and Etherape to get a baseline on normal traffic. Then if you have a problem, you can quickly determine the source.
    I'd be running it on FreeBSD.. but everyone's entitled to his/her opinion..

    I wouldn't run Ethereal.. That would mean a GUI (yes, yes, I know.. tethereal) .. I'd use the "plain" tcpdump (comes with the base install of fbsd), you can always load the pcap file in Ethereal when needed.. Heck, while you're at it why not install snort too?
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Thanks for the info; I thought that this was something that I could not get around. I understand that I want to make sure that there are no attacks on the user environment. If there is a rogue computer sending out bad packets on purpose to DoS one of the servers, then our network monitoring devices should catch that.

    I just wanted to make sure that I wasn’t missing anything.

    -GA
    Jive Lady: Jus' hang loose, blood. She gonna catch ya up on da' rebound on da' med side.
    Second Jive Dude: What it is, big mama? My mama no raise no dummies. I dug her rap!
    Jive Lady: Cut me some slack, Jack! Chump don' want no help, chump don't GET da' help! Jive ass dude don't got no brains anyhow! Hmmph!

  6. #6
    Junior Member
    Join Date
    Jun 2006
    Posts
    5
    If the email server and client are on the same network, you could just tell the IPS to not ban that IP for very long, or even at all. Having a computer on the network strictly for sniffing and various other IDS-like tasks would probably be the easiest way to do it. If you are that worried about it, have some sort of program monitoring the intra-LAN and internet speeds to check for a steep rise, and look in the IPS for something like a warning when you ban an IP.
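The mechanism argued about in post #1 (a host IPS that auto-blocks a source address for 30 minutes, and what happens when an attacker forges a domain controller's address) and the countermeasure suggested in post #6 (exempt the critical server from blocking and raise a warning instead) can both be shown in a few dozen lines. The block below is an added example written for this page; it is not code from the thread or from Symantec's product. The 30-minute ban comes from the thread; the trigger threshold, the sliding window, the address 10.0.0.10 and the alert-instead-of-block behaviour for trusted hosts are assumptions used to make the model runnable.

```python
# Added example (not from the thread or from Symantec's product): a toy model
# of a host IPS that blocks a source IP for 30 minutes once it sees enough
# "suspicious" packets. It shows the self-inflicted DoS from post #1 and the
# exemption-plus-warning idea from post #6. The 30-minute ban is from the
# thread; threshold, window and all addresses are assumptions.
from collections import defaultdict, deque
from dataclasses import dataclass, field

BAN_SECONDS = 30 * 60   # the 30-minute block described in the thread
THRESHOLD = 5           # assumed: suspicious packets within WINDOW that trigger a ban
WINDOW = 10             # assumed: sliding window, in seconds

DC_IP = "10.0.0.10"     # constructed address standing in for a domain controller


@dataclass
class HostIPS:
    """Per-host auto-blocking IPS. Addresses in `trusted` are never blocked;
    a threshold crossing from them is logged as an alert instead (post #6)."""
    trusted: frozenset = frozenset()
    bans: dict = field(default_factory=dict)                        # src_ip -> ban expiry time
    hits: dict = field(default_factory=lambda: defaultdict(deque))  # src_ip -> recent hit times
    ban_log: list = field(default_factory=list)                     # (time, src_ip)
    alerts: list = field(default_factory=list)                      # (time, src_ip)

    def observe(self, t, src_ip, suspicious):
        """Handle one inbound packet seen at time t; return True if accepted."""
        expiry = self.bans.get(src_ip)
        if expiry is not None:
            if t < expiry:
                return False          # still banned: everything from src_ip is dropped
            del self.bans[src_ip]     # ban expired, start fresh
        if not suspicious:
            return True
        q = self.hits[src_ip]
        q.append(t)
        while q and q[0] <= t - WINDOW:
            q.popleft()               # forget hits that fell out of the window
        if len(q) < THRESHOLD:
            return True
        q.clear()
        if src_ip in self.trusted:
            self.alerts.append((t, src_ip))   # warn, but keep the server reachable
            return True
        # The IPS only sees the *claimed* source address, so a forged one is banned.
        self.bans[src_ip] = t + BAN_SECONDS
        self.ban_log.append((t, src_ip))
        return False


def spoofed_flood(ips, forged_src, start):
    """An attacker on the LAN sends THRESHOLD suspicious packets whose source
    address is forged to `forged_src`; the IPS cannot tell them from real ones."""
    for i in range(THRESHOLD):
        ips.observe(start + i, forged_src, suspicious=True)


def scenario(trusted=()):
    """Flood a workstation's IPS with packets forged as the DC, then check whether
    legitimate (non-suspicious) DC traffic still gets through."""
    ips = HostIPS(trusted=frozenset(trusted))
    spoofed_flood(ips, DC_IP, start=0)
    return {
        "dc_reachable_during_ban": ips.observe(60, DC_IP, suspicious=False),
        "dc_reachable_after_ban": ips.observe(BAN_SECONDS + 10, DC_IP, suspicious=False),
        "bans": len(ips.ban_log),
        "alerts": len(ips.alerts),
    }


if __name__ == "__main__":
    print("default policy:", scenario())
    print("DC exempted   :", scenario(trusted={DC_IP}))
```

With the default policy the forged burst gets the DC's address banned on the workstation, and real DC traffic is dropped until the 30 minutes run out; with the DC in the trusted set the same burst produces a warning entry and nothing is dropped. The model deliberately ignores how the product decides what is "suspicious": the point is only that a block keyed on the source address of unauthenticated LAN packets blocks whoever the attacker chooses to impersonate, which is why the exemption list and the alert on every ban are worth configuring for servers the whole network depends on.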
