Beth,
I have used this product before. While I see your concern about
amplification, this can be defeated from outside threats using
filters/firewall. This may still leave you open to internal amplification
attacks. When I worked with it, we did not notice a degradation in network
performance. This was a small/medium site with approximately 900
workstations. I did not try to use it as an amplification, but I would
assume that this would be easy. Although, if I do remember correctly, the
hosts did not respond unless they were authenticated using NT domain accounts.
I hope this helps.
Matt
At Thursday 6/28/2001 07:51 AM, Young, Beth A. wrote:
>Through some discussions I have had with several people, I have a concern
>about NAV 7.5 server/client setup. I wanted other expert opinions on this
>issue. I am including some text from an email with a Symantec Engineer. My
>questions/comments are in [brackets].
>
> >When NSCTOP starts, it initiates a quick discovery, which is
> >essentially a broadcast ping to the entire subnet. It asks
> >that any application listening on port 38293 please respond
> >with a pong packet. Any computers running PDS will respond to
> >the ping with a pong packet.
>[Can this be used in a type of smurf amplification attack??? Especially
>taken with the next comment?]
> >Intense Discovery. Walks the Network Neighborhood, attempting
> >to ping all computers it finds.
>
>[And lastly we have a built-in Network scanner??]:
> >Scan Network tab. The scan network feature of the "Find
> >Computer" dialog allows you to scan a range of IP Addresses,
> >or IP subnets in order to find computers. Using the IP address
> >scan, you enter a range of IP addresses, which the dialog will
> >then loop through. The dialog requests the discovery service
> >to ping each address, and brings in any servers it finds.
> >Using the IP subnet scan, you can send broadcast packets to
> >specific subnets. This scan can circumvent routers that stop
> >normal broadcast packets.
>
>------------
>
>Am I missing something here or am I being way too paranoid about this
>application? Does anybody use server/client setup in their organization
>that can send me comments about this traffic and how it affects their
>bandwidth? Has anybody tried to use this as a smurf amplification tool?
>
>Beth Young
>MOREnet Security
>1.800.509.6673
>http://www.more.net/
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
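
An added example, not part of the original thread and not Symantec code: a check over flow records that separates the two cases discussed above, broadcast discovery pings to port 38293 arriving from outside (which a border filter should be dropping) and the response fan-out of internal ones. The 10.1.0.0/16 range, the /24 subnets, the flow tuple layout, and the assumption that a pong comes back from port 38293 to the requester's source port are all constructed for illustration.

```python
import ipaddress

PDS_PORT = 38293  # discovery port named in the quoted Symantec text
# Assumption: internal range and subnet size are constructed for this example.
INTERNAL = ipaddress.ip_network("10.1.0.0/16")
SUBNET_PREFIX = 24

# Constructed flow records: (src, sport, dst, dport, bytes)
FLOWS = [
    ("10.1.5.20", 40000, "10.1.5.255", 38293, 60),    # internal broadcast ping
    ("10.1.5.31", 38293, "10.1.5.20", 40000, 120),    # pong
    ("10.1.5.32", 38293, "10.1.5.20", 40000, 120),    # pong
    ("10.1.5.33", 38293, "10.1.5.20", 40000, 120),    # pong
    ("203.0.113.9", 5555, "10.1.7.255", 38293, 60),   # outside source, directed broadcast
    ("10.1.5.20", 40001, "10.1.5.40", 38293, 60),     # unicast ping, not a broadcast
]

def is_broadcast(dst):
    """True for the limited broadcast or an internal subnet's broadcast address."""
    addr = ipaddress.ip_address(dst)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return True
    if addr not in INTERNAL:
        return False
    subnet = ipaddress.ip_network(f"{dst}/{SUBNET_PREFIX}", strict=False)
    return addr == subnet.broadcast_address

def analyze(flows):
    """Return (external broadcast pings, per-request fan-out statistics)."""
    external, fanout = [], {}
    for src, sport, dst, dport, size in flows:
        if dport == PDS_PORT and is_broadcast(dst):
            if ipaddress.ip_address(src) not in INTERNAL:
                external.append((src, dst))  # should have been filtered at the border
            fanout[(src, sport)] = {"request_bytes": size,
                                    "responders": set(), "response_bytes": 0}
    for src, sport, dst, dport, size in flows:
        entry = fanout.get((dst, dport))
        if sport == PDS_PORT and entry is not None:
            entry["responders"].add(src)
            entry["response_bytes"] += size
    return external, fanout

def amplification(entry):
    """Bytes delivered to the claimed requester per byte of broadcast request."""
    return entry["response_bytes"] / entry["request_bytes"]
```
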