In-Reply-To: <[EMAIL PROTECTED]>
Hi, if you are allowing telnet connections between two internal networks but not between the internet and an internal network, port 23 will still appear open to an external scan. You will even be able to connect and see the telnet banner, though any username/password combo you try will be blocked by the rule base (layer 7). This does seem to offer DoS possibilities due to the amount of work Raptor does for a connection which will always be dropped. I have been unable to find anyone in Symantec to offer an explanation of Raptor's use of networking buffers and how to tune them; I get conflicting, confused explanations from their consultants.

I think that customers should be advised to add some basic packet filtering for traffic coming from the internet. This can be done on the Raptor itself using an inbound filter on the internet interface, or it could be done on your border router, so giving the scanner no chance to open any telnet connections. It at least stops script kiddies messing around with passwords, using up bandwidth and resources. The point is that if you use a packet filter to block all traffic which is definitely not allowed, you will just see a couple of filtered ports in nmap, and because of the rule base behind it, it is much more difficult to get anywhere.

I am surprised that ports 416/8 were not in the original list, as these are management ports. They normally listen on every interface. This makes them more interesting, as these will typically be the only ports listening for connections to the firewall rather than through the firewall. The authentication is based on source IP and password. As the allowed IP will probably be an internal illegal IP, I guess that it would be difficult to take advantage of.

I believe that Raptor 7 avoids some of these issues, as proxies only listen on interfaces where allowed traffic would arrive. I have not tried anything on Raptor 7, so I would be interested to hear of any experiences people have pen testing Raptor 7.
One further note: whenever I use nmap to scan a Raptor it tells me that it's an AIX, so I'm curious as to how the original post identified the firewall as Raptor 6.5. Is it possible to determine if the Raptor runs on Solaris or NT?

Peter

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service, which automatically alerts you to the latest security vulnerabilities, please see: https://alerts.securityfocus.com/
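The check below is an added example, not part of Peter's message or any Symantec tooling: it reads the grepable (`-oG`) output of an nmap scan run from outside your own firewall and reports where port 23 or the management ports 416/418 named in the post still accept connections instead of showing as filtered. The scan text is a constructed sample using documentation addresses, and the port set is an assumption taken from the post.

```python
"""Audit an external nmap scan (-oG grepable output) of a proxy firewall."""
import re

# Assumption from the post: ports that should never be open to the internet,
# 23 (telnet proxy) and 416/418 (the management ports it mentions).
MUST_NOT_BE_OPEN = {23, 416, 418}

# Constructed sample, not a real scan (192.0.2.0/24 is a documentation range).
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 23/open/tcp//telnet///, 25/open/tcp//smtp///, 416/open/tcp/////, 418/filtered/tcp/////
Host: 192.0.2.20 ()\tPorts: 23/filtered/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (998)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")


def parse_grepable(text):
    """Return {host: {(port, proto): state}} from nmap -oG text."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a Host record
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")  # port/state/proto/owner/service/...
                if len(parts) < 3 or not parts[0].isdigit():
                    continue
                hosts.setdefault(m.group(1), {})[(int(parts[0]), parts[2])] = parts[1]
    return hosts


def exposed(hosts, forbidden=MUST_NOT_BE_OPEN):
    """List (host, port) pairs that accept TCP connections but should be filtered."""
    return sorted(
        (host, port)
        for host, ports in hosts.items()
        for (port, proto), state in ports.items()
        if proto == "tcp" and port in forbidden and state == "open"
    )


if __name__ == "__main__":
    for host, port in exposed(parse_grepable(SAMPLE_SCAN)):
        print(f"{host}: tcp/{port} is open to the scanner; add an inbound packet filter")
```

A port that shows as `filtered` after the inbound filter is added drops out of the report, which is the result the post describes.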
