Re: Re[2]: [Full-disclosure] Personal firewalls.

2006-01-21 Thread Dude VanWinkle
On 1/20/06, Eliah Kagan [EMAIL PROTECTED] wrote:
>> Z sends spoofed packets coming from the DNS server of X even more
>> interesting..
>
> When Sygate PRO blackholes a host, does it block only unsolicited
> packets (bad), or does it block *all* incoming packets from that host
> (worse)?

It blocks all traffic from the IP address, you can verify this by
looking in the advanced rules section after being scanned.

Watch out for Proventia/RSDP as well as BlackIce. Even though their
xml file for distributing rules and policies is one of the best I have
seen, their effect on performance is one of the worst I have seen, and
they don't protect your machine from disgruntled employees
(ahem..Witty), nor the determined attacker.

One good way to test a firewall to see if it will hold its mettle is
by nmapping a machine with -p 1-65353. Then see how your network
performance is degraded. Also an intense nessus scan against the
firewalled machine will help show you how the server/workstation will
perform while under an attack.

My experience with proventia/realsecure/blackice is that it grinds
your machine to a halt (or at least _really_ slows it down) for up to
30 min from an intense nessus scan.

One reason I did not go with ZoneAlarm at the workplace was due to the
fact that (given this was a year ago) it kept forgetting settings.
Also my employer had a site license for ZA, but if you use it for
business, you are supposed to pony up a lic. fee. ZoneAlarm is free
for _personal_ use only.

One reason I did not like Sygate was, if you enabled application
protection then 1 month later installed hotfixes from MS that updated
a system file, after your machine rebooted, then Sygate would block
(e.g. kernel32.dll) as an untrusted app. You can re-scan your system
files after installing the patch, but when you have an automated
patching solution, this can sometimes be hard. Booting in safe mode
and disabling Sygate was the resolution for that issue.

On second thought, I would advise against running application
protection (in its current form) on any software firewall. The
technology is just not mature enough for production environments (or
wasn't 4 months ago; that could (should ;-) have changed by now).

-JP
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: Re[2]: [Full-disclosure] Personal firewalls.

2006-01-20 Thread Eliah Kagan
> Z sends spoofed packets coming from the DNS server of X even more
> interesting..

When Sygate PRO blackholes a host, does it block only unsolicited
packets (bad), or does it block *all* incoming packets from that host
(worse)?

-Eliah

On 1/20/06, Thierry Zoller [EMAIL PROTECTED] wrote:
> Dear Eliah Kagan,
>
> EK> Then Z comes along and sends a
> EK> bunch of SYN packets to X, spoofed to have the source IP of Y, waits
> EK> 10 minutes, and repeats ad infinitum.
>
> Z sends spoofed packets coming from the DNS server of X even more
> interesting..
>
> --
> http://secdev.zoller.lu
> Thierry Zoller
> Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7


RE: Re[2]: [Full-disclosure] Personal firewalls.

2006-01-20 Thread William DeRieux
Any self-respecting network administrator (who knows what he/she is doing)
would have planned for that
and set up some kind of overriding ruleset that will always allow
communication to/from its own resources.
A.K.A., the BLACKHOLE / IP BANNING would be overridden for IPs and resources
like that of its DNS servers.
But that could, too, be exploited.
If Z spoofs packets using the IP of the DNS server (the one that is not
banned because of the override or 'never ban these IPs', etc.), it
would be allowed to send those packets, SYN packets, etc., as was stated, ad
infinitum.

As they say, no computer or server is ever *TRULY* secure - even with a
software or hardware firewall or 'voodoo-like' security measures.
Digitalchaos
(just my 2 cents)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thierry
Zoller
Sent: Friday, January 20, 2006 5:58 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re[2]: [Full-disclosure] Personal firewalls.


Dear Eliah Kagan,

EK> Then Z comes along and sends a
EK> bunch of SYN packets to X, spoofed to have the source IP of Y, waits
EK> 10 minutes, and repeats ad infinitum.

Z sends spoofed packets coming from the DNS server of X even more
interesting..

-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7



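The blackhole behaviour the thread argues about, modelled as an added Python example that is not part of the thread and not the code of Sygate, Proventia, BlackIce or any other product named in it: Eliah's question (does a ban drop only unsolicited packets, or everything from that address?), Dude's answer that the product drops all traffic from the banned address, and William's point that an "always allow my DNS server" override is itself abusable. All addresses, ports, the SYN threshold and the verdict strings are constructed assumptions. The model shows why a ban keyed on an unauthenticated source address lets an off-path sender cut the host off from its own DNS server, why a stateful policy (replies to flows the host opened still pass) limits the damage, and why an address-based always-allow rule lets anything carrying that source address through.

```python
from dataclasses import dataclass, field

# Constructed addresses (RFC 5737 documentation ranges); nothing here is from the thread.
X_HOST = "192.0.2.10"         # the firewalled workstation
Y_DNS = "192.0.2.53"          # X's DNS server, the address the attacker wants blackholed
Z_ATTACKER = "198.51.100.7"   # off-path sender of spoofed packets (never appears as a source)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN without ACK, i.e. a new inbound connection attempt


@dataclass
class Firewall:
    """Toy model of a personal firewall with an auto-blackhole ("IP banning") feature.

    ban_policy: "all"         -> a banned address has every packet dropped
                "unsolicited" -> a banned address only loses unsolicited packets;
                                 replies to flows X itself opened still get through
    always_allow: address-based override ("never ban / always allow my DNS servers")
    """
    ban_policy: str = "all"
    syn_threshold: int = 5
    always_allow: frozenset = frozenset()
    banned: set = field(default_factory=set)
    syn_counts: dict = field(default_factory=dict)
    flows: set = field(default_factory=set)   # (proto, remote_ip, remote_port, local_port)

    def send(self, pkt: Packet) -> None:
        """X originates a packet; remember the flow so its reply is recognised."""
        self.flows.add((pkt.proto, pkt.dst, pkt.dport, pkt.sport))

    def _is_reply(self, pkt: Packet) -> bool:
        # A reply must match the full tuple of a flow X opened, not just the source address.
        return (pkt.proto, pkt.src, pkt.sport, pkt.dport) in self.flows

    def receive(self, pkt: Packet) -> str:
        """Return the firewall's verdict for an inbound packet."""
        if pkt.src in self.always_allow:
            # The override William describes: the address can neither be banned nor
            # filtered, so anything carrying that source address is let in.
            return "ACCEPT(always_allow)"
        if pkt.src in self.banned and (self.ban_policy == "all" or not self._is_reply(pkt)):
            return "DROP(banned)"
        if self._is_reply(pkt):
            return "ACCEPT(reply)"
        # Unsolicited inbound: default deny, and count SYNs towards an automatic ban.
        if pkt.proto == "tcp" and pkt.syn:
            count = self.syn_counts.get(pkt.src, 0) + 1
            self.syn_counts[pkt.src] = count
            if count >= self.syn_threshold:
                self.banned.add(pkt.src)   # keyed on a source address nobody verified
                return "DROP(banned)"
        return "DROP(unsolicited)"


def spoofed_syn_flood(fw: Firewall, victim_src: str, n: int) -> list:
    """Z sends n SYNs to X whose source address is forged as victim_src."""
    return [fw.receive(Packet(victim_src, X_HOST, "tcp", 40000 + i, 80, syn=True))
            for i in range(n)]


def dns_lookup(fw: Firewall) -> str:
    """X queries its DNS server; return the verdict the firewall gives the reply."""
    fw.send(Packet(X_HOST, Y_DNS, "udp", 51234, 53))
    return fw.receive(Packet(Y_DNS, X_HOST, "udp", 53, 51234))


def scenario(ban_policy: str, always_allow: frozenset = frozenset()) -> dict:
    """Flood X with SYNs forged from Y_DNS, then see what happens to real DNS traffic."""
    fw = Firewall(ban_policy=ban_policy, always_allow=always_allow)
    spoofed_syn_flood(fw, Y_DNS, 5)
    return {
        "dns_banned": Y_DNS in fw.banned,
        "dns_reply": dns_lookup(fw),
        # one more forged SYN after the flood: does it reach X's TCP stack?
        "spoofed_syn": fw.receive(Packet(Y_DNS, X_HOST, "tcp", 45000, 80, syn=True)),
    }


if __name__ == "__main__":
    cases = [
        ("ban drops ALL traffic (what the thread reports for Sygate)", {"ban_policy": "all"}),
        ("ban drops only UNSOLICITED traffic", {"ban_policy": "unsolicited"}),
        ("ALL + always-allow override for the DNS server",
         {"ban_policy": "all", "always_allow": frozenset({Y_DNS})}),
    ]
    for name, kwargs in cases:
        print(f"{name}: {scenario(**kwargs)}")
```

Under the "all" policy the forged SYNs get Y_DNS banned and X's own DNS reply is then dropped, which is the denial of service the thread describes. Under the "unsolicited" policy Y_DNS is still banned, but the reply matches the flow X opened and is accepted, while the forged SYN is still dropped. With the always-allow override nothing from Y_DNS is ever banned or filtered, so the forged SYNs reach the stack. The stateful match is only as strong as the flow tuple it checks (protocol, addresses and both ports here), so it narrows the problem rather than removing it.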