Re: Raptor Firewall

From: Mike Shaw (mshawat_private)
Date: Fri Dec 07 2001 - 06:35:54 PST

Next message: Tim Russo: "Pen-Testing help (Compaq Insight & htsearch)"

Previous message: Bob Wright: "Re: JET sql help please anyone"
In reply to: Stuart: "Raptor Firewall"
Next in thread: bluefur0r bluefur0r: "Re: Raptor Firewall"
Next in thread: Brass, Phil (ISS Atlanta): "RE: Writing to Windows Security Log"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I used raptor for about 4 years at an old job.

One thing you always have to do with raptor is check the log files.  It 
usually tells you something that will at least get you started.

The other thing about Raptor is make absolutely sure you have more than 
enough RAM, and a very very large swapfile (at least double the regular NT 
recommended size was our rule of thumb).  There were three times where we 
had weird things like this and upping the swapfile/RAM helped.

Do you have SYN flood protection on?  Older versions had real performance 
problems when this was enabled.

Another thing is to make sure they don't have any strange 
configurations--massive port redirections, etc.  Check the configs and make 
sure  it's not the product of a non-educated 'configurer'.

If anything, your pen-test just found a quick way to dos the site!  But we 
very rarely had problems with Raptor, it's a top-notch product so make sure 
they aren't doing something incorrect.

-Mike

At 12:06 AM 12/7/2001 +0000, Stuart wrote:
>We've run a pentest against a customer recently and found that the very act
>of port scanning their Raptor firewall (running on NT) crippled its ability
>to accept incoming connections for their web site. The firewall is a new
>high spec PIII and the least line is a decent size. The nmap scans were
>standard timing (not T5 or anything daft) - once the scans were stopped,
>things burst back in to life within about 10minutes.
>
>This sounds like a lack of available connections type problem (similar to
>SYN flooding) to me. The firewall was running at about 10% CPU usage at the
>time and was not swapping to disk at all, also strangely, internal access
>outbound to the net for web browsing seemed unaffected?
>
>Its the latest version of Raptor and we're told its fully patched up to
>date.
>
>Does this ring any bells with anyone? Seems very odd to me... a portscan
>should not cause a DOS by itself...
>
>
>thanks
>Stuart
>IT Security Consultant, UK
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
>Service. For more information on SecurityFocus' SIA service which
>automatically alerts you to the latest security vulnerabilities please see:
>https://alerts.securityfocus.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Next message: Tim Russo: "Pen-Testing help (Compaq Insight & htsearch)"
Previous message: Bob Wright: "Re: JET sql help please anyone"
In reply to: Stuart: "Raptor Firewall"
Next in thread: bluefur0r bluefur0r: "Re: Raptor Firewall"
Next in thread: Brass, Phil (ISS Atlanta): "RE: Writing to Windows Security Log"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Dec 10 2001 - 12:07:47 PST