List: firewall-1
Subject: [FW-1] Port Scan(sweep scan) traffic blocking
From: "P.V.Sankar" <sankar () CDOTB ! ERNET ! IN>
Date: 2006-12-22 16:44:52
Message-ID: 20061222161117.M18972 () universe ! cdotb ! ernet ! in
Hi List,
We have our network set up like this for accessing the internet:
client ---->squid proxy---->NGX Firewall---->internet
Ours is a heterogeneous environment with hundreds of Windows, Linux, Solaris
clients.
Our squid proxy version is 2.5 running on Fedora. Squid proxy accepts traffic
on port 8080 from clients and in squid.conf ACLs are defined to allow
services on port numbers 80, 443, 563, 21, 777, 5222. In our firewall, the rule base
allows services http, https, ftp, jabber, Yahoo_Messenger, yahoo voice & rtsp from
squid proxy to internet. Of late our internet access has become very slow.
When we analyzed the traffic, we found a lot of port scan packets going from
squid proxy to internet. I can see the port scan alerts in the SmartView
tracker. In all the logs, the source is the squid proxy with service 80 or 443, or the DNS
system with service 53, or the Mail Server with service 25 [DNS, Mail Server
also have access to the internet for domain queries and smtp traffic].
All three systems, i.e. squid proxy, DNS Server & Mail Server, are hardened
systems. If some outside system is pumping port scan traffic towards my
network, I can block them using the sam command. But here my situation is the reverse.
I am clueless about where to stop/block the port scan packets. I know the end
client systems which are generating port scan traffic. I can block those
systems, but I am ending up blocking the entire IP traffic.
Any suggestions/ideas are greatly appreciated.
Thanks in advance
Regards,
Sankar
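
An added example, not part of the original post: because the firewall only sees the proxy as the source, the per-client evidence for a sweep scan sits in Squid's access.log. The sketch below assumes Squid's native log format; the window, threshold, function names and sample lines are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

def parse_line(line):
    """Return (timestamp, client_ip, dest_host, dest_port) or None if unparsable."""
    f = line.split()  # native format: time elapsed client action/code size method URL ...
    if len(f) < 7:
        return None
    try:
        ts = float(f[0])
        client, method, url = f[2], f[5], f[6]
        if method == "CONNECT":            # logged as host:port, no scheme
            host, _, port = url.rpartition(":")
            port = int(port)
        else:
            u = urlsplit(url)
            host, port = u.hostname, u.port or DEFAULT_PORTS.get(u.scheme)
    except ValueError:
        return None
    return (ts, client, host.lower(), port) if host and port else None

def find_sweepers(lines, window=60, min_hosts=5):
    """Map (client, port) -> peak count of distinct hosts contacted on that
    port within any `window` seconds, for pairs reaching `min_hosts`."""
    events = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec:
            events[(rec[1], rec[3])].append((rec[0], rec[2]))
    flagged = {}
    for key, evs in events.items():
        evs.sort()
        start = best = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide window forward
                start += 1
            best = max(best, len({h for _, h in evs[start:end + 1]}))
        if best >= min_hosts:
            flagged[key] = best
    return flagged

# Constructed sample: one client sweeping port 443, one browsing normally.
SAMPLE = [f"1166805{i:03d}.000 200 10.1.1.23 TCP_MISS/503 0 CONNECT 198.51.100.{i}:443 - DIRECT/198.51.100.{i} -" for i in range(1, 9)]
SAMPLE += ["1166805010.000 150 10.1.1.40 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html",
           "1166805400.000 150 10.1.1.40 TCP_MISS/200 2048 GET http://www.example.org/ - DIRECT/192.0.2.11 text/html"]

if __name__ == "__main__":
    print(find_sweepers(SAMPLE))
```

Clients flagged this way can be denied at the proxy by source address, which leaves their other IP traffic untouched.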