
List:       firewall-1
Subject:    [FW-1] Port Scan(sweep scan) traffic blocking
From:       "P.V.Sankar" <sankar () CDOTB ! ERNET ! IN>
Date:       2006-12-22 16:44:52
Message-ID: 20061222161117.M18972 () universe ! cdotb ! ernet ! in

Hi List,
We have our network setup like this for accessing internet.

client ---->squid proxy---->NGX Firewall---->internet

Ours is a heterogeneous environment with hundreds of Windows, Linux and Solaris
clients.
Our squid proxy version is 2.5 running on Fedora. Squid proxy accepts traffic
on port 8080 from clients, and in squid.conf ACLs are defined to allow
services on ports 80, 443, 563, 21, 777 and 5222. In our firewall, the rule base
allows services http, https, ftp, jabber, Yahoo_Messenger, yahoo voice & rtsp from
squid proxy to internet. Of late our internet access has become very slow.
When we analyzed the traffic, we found a lot of port scan packets going from
squid proxy to internet. I can see the port scan alerts in the SmartView
tracker. In all the logs, source is squid proxy and service 80 or 443, or DNS
system and service 53, or Mail Server and service 25 [DNS and Mail Server
also have access to internet for domain queries and smtp traffic].
All three systems, i.e. squid proxy, DNS Server & Mail Server, are hardened
systems. If some outside system is pumping port scan traffic towards my
network, I can block them using the SAM command. But here my situation is reverse.
I am clueless about where to stop/block the port scan packets. I know the end
client systems which are generating port scan traffic. I can block those
systems, but I end up blocking the entire IP traffic.
Any suggestions/ideas are greatly appreciated.

Thanks in advance

Regards,
Sankar

--
Open WebMail Project (http://openwebmail.org)

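To pin down which clients are driving the sweep traffic through the proxy without cutting off their ordinary browsing, the following added example (not from this thread or from Squid itself) parses Squid native access.log lines, flags clients that reach many distinct host:port destinations within a short time bucket, and emits a squid.conf fragment that denies only CONNECT tunnels for those clients. The sample log lines, the thresholds and the `sweepers` ACL name are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit
# Constructed sample in Squid's native access.log format (not taken from the post):
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1166803492.101    120 10.1.2.3 TCP_MISS/200 1234 GET http://www.example.com/ - DIRECT/192.0.2.1 text/html
1166803492.201     30 10.1.2.3 TCP_MISS/200 0 CONNECT 192.0.2.10:443 - DIRECT/192.0.2.10 -
1166803492.210     30 10.1.2.3 TCP_MISS/200 0 CONNECT 192.0.2.11:443 - DIRECT/192.0.2.11 -
1166803492.220     30 10.1.2.3 TCP_MISS/503 0 CONNECT 192.0.2.12:443 - NONE/- -
1166803492.230     30 10.1.2.3 TCP_MISS/503 0 CONNECT 192.0.2.13:443 - NONE/- -
1166803492.300    200 10.1.2.7 TCP_HIT/200 5000 GET http://www.example.com/index.html - NONE/- text/html
1166803492.400    180 10.1.2.7 TCP_MISS/200 800 GET http://mail.example.net/ - DIRECT/198.51.100.5 text/html
"""
LINE_RE = re.compile(r"^(\d+\.\d+)\s+\d+\s+(\S+)\s+\S+\s+\d+\s+(\S+)\s+(\S+)")

def parse_line(line):
    """Return (timestamp, client, 'host:port') for one log line, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url = m.groups()
    if method == "CONNECT":                 # CONNECT target is already host:port
        dest = url
    else:
        u = urlsplit(url)
        dest = "%s:%d" % (u.hostname, u.port or 80)
    return float(ts), client, dest

def find_sweepers(log_text, window=60, min_dests=5):
    """Clients reaching >= min_dests distinct host:port pairs inside one window-second bucket."""
    dests = defaultdict(set)                # (client, time bucket) -> {host:port}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, client, dest = rec
            dests[(client, int(ts // window))].add(dest)
    flagged = {}
    for (client, _bucket), seen in dests.items():
        if len(seen) >= min_dests:
            flagged[client] = max(flagged.get(client, 0), len(seen))
    return flagged

def squid_acl_fragment(sweepers):
    """Squid 2.x squid.conf lines denying only CONNECT for flagged clients (put above allow rules)."""
    if not sweepers:
        return ""
    return ("acl sweepers src " + " ".join(sorted(sweepers)) + "\n"
            "acl CONNECT method CONNECT\n"
            "http_access deny CONNECT sweepers\n")
```

Tune `window` and `min_dests` against a real access.log before acting on the output, and note that the fragment leaves plain port-80 GET traffic from the flagged clients untouched.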