> However I do wish it had the feature that Sygate PRO has, which will
> blackhole an IP if it detects a port scan coming to it. It then blocks all
> activity from the offending IP for approximately 10 minutes.

Well, it's a feature if the probes are really coming from the computer Sygate PRO thinks they're coming from. Suppose X is running Sygate PRO and Y is a legitimate client connecting to a server running on X. Then Z comes along and sends a bunch of SYN packets to X, spoofed to have the source IP of Y, waits 10 minutes, and repeats ad infinitum. Now Y can never connect to X. This seems more like a DoS vulnerability than a feature to me. Am I missing something?

-Eliah

On 1/20/06, Soderland, Craig wrote:
> Time to throw my .02 cents in.
>
> Zone - Good product, though it requires much thought and proper
> configuration for successful installs. Does not always save your
> configuration settings when you shut down. This I find occurs most often
> when you upgrade Zone from one version to another and not use the "clean
> install option." If this occurs you have 2 options.
>
> 1. re-install zone, utilizing the clean install option and then re-enter
> your rules.
> 2. do not re-install zone but when you have made firewall rules changes,
> exit out of the program after making the aforementioned changes, when Zone
> exits, not as part of a shutdown it seems to correctly flush the
> configuration to disk.
>
> Another issue with zone, is that they have not yet fixed the bug in the true
> vector engine. I can cause true vector to regularly crash out and leave
> the system unprotected from a remote client. I have notified Zone's
> engineers, specifically how this was done and to date no response from their
> side. To their credit, when this occurs now the system loses all network
> connectivity (with recent update.) and the VSMON service now restarts. So
> even though the bug in True Vector still exists they have worked around it
> so as to not leave your system completely vulnerable as in the 5.x versions.
>
> But other than this it is a good package, very flexible, and powerful though
> requiring a certain level of sophistication to configure it properly.
>
> However I do wish it had the feature that Sygate PRO has, which will
> blackhole an IP if it detects a port scan coming to it. It then blocks all
> activity from the offending IP for approximately 10 minutes.
>
> It however had a similar problem to zone in that we could easily get the FW
> to crash out, however when it did crash out all connectivity was lost. To
> date this also has not been fixed.
>
> The other firewalls I've played with all had their own set of feature
> issues, with Black Ice being the worst piece of garbage I have had my
> displeasure of ever installing. Just too damn easy to defeat.
>
> In all cases, I would recommend a firewall software, especially if you are
> on a laptop, and might ever be out on the wild wild internet without being
> behind a hardware firewall. Preferably something that will also check on
> programs attempting to make outbound connections. But I would not rely on
> just a software one either.
>
> And with hardware many users/companies make the same mistake, layering
> firewalls all of the same vendor/brand. So that in the event of an exploit
> weakens they're all penetrated.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
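
The lockout Eliah describes, modelled as an added example that is not part of the original thread and is not Sygate's or Zone's actual logic: a toy auto-blocker replayed against constructed traffic, first blocking on bare SYNs and then blocking only sources that completed a handshake or skipping allowlisted peers. The class, the threshold, the `handshake_done` flag and the addresses are all assumptions made for illustration.

```python
from collections import defaultdict

SCAN_THRESHOLD = 5   # distinct ports before a source counts as a scanner (assumed value)
BLOCK_SECONDS = 600  # "approximately 10 minutes", as described in the thread

class AutoBlocker:
    """Toy model of scan-triggered blackholing; hypothetical, not a real product's logic."""

    def __init__(self, require_handshake=False, allowlist=()):
        self.require_handshake = require_handshake
        self.allowlist = set(allowlist)
        self.ports = defaultdict(set)  # source IP -> distinct ports probed
        self.blocked_until = {}        # source IP -> time the block expires

    def is_blocked(self, src, now):
        return self.blocked_until.get(src, 0) > now

    def observe(self, now, src, dport, handshake_done):
        """Record one inbound probe and apply the blocking policy."""
        if src in self.allowlist:
            return
        # A bare SYN does not prove who sent it: the source address is forgeable.
        # Completing the handshake requires receiving the SYN-ACK at that address.
        if self.require_handshake and not handshake_done:
            return  # unverified source: ignored for blocking purposes
        self.ports[src].add(dport)
        if len(self.ports[src]) >= SCAN_THRESHOLD:
            self.blocked_until[src] = now + BLOCK_SECONDS
            self.ports[src].clear()

def client_can_connect(blocker, events, client, at):
    """Replay events, then report whether `client` is still allowed at time `at`."""
    for ev in events:
        blocker.observe(*ev)
    return not blocker.is_blocked(client, at)

# Constructed sample traffic (documentation address ranges, not real hosts).
Y = "192.0.2.10"          # legitimate client of the server on X
SCANNER = "198.51.100.7"  # source that really completes connections to many ports
FORGED = [(t, Y, 1000 + t, False) for t in range(5)]  # SYNs claiming to be Y
CONNECT_SCAN = [(t, SCANNER, p, True) for t, p in enumerate((21, 22, 23, 25, 80))]

if __name__ == "__main__":
    print("naive policy, Y reachable:", client_can_connect(AutoBlocker(), FORGED, Y, 10))
    print("handshake required, Y reachable:", client_can_connect(AutoBlocker(True), FORGED, Y, 10))
    print("Y allowlisted, Y reachable:", client_can_connect(AutoBlocker(allowlist=[Y]), FORGED, Y, 10))
    print("scanner reachable:", client_can_connect(AutoBlocker(True), CONNECT_SCAN, SCANNER, 10))
```

The handshake requirement has a cost: half-open SYN scans are no longer auto-blocked, so they have to be handled by logging or rate limiting instead.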
