
RE: [FW1] WebSite being Hacked!!!




>2. Configure CPMAD to send e-mails to you (be careful with this, you get
>a lot of e-mails) or browse your fw log daily. If you see that you're being
>scanned then you can issue 'fw sam -i src <ip_address_you_wanna_block>'.
>This way the scanning connection is rejected. It is better than nothing but the
>disadvantage is that when fw sam

Quick reminder on CPMAD:

Remember that by Default only "Blocked_Connection_Port_Scanning" is ON.
"Port_Scanning" is turned OFF. You can turn each type of attack recognition
ON/OFF by editing the $FWDIR/conf/cpmad_config.conf file.

Comments on their differences:

"port_scanning"
"blocked_connection_port_scanning"

So what's the difference between the two attack detections?  When would you
need one and not the other?

"port_scanning" is an encompassing attack detection option.  It includes
"blocked_connection_port_scanning".  Therefore, we can say that
"port_scanning" is a superset of "blocked_connection_port_scanning" - or say
that "blocked_connection_port_scanning" is a subset of "port_scanning"

Basically, "port_scanning" will detect any port scans directed from the same
source IP to the same destination IP - irrelevant of whether the packet is
ACCEPTED, DROPPED, or REJECTED.

However, "blocked_connection_port_scanning" only detects port scans when the
packets are REJECTED or DROPPED.  This attack detection will not detect port
scans to systems if those specific ports scanned for are ACCEPTED by the
firewall.

Usually, you will not turn both of these detection modes on - if you are
allowing only specific protocols to specific servers, and are implementing
the DROP RULE, then having "blocked_connection_port_scanning" will cover the
port scans; because, your security policy will cause packets other than
ACCEPTED destined to the systems to be DROPPED/REJECTED.

Overall, "port_scanning" will be more memory and cpu intensive than
"blocked_connection_port_scanning".


Amin Tora, CISSP
ePlus Technology
http://www.eplus.com
NASDAQ: PLUS
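The distinction Amin draws between the two CPMAD detections, as an added example that is not part of the original post or of Check Point's code: a toy detector run over a constructed log, where `blocked_only=False` mimics "port_scanning" and `blocked_only=True` mimics "blocked_connection_port_scanning". The log records, the field layout and the port threshold are all assumptions, not the real FW-1 log format or CPMAD's defaults.

```python
"""Toy reproduction of CPMAD's two port-scan detections over a constructed log."""
from collections import defaultdict

# Constructed sample log (not a real FW-1 log): (src, dst, dport, action).
SAMPLE_LOG = [
    # Scanner hitting a mix of open and closed ports on one host.
    ("10.0.0.5", "192.168.1.10", 22, "drop"),
    ("10.0.0.5", "192.168.1.10", 23, "drop"),
    ("10.0.0.5", "192.168.1.10", 25, "accept"),
    ("10.0.0.5", "192.168.1.10", 80, "accept"),
    ("10.0.0.5", "192.168.1.10", 110, "drop"),
    ("10.0.0.5", "192.168.1.10", 443, "accept"),
    ("10.0.0.5", "192.168.1.10", 3389, "drop"),
    # Ordinary client: one port, one host.
    ("10.0.0.9", "192.168.1.10", 80, "accept"),
    # Scanner whose every probe lands on an ACCEPTED service.
    ("10.0.0.7", "192.168.1.20", 80, "accept"),
    ("10.0.0.7", "192.168.1.20", 443, "accept"),
    ("10.0.0.7", "192.168.1.20", 8080, "accept"),
    ("10.0.0.7", "192.168.1.20", 8443, "accept"),
]


def detect_scans(records, blocked_only, threshold=4):
    """Return {(src, dst): sorted ports} for pairs touching >= threshold distinct ports.

    blocked_only=True  -> only DROP/REJECT packets count ("blocked_connection_port_scanning").
    blocked_only=False -> every packet counts regardless of action ("port_scanning").
    The threshold is an assumed tunable, not CPMAD's default.
    """
    ports = defaultdict(set)
    for src, dst, dport, action in records:
        if blocked_only and action not in ("drop", "reject"):
            continue
        ports[(src, dst)].add(dport)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= threshold}


def compare_modes(records, threshold=4):
    """Run both detection modes and return their hits side by side."""
    return {
        "port_scanning": detect_scans(records, blocked_only=False, threshold=threshold),
        "blocked_connection_port_scanning": detect_scans(records, blocked_only=True, threshold=threshold),
    }


if __name__ == "__main__":
    for mode, hits in compare_modes(SAMPLE_LOG).items():
        print(mode, hits)
```

The all-ACCEPTED scan from 10.0.0.7 is flagged only by the superset mode, which is the gap the post describes; with a DROP rule in place a scanner touching closed ports, like 10.0.0.5, shows up in both.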





