
Re: [FW-1] getting scanned



If it's always the same IPs, and you don't need to reach them, blackhole them with statics on your FW or edge/border router. :-)  I know people who have dumped most of the APNIC IP blocks for this reason. Think about who you really need & want connectivity to (unless you're a transit network/ISP etc) and examine that as another possible layer of defense.
Other options include SnortSAM, which can dynamically block communication to/from IPs using Snort & Checkpoint. Also, LaBrea, while it does not stop scans, slows them down considerably, which might help protect you.
The sort of thing I like to do is to use our routers for filtering traffic outside the firewall, then have the firewall, and then inside have all of our hosts, routers, etc. be hardened. This greatly reduces the chances of most scans finding anything, if they can get in in the first place.
FWIW, most of the easy to ID scans are just so much automated junk IMHO.. portmapper, FTP, SSH, etc.. easy to block and easy to detect. The ones I think are worth worrying about are the slower more deliberate scans (the sorts of scans that SPADE helps to ID). Some kid scanning a /19 for FTP servers is not something that keeps me up nights.. you know?

Last piece of advice (and worth what you paid for it!): Put a box outside your FW and scan yourself as often as you can stand. Try to get into their shoes: what do *you* see when you look at your network? Work on making it less visible as an ongoing project. I run all sorts of checks from home periodically to see what we look like from 'out there'.

hth

Joe

>>> Idan Dolev <[email protected]> 04/14/02 08:21AM >>>
Hi,

I can see that I am being scanned daily from various IPs on the Internet;
they are scanning my whole subnet.
What is the best way that I can defend myself from this scan?
I have NG FP1.
Syndefender is only to defend against SYN attacks, not scanners.

Best regards,

Idan Dolev

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
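
Added example, not part of the original thread: a sketch of the triage the reply describes, separating fast automated sweeps from slow deliberate scans and listing sources that return on multiple days as candidates for a static blackhole route. The log format, thresholds, function names and addresses (documentation ranges) are all constructed assumptions, not FW-1 output.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample of firewall drop records: "time src dst dport".
SAMPLE_LOG = """\
2002-04-13T02:00:01 203.0.113.7 192.0.2.1 21
2002-04-13T02:00:01 203.0.113.7 192.0.2.2 21
2002-04-13T02:00:02 203.0.113.7 192.0.2.3 21
2002-04-13T02:00:02 203.0.113.7 192.0.2.4 21
2002-04-14T02:10:00 203.0.113.7 192.0.2.1 21
2002-04-14T02:10:01 203.0.113.7 192.0.2.2 21
2002-04-14T02:10:01 203.0.113.7 192.0.2.3 21
2002-04-14T02:10:02 203.0.113.7 192.0.2.4 21
2002-04-14T01:00:00 198.51.100.9 192.0.2.1 22
2002-04-14T05:30:00 198.51.100.9 192.0.2.2 111
2002-04-14T11:45:00 198.51.100.9 192.0.2.3 21
2002-04-14T19:20:00 198.51.100.9 192.0.2.4 22
2002-04-14T09:00:00 198.51.100.50 192.0.2.1 80
"""

def summarize(log, min_targets=4, slow_gap=600):
    """Per scanning source: "fast"/"slow" and the days it was seen."""
    targets, times = defaultdict(set), defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, dport = line.split()
        targets[src].add((dst, int(dport)))
        times[src].append(datetime.fromisoformat(ts))
    report = {}
    for src, probes in times.items():
        if len(targets[src]) < min_targets:
            continue  # too few distinct targets to call it a scan
        probes.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(probes, probes[1:])]
        # Median gap ignores the long pause between daily repeat runs.
        kind = "slow" if median(gaps or [0]) >= slow_gap else "fast"
        days = sorted({p.date().isoformat() for p in probes})
        report[src] = {"kind": kind, "days": days}
    return report

def blackhole_candidates(report, min_days=2):
    """Sources that keep coming back: candidates for a static null route."""
    return sorted(s for s, r in report.items() if len(r["days"]) >= min_days)

if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for src, r in rep.items():
        print(src, r["kind"], ",".join(r["days"]))
    print("blackhole candidates:", blackhole_candidates(rep))
```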




 
   All contents © 2004 Network Presence, LLC. All rights reserved.