
Symantec Critical System Protection and Generic Network Attacks

Created: 26 Mar 2013 • Updated: 31 Mar 2013 | 6 comments
This issue has been solved. See solution.

Hi,

I am implementing SCSP at a client site and the client is asking for a demo of SCSP protection, i.e. the client wants me to use a third-party tool like Zenmap, run an attack against a machine which has SCSP installed and show how it protects. I tried running some attacks like SYN attack, brute force against SMB etc. I could only configure two actions in the SCSP Prevention Policy, i.e. either block a network range or allow a network range (I was using the Windows Core Prevention Policy). This action causes SCSP to either block or allow any IP, or even an attack. For example, it let the test machine run a SYN attack against my test machine and did not block it. I was hoping that after 10 or 20 consecutive SYN requests it would block the IP or at least raise a warning in IDS mentioning a SYN attack, but nothing!

Can anyone please help me understand the best situation under which SCSP can be used? Do I need to put in another firewall with these features? I have to install SCSP on DMZ servers and hence it is quite critical.


Are you sure it's actually SCSP that is blocking it and not some sort of firewall?

If you want to demonstrate the functionality of SCSP, I personally use an unpatched 2003 SP0 machine and run Metasploit against it to do buffer overflow attacks, then put the agent on and try the hacks again, which it then prevents.

Please mark posts as solutions if they solve your problem!

http://www.cstl.com


Hi,

Thank you for your response. While doing the attack simulation, I was continuously watching the SCSP Event Viewer on the client, where I saw the packets being denied. Again, I am only using the Windows Core Protection Policy with only one network defined under the Allow List. The problem is, this will be installed on a public web server, which means that I cannot use a limited set of allowed LANs. I do understand that HIPS would block any change to the registry, files or system, which is great, but they were expecting more of a network protection similar to other firewalls, where a pattern is recognized and blocked, e.g. SYN, DoS, brute force etc.

Again, thank you for your answer. I am trying Metasploit right now. But please do add any more information that you think will be helpful for me.


The firewall part of SCSP is actually quite basic; the real value in the product is to harden a system. It doesn't do deep packet inspection like larger hardware-based firewalls; its aim is to protect the system should something get through. Having things like DPI would increase the footprint of the agent by quite a lot, reducing its value.

Please mark posts as solutions if they solve your problem!

http://www.cstl.com


CSP is not a firewall. Host based firewalls have a network driver. CSP has a kernel driver that monitors for connect calls to the kernel. This is important as you will also not be able to detect port scans using CSP as we only see attempts on ports on which the server is listening. As mentioned above by Alex, we also do not use any definitions. Given the whitelisting methodology of the product, this fits well with us. When we lock down a server, we do so in such a way that regardless of the methodology used by an attacker, disallowed behavior is disallowed. Definitions would add greatly to the overhead and would have you always playing catch-up to the bad guys. CSP is a very binary product.

If you want to demonstrate network protection, you could allow port 80 from anywhere and deny all other ports. To Alex's point, BackTrack is a great way to prevent buffer overflow, thread injection, and numerous other attacks. If these are public-facing web servers, I would think that they would have a network-based IPS at the gateway and/or an edge firewall that could recognize/stop a DoS-style attack. Layered defense is definitely the key here.

Feel free to e-mail me directly and/or respond here if you want to discuss further.

Chris Tyrrell
Compliance Practice Lead
Conventus
ctyrrell@conventus-sei.com

SOLUTION
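As an added illustration of the distinction Chris draws above (example code, not from the thread, Symantec or Conventus): a small Python model of a host-side whitelist that only evaluates connections reaching a listening port, beside the rate-based SYN check an edge IPS or firewall would apply. The listening ports, addresses and traffic are constructed.

```python
from collections import defaultdict, deque

# Constructed sample traffic as (timestamp_s, src_ip, dst_port, tcp_flag):
# one legitimate client, a 1024-port scan, and a 50-packet SYN flood on port 80.
SAMPLE_PACKETS = (
    [(0.0, "10.0.0.5", 80, "SYN"), (0.2, "10.0.0.5", 3389, "SYN")]
    + [(1.0 + i * 0.001, "10.0.0.9", p, "SYN") for i, p in enumerate(range(1, 1025))]
    + [(3.0 + i * 0.01, "10.0.0.7", 80, "SYN") for i in range(50)]
)

LISTENING_PORTS = {80, 443, 3389}  # services the host really runs (constructed)
ALLOWED_PORTS = {80}               # policy from the thread: allow 80, deny the rest


def host_whitelist_events(packets, listening=LISTENING_PORTS, allowed=ALLOWED_PORTS):
    """Events a kernel connect-call monitor (the CSP model) would record.

    A SYN to a closed port never turns into a connect on the host, so it
    yields no event: a port scan is invisible except where it touches a
    listener. The verdict is per connection; the rate is never considered.
    """
    events = []
    for ts, src, port, flag in packets:
        if flag != "SYN" or port not in listening:
            continue
        events.append((ts, src, port, "allow" if port in allowed else "deny"))
    return events


def syn_rate_alerts(packets, threshold=20, window_s=1.0):
    """Network-layer check an edge IPS could apply: flag any source sending
    at least `threshold` SYNs inside a sliding window, listening port or not."""
    recent = defaultdict(deque)
    alerted = set()
    for ts, src, _port, flag in packets:
        if flag != "SYN":
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window_s:  # drop SYNs that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerted.add(src)
    return alerted


if __name__ == "__main__":
    ev = host_whitelist_events(SAMPLE_PACKETS)
    print(f"host layer: {len(ev)} events; {sum(e[1] == '10.0.0.9' for e in ev)} "
          f"of 1024 scan probes seen; flood on port 80 allowed by the whitelist")
    print("rate layer alerts:", sorted(syn_rate_alerts(SAMPLE_PACKETS)))
```

Running it shows the behaviour the original poster observed: the whitelist allows every flood packet on port 80 and sees only two of the 1024 scan probes, while the rate check flags both the scanner and the flooder.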

Thank you, guys!! The client has been updated about the limitations and the possibilities of the product. He is OK with it.

Thanks again!


Hi,

I am still facing a similar issue and am searching for a more relevant solution, as it is not resolved the way mentioned above. Please help me with accurate guidance.
