File Share Encryption

  • 1.  TCP Segment Overwrite Events

    Posted Apr 07, 2013 08:01 AM

    Hello PGP experts,

    I'm seeing a whopping number of events on my external Cisco IPS related to TCP Segment Overwrite events. The first party in such events is my PGP Gateway Email, and the other party will always be an external mail server. Sometimes my PGP server is the source and other times it is the target.

    Could someone help me out? Any thoughts are appreciated.


    Thanks in advance.



  • 2.  RE: TCP Segment Overwrite Events

    Posted Apr 08, 2013 04:31 AM

    If your IPS appliance is being sent streams from multiple sources and that traffic traverses more than one of those sources, it could be viewed by the Cisco box as duplicate segments when in fact it's just two copies of the same traffic going to the IPS. Does that apply in your case?

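The distinction in the reply above is worth checking rather than assuming: two copies of the same segment (a tap or SPAN feed seen twice, or a plain retransmission) overlap with identical bytes, whereas a genuine segment overwrite, the pattern IPS evasion and injection tools produce, carries different data in the overlapping range. The following is an added example, not code from this thread or from Cisco or PGP, that runs a toy receiver-style reassembly over constructed TCP segments and reports whether each overlap is a duplicate or a conflicting overwrite. The segment contents are made up for illustration; in practice you would feed it sequence numbers and payloads pulled from a capture of the flagged flow.

```python
from typing import Dict, List, Tuple

# A segment is (absolute sequence number, payload bytes). Arrival order matters:
# like a receiver, the first byte seen at a sequence position is the one kept.
Segment = Tuple[int, bytes]


def classify_overlaps(segments: List[Segment]) -> List[Tuple[int, int, str]]:
    """Return (seq, overlapping_bytes, kind) for every segment that overlaps
    data already seen. kind is 'duplicate' when every overlapping byte matches
    what was already reassembled, and 'overwrite' when any byte differs."""
    seen: Dict[int, int] = {}          # sequence position -> first byte seen there
    findings: List[Tuple[int, int, str]] = []
    for seq, payload in segments:
        overlap = 0
        mismatch = 0
        for i, byte in enumerate(payload):
            pos = seq + i
            if pos in seen:
                overlap += 1
                if seen[pos] != byte:
                    mismatch += 1
            else:
                seen[pos] = byte
        if overlap:
            findings.append((seq, overlap, "overwrite" if mismatch else "duplicate"))
    return findings


def verdict(segments: List[Segment]) -> str:
    """Collapse per-segment findings into one answer for the flow."""
    kinds = {kind for _, _, kind in classify_overlaps(segments)}
    if not kinds:
        return "clean"
    if kinds == {"duplicate"}:
        return "duplicates only"      # consistent with a doubled feed; safe to tune out
    return "conflicting data"         # real overwrite; investigate the flow


# Constructed sample 1: the same SMTP segment delivered to the sensor twice,
# which is what two SPAN/tap feeds of one conversation look like.
EHLO = b"EHLO mail.example.com\r\n"
DUPLICATE_FEED: List[Segment] = [
    (1000, EHLO),
    (1000, EHLO),                      # second copy, identical bytes
    (1000 + len(EHLO), b"MAIL FROM:<alice@example.com>\r\n"),
]

# Constructed sample 2: a second segment re-sends the same sequence range with
# different content, the shape of a segment-overwrite evasion or injection.
INJECTED_STREAM: List[Segment] = [
    (2000, b"MAIL FROM:<alice@example.com>\r\n"),
    (2000, b"MAIL FROM:<mallory@example.com>\r\n"),
]

if __name__ == "__main__":
    for name, flow in (("duplicate feed", DUPLICATE_FEED), ("injected stream", INJECTED_STREAM)):
        print(name, "->", verdict(flow), classify_overlaps(flow))
```

If every flagged flow from the gateway comes back as "duplicates only", the alerts are a sensor-placement artifact and can be tuned; a single "conflicting data" result on a mail flow is the case worth pulling the full capture for.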


  • 3.  RE: TCP Segment Overwrite Events

    Posted Apr 08, 2013 08:21 AM

    Thanks for replying Alex, but could you elaborate more on this please? How would a sender's traffic traverse another sender?



  • 4.  RE: TCP Segment Overwrite Events

    Posted Apr 08, 2013 09:28 AM

    Well, is that IPS box on the edge of the network? I would expect traffic to go to and from the Universal Server. It can be viewed as malicious if it shouldn't be doing that, but the likelihood of the Universal Server being compromised is very, very low. It's hardened a lot to make sure it can just sit there doing what it's told to do. Is your Universal Server in the DMZ?



  • 5.  RE: TCP Segment Overwrite Events

    Posted Apr 08, 2013 09:34 AM

    Yes, the PGP Universal is in the DMZ, and the IPS box is between the edge router and the external firewall. Does this mean that most probably it is a bunch of false positives (that I can simply ignore)? Thanks.



  • 6.  RE: TCP Segment Overwrite Events
    Best Answer

    Posted Apr 08, 2013 10:31 AM

    Most likely. You can track the time and date stamps on the IPS box and see if there is a pattern matching the mail going out of the PGP box, but other than that, it's probably safe to ignore.



  • 7.  RE: TCP Segment Overwrite Events

    Posted May 14, 2013 10:38 AM

    You were absolutely right, Alex. It was a temporary issue and now it's gone. I don't know exactly what was going on, but consulting my local Cisco IPS provider made me more confident those were just false positives. Thank you.


    -Moh-