Beth, I have used this product before. While I see your concern about amplification, this can be defeated from outside threats using filters/firewall. This may still leave you open to internal amplifications attacks. When I worked with it, we did not notice a degradation in network performance. This was a small/medium site with approximately 900 workstations. I did not try to use it as a amplification, but I would assume that this would be easy. Although, if I do remember correctly the hosts did not respond unless they were authenticated using NT domain accounts. I hope this helps. Matt At Thursday 6/28/2001 07:51 AM, Young, Beth A. wrote: >Through some discussions I have had with several people, I have a concern >about NAV 7.5 server/client setup. I wanted other expert opinions on this >issue. I am including some text from an email with a Symantec Engineer. My >questions/comments are in [brackets]. > > >When NSCTOP starts, it initiates a quick discovery, which is > >essentially a broadcast ping to the entire subnet. It asks > >that any application listening on port 38293 please respond > >with a pong packet. Any computers running PDS will respond to > >the ping with a pong packet. >[Can this be used in a type of smurf amplification attack??? Especially >taken with the next comment?] > >Intense Discovery. Walks the Network Neighborhood, attempting > >to ping all computers it finds. > >[And lastly we have a built in Network scanner??]: > >Scan Network tab. The scan network feature of the "Find > >Computer" dialog allows you to scan a range of IP Addresses, > >or IP subnets in order to find computers. Using the IP address > >scan, you enter a range of IP addresses, which the dialog will > >then loop through. The dialog requests the discovery service > >to ping each address, and brings in any servers it finds. > >Using the IP subnet scan, you can send broadcast packets to > >specific subnets. This scan can circumvent routers that stop > >normal broadcast packets. > >------------ > >Am I missing something here or am I being way to paranoid about this >application? Does anybody use server/client setup in their organization >that can send me comments about this traffic and how it affects their >bandwidth? Has anybody tried to use this as a smurf amplification tool? > >Beth Young >MOREnet Security >1.800.509.6673 >http://www.more.net/ _______________________________________________ Firewalls mailing list Firewalls@lists.gnac.net http://lists.gnac.net/mailman/listinfo/firewalls