I looked briefly in bugtraq archives and I didn't find any reference to this issue. Please accept my apologies, if it's a known problem.
Norton Personal Firewall 2002 on Windows 2000 is vulnerable to SYN/FIN scan (SYN/FIN/URG, SYN/FIN/PUSH, SYN/FIN/URG/PUSH are not detected as well) also if you activate "detect portscan".
The windows machine answers the same way with or without NPF. open TCP port answer (hping output): len=46 ip=a.b.c.d sport=135 flags=SA DF seq=5 ttl=128 id=112 win=16616 rtt=0.8 ms close TCP port answer (hping output): len=46 ip=a.b.c.d sport=136 flags=RA seq=6 ttl=128 id=113 win=0 rtt=0.6 ms
This way, you can check which ports are listening and you don't get blacklisted. When NPF detects a port scan, it filters all packets from the source IP for the next 30 mins. By the way, I tried to understand this feature: after some tests, I got the idea that NPF stops ONLY SYN packets FROM the blacklisted IP. This means that you can STILL perform a SYN/FIN scan while blacklisted and also that you can go on with an established connection from a blacklisted IP. You just can't start a new connection FROM the blacklisted machine (but you can start it from the "protected" PC). I guess this way to implement a blacklist is mainly for performances. Any comment?
Moreover, since you can't change the 30 mins default blacklist time, this can help a lot in fingerprinting Norton Personal Firewall making your IP blacklisted and then trying to send again SYN packets on an open port after 30 mins.
In my probe test, I also tried to check the claim "block fragmented IP Packets" in advanced options, attacking the windows box with the old jolt2 (MS00-029 May 2000). Of course, the windows 2000 has NO patch or SP which would prevent the attack to success. You might say a computer should always be uptodate with patches, but this was a proof-of-concept of a future undiscovered fragmented IP bug againts a claim of being able to block fragments. NPF is NOT able to protect my Windows 2000 against jolt2.
Thanks for reading,
You can visit the vendors webpage here: http://www.symantec.com/sabu/nis/npf/
The vendor was contacted on the 5th of April, 2002 using a web form at http://service4.symantec.com/discuss/support/feedback2.nsf/product+feedback No reply so far.
The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. Any use of this information lays within the user's responsibility.