True. These ports do provide evidence of the host being a CPFW. However,
this assumes that mgmt is needed from a public location (ports 256,257,258).
Any company concerned about corporate network security would not run these
FW's with external mgmt ports enabled. So the new question is how do you ID
a CPFW with these ports closed? A good answer, stated below, was NMAP with
the -O option. This option will spit out something like this:
Host : X.X.X.X
OS : Check Point FireWall-1 4.0 SP-5 (IPSO build)
Nokia IPSO 3.2-fcs4 releng 783
NOKIA IPSO 3.2 Running Checkpoint Firewall-1
Nokia IPSO 3.2-fcs4 releng 783 (FreeBSD Based)
Ports : 53/tcp closed domain
256/tcp open rap
257/tcp closed set
258/tcp closed yak-chat
Host : X.X.X.X
OS : Nokia IPSO 3.2-fcs4 releng 783
Ports : 53/tcp closed domain
256/tcp open rap
257/tcp open set
258/tcp open yak-chat
Getting addresses behind a firewall can be difficult. Finding out where the
web, mail or ftp servers usually point to the external IP address of the FW
itself since arping is done by the FW for the client. I have been
experiementing with Firewalk as well as modified TOS fields within the ICMP
protocol to force identification of internal hosts but have not been
successful....YET. If anyone has something to add to my madness please do so
with care.
Andrew A Mulé
Network Security Architect
Securify Inc.
PGP: F2D5 54A4 F098 369E AA5E
A64E 0F6F DE52 13C6 BAC5
Received on May 14 2001
Intro
