Home page logo
/

pen-test logo Penetration Testing mailing list archives

Looks like a Borderware firewall (was Re: Device fingerprinting)
From: Javier Fernández-Sanguino Peña <jfernandez () germinus com>
Date: Wed, 21 Aug 2002 12:58:13 +0200



1) The presence of the cvc_hostd (442) port on the two interfaces of the
unknown device... anyone could comment?

Searching google I find this:
http://216.239.39.100/search?q=cache:NX2-uzZSPmkC:www.cert.lu/cert-web/security/Firewall/FW_Mail/970415_BW_1+port+442+firewall&hl=es&ie=UTF-8
and this:
http://216.239.39.100/search?q=cache:YzQ-AMVyzFEC:www.macroint.com/nsg/border/4-1keys.pdf+port+442+firewall+borderware&hl=es&ie=UTF-8

Maybe you have  a Borderware firewall there (BTW, it's pretty uncommon).
It seems to be an application-level (proxy) firewall so it fits with some
of the things you have found.
More info at
http://www.borderware.com/products/fw/fwserver.html

It seems that it runs on hardened OS (based on BSD 4.4) on Intel so it does fit
your fingerprinting. You might want to read the Security Target, it's certified
EAL4 and EAL5 so it might be a tough one :)
http://www.cesg.gov.uk/assurance/iacs/itsec/cpl/media/sectarg/borderware6_5.pdf

4) The majority of the ports open on the unknown device are forwards to
open ports on the Webserver EXCEPT port 53. I tried to
nslookup -class=chaos -type=txt version.bind [the device] and it returns
unknown domain so I evaluate that the chances for it to be bind are fairly
low.

Bordeware provides a name server. Which adds greater confidence on my guess :)
Also, it doesn't seem to be ISC's bind. Also, due to proxying I'd gather that
the OS fingerprinting done to the webserver and mailserver are in fact results
realted to the firewall.



5) The telnet port on the internal interface of the device seems to be
broken, no daemon listens to it even it the port is open.

Probably because it's a proxy (transparent?) and will not work. Try to do
*outbound* connections.

Anyone sees any telltale signs of a particular OS/device here? In my
opinion
it could be a cisco or maybe a freebsd box but I'm really unsure. Some
help/comments would be appreciated.


My guess (after some Google research): you have a Borderware firewall. It does
not matter much since you pierced the perimeter and now (since you are running
stuff in the webserver) you can make it completely transparent. Try testing the
firewall in order to determine which rules are allowed for outbound (from the
webserver or mailserver) connections.

BTW, you did not say so but my guess is that the mailserver is an Outlook Web
Access. Am I right? Unicode or ISAPI?

Regards

Javi
 

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault