RE: Testing load balanced servers behind NAT

From: Javier Megias (jmegias@hyphop.com)
Date: 09/07/01


From: "Javier Megias" <jmegias@hyphop.com>
To: "'Andrew Koh'" <drewkoh@dingoblue.net.au>, <pen-test@securityfocus.com>
Subject: RE: Testing load balanced servers behind NAT
Date: Fri, 7 Sep 2001 13:09:08 +0200
Message-ID: <005f01c1378d$84b1b640$e100a8c0@hyphop.hh>

I'm not a firewall expert, but you could use FIREWALKING (a traceroute-like
analysis) to map hosts behind it, and to prove that a firewall is not a *risk
free* solution in network security, like most management people think. Also,
if the firewall is being used for VPN authentication, and if it is not current
on security patches, you could download the network topology from it. (Sorry,
I don't remember the links, just the idea; maybe I'm wrong.)

FIREWALK: http://www.packetfactory.net/Projects/Firewalk/firewalk-final.html

My 2 cents

-----Original Message-----
From: Andrew Koh [mailto:drewkoh@dingoblue.net.au]
Sent: Thursday, 06 September 2001 9:24
To: pen-test@securityfocus.com
Subject: Testing load balanced servers behind NAT

Greetings!

I'm currently doing a quick vulnerability test using nessus on some of our
machines which are load balanced behind a firewall/NAT system. As there are
a few machines distributed on the virtual IP, I was wondering if there's
any way to make sure that when nessus connects to the virtual IP, it will
keep hitting the same server.
How would I test each server in the pool?

Also, is there any other documentation on identifying hosts behind a
proxy/NAT (like FW-1), their internal IPs, and getting to other internal
machines which are not directly accessible from outside?

On identifying hosts:
From what I have read so far, it's possible to elicit responses by crafting
packets with missing packet fragments and invalid IP header lengths/field
values. Then you match up the TTL, TOS and DF bits from the responses to
see if they're different from the firewall's. (Of course you need to ID the
firewall first.) That's assuming the various ICMP types haven't been
filtered.

On getting internal IP:
Besides misconfigured DNS and snmp, are there any other ways to find out
internal host IP?

On routing to internal machines:
The only way I can think of is bouncing off other internal hosts which are
accessible from the Internet. How does source routing work, as there are many
routers out there which filter it?

Any thoughts?

p.s. yeah, I'm trying to prove to my boss that a FW-1 solution isn't the
be-all-end-all :)
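Javier's reply above points at firewalking, which sends probes whose TTL is chosen to expire one hop past the gateway; that makes the gateway's own packet log the natural place to notice it. What follows is an added example, not part of the original thread and not code from the Firewalk project: a small Python detector run over constructed iptables-style log lines. It assumes the gateway logs packets with the iptables LOG target (the SRC=/DST=/DPT=/TTL= fields) and that a firewalk probe reaches the gateway with a TTL of about 2, whereas ordinary Internet traffic arrives with 64, 128 or 255 minus a handful of hops. The signal it looks for is one source hitting many destination ports with a single tiny, constant TTL. All addresses, thresholds and log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Fields of the iptables LOG target that the detector needs; everything else
# on the line is ignored.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT|TTL)=(\S+)")


def _log(src, dst, proto, dport, ttl, spt=40000):
    """Build one constructed syslog line in iptables LOG format (sample data)."""
    return (f"Sep  7 13:09:08 gw kernel: IN=eth0 OUT= SRC={src} DST={dst} LEN=40 "
            f"TOS=0x00 PREC=0x00 TTL={ttl} ID=0 PROTO={proto} SPT={spt} DPT={dport}")


# Constructed sample log (addresses from the RFC 5737 documentation ranges):
#  - 192.0.2.10: ordinary client traffic, TTL 57 (initial 64 minus 7 hops)
#  - 192.0.2.77: firewalk-style sweep, twelve ports, every probe arriving with TTL 2
#  - 192.0.2.33: a UDP traceroute, TTL rising by one per probe
#  - 192.0.2.50: a client from a different stack, TTL 118 (initial 128 minus 10)
SAMPLE_LOG = (
    [_log("192.0.2.10", "198.51.100.5", "TCP", 80, 57),
     _log("192.0.2.10", "198.51.100.5", "TCP", 443, 57)]
    + [_log("192.0.2.77", "198.51.100.5", "TCP", p, 2, spt=53)
       for p in (21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445)]
    + [_log("192.0.2.33", "198.51.100.5", "UDP", 33434 + i, 1 + i) for i in range(6)]
    + [_log("192.0.2.50", "198.51.100.9", "TCP", 22, 118)]
    + ["Sep  7 13:09:09 gw sshd[4242]: Accepted publickey for ops from 192.0.2.10"]
)


def parse_line(line):
    """Return {src, dst, proto, dport, ttl} for an iptables LOG line, else None.

    ICMP log lines carry TYPE=/CODE= instead of DPT=, so they are skipped here.
    """
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "DST", "DPT", "TTL"} <= set(fields):
        return None
    return {"src": fields["SRC"], "dst": fields["DST"],
            "proto": fields.get("PROTO", "?"),
            "dport": int(fields["DPT"]), "ttl": int(fields["TTL"])}


def detect_firewalk_sweeps(lines, max_ttl=3, min_ports=8):
    """Flag (src, dst) pairs that probed many ports with one small, constant TTL.

    A firewalk probe is built to expire one hop past the gateway, so the gateway
    sees it with a TTL of roughly 2. A traceroute also sends small TTLs but
    increments them per probe, so its packets spread over several buckets and
    never reach min_ports in any single one.
    """
    buckets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ttl"] > max_ttl:
            continue
        buckets[(rec["src"], rec["dst"], rec["ttl"])].add(rec["dport"])
    alerts = []
    for (src, dst, ttl), ports in sorted(buckets.items()):
        if len(ports) >= min_ports:
            alerts.append({"src": src, "dst": dst, "ttl": ttl,
                           "ports": sorted(ports)})
    return alerts


if __name__ == "__main__":
    for alert in detect_firewalk_sweeps(SAMPLE_LOG):
        print(f"firewalk-style sweep: {alert['src']} -> {alert['dst']} "
              f"TTL={alert['ttl']} ports={alert['ports']}")
```

On the sample data only the 192.0.2.77 sweep is reported; the traceroute from 192.0.2.33 falls into a different bucket for every probe and stays quiet. The thresholds are deliberately loose: a host that sits only a hop or two away sends everything with a large TTL anyway, and a logging point several hops inside the perimeter sees correspondingly smaller values, so `max_ttl` and `min_ports` should be tuned to where the log is actually taken.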

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
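The "On identifying hosts" part of the question describes comparing TTL, TOS and DF across replies that all carry the same public address, and the first part asks how many distinct servers answer behind one virtual IP. The following is an added example, not from the original thread, showing what that comparison sees and how header normalization on the firewall removes the signal. It uses constructed reply records (sample data), groups them by the (TTL, TOS, DF) triple, guesses each sender's initial TTL from the observed value, and provides a `normalize()` function standing in for a firewall rule that rewrites the outgoing TTL to a fixed value and clears TOS and DF; the function names, the `ttl_set` parameter and all sample values are assumptions.

```python
from collections import Counter

# Constructed sample replies (not from the original post) as captured on the
# outside of a NAT: every packet carries the same public source address, so
# only the IP-header attributes can tell the senders apart.
OBSERVED_REPLIES = [
    {"saddr": "198.51.100.5", "ttl": 117, "tos": 0x00, "df": True},   # stack with initial TTL 128, 11 hops away
    {"saddr": "198.51.100.5", "ttl": 53,  "tos": 0x00, "df": True},   # stack with initial TTL 64, 11 hops away
    {"saddr": "198.51.100.5", "ttl": 117, "tos": 0x00, "df": True},   # same sender as the first
    {"saddr": "198.51.100.5", "ttl": 53,  "tos": 0x10, "df": False},  # same initial TTL, different TOS/DF
    {"saddr": "198.51.100.5", "ttl": 244, "tos": 0x00, "df": False},  # the firewall itself, initial TTL 255
]

# Initial TTL values commonly used by IP stacks; the observed TTL is the
# initial value minus the number of hops traversed.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def signature(reply):
    """The header triple the question proposes comparing: (TTL, TOS, DF)."""
    return (reply["ttl"], reply["tos"], reply["df"])


def guess_initial_ttl(observed_ttl):
    """Smallest common initial TTL that is >= the observed value."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    return None


def distinct_stacks(replies):
    """Count replies per (TTL, TOS, DF) signature for one public address."""
    return Counter(signature(r) for r in replies)


def leaks_host_diversity(replies):
    """True when more than one signature is visible behind the address."""
    return len(distinct_stacks(replies)) > 1


def normalize(reply, ttl_set=64, clear_tos=True, clear_df=True):
    """Simulate a normalizing firewall rule applied to outgoing packets.

    Stands in for features such as pf's scrub options or the iptables TTL
    target (assumed configuration, not from the post): rewrite the TTL to a
    fixed value and clear the TOS byte and the DF bit.
    """
    out = dict(reply)
    out["ttl"] = ttl_set
    if clear_tos:
        out["tos"] = 0x00
    if clear_df:
        out["df"] = False
    return out


def audit(replies):
    """Return (signatures before normalization, signatures after)."""
    before = distinct_stacks(replies)
    after = distinct_stacks(normalize(r) for r in replies)
    return before, after


if __name__ == "__main__":
    before, after = audit(OBSERVED_REPLIES)
    for (ttl, tos, df), n in sorted(before.items()):
        print(f"TTL={ttl:3d} (initial ~{guess_initial_ttl(ttl)}) TOS=0x{tos:02x} "
              f"DF={int(df)}  x{n}")
    print(f"distinct signatures before normalization: {len(before)}")
    print(f"distinct signatures after  normalization: {len(after)}")
```

On the sample data the raw replies split into four signatures (three back-end stacks plus the firewall itself), which is exactly the distinction the question describes; after normalization they collapse to one and the pool is no longer distinguishable from outside. Real firewalls offer this as packet normalization (pf's scrub with its `no-df` and `min-ttl` options, or rewriting the TTL in the iptables mangle table). Clearing DF interferes with path MTU discovery and a raised TTL floor only reduces the spread rather than equalizing it, so treat these as trade-offs to test on your own pool rather than a free fix.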
