Re: Fingerprinting Firewall

From: Demetrio Carrión (demetrio.carrion_at_gmail.com)
Date: 05/06/05

    Date: Fri, 6 May 2005 16:19:38 -0300
    To: pen-test@lists.securityfocus.com
    
    

    Hi,

    I think of a particular case where you are able to sniff layer two
    traffic in the firewall segment and this firewall is an
    appliance-based one.

    Would it be possible to discover the firewall vendor by correlating the
    firewall MAC layer address and the OUI, then someone could narrow the
    firewall to a specific vendor and possible versions?

    Just guessing.

    Cheers,

    Demetrio Carrion
    IT Security Consultant

    On 4/8/05, Byron L. Sonne <blsonne@rogers.com> wrote:
    >
    > > We all know that, we can identify firewall using various methods and tools like "firewalk".
    > > Is there any method or tool available which will remotely fingerprint and enumerate rule
    > > base configured on the firewall?
    >
    > Well, more accurately put, firewalk does not identify firewalls as much
    > as it enumerates what kind of traffic will be passed as well as allowing
    > you to figure out ACLs in use.
    >
    > Generally speaking I don't think you'll be able to come up with
    > something along the lines of nmap that will allow you to determine what
    > kind of firewall is in place. Certainly not reliably for all firewalls
    > and in all situations; there's just too much variability in how rules can
    > be configured or traffic scrubbed.
    >
    > What I do think is possible is the creation of a tool that will narrow
    > the field down to a group of firewalls.
    >
    > However, I suppose that for peculiar situations, either from grievous
    > design error or peculiar configurations, certain firewalls might stick
    > out like a sore thumb. But my suspicions are that would be rare.
    >
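
The MAC-to-OUI correlation raised in this message, as an added example that is not part of the original thread: it splits a MAC address into its OUI and checks the two flag bits that decide whether an OUI lookup means anything at all. The table entries, vendor names and function names are constructed placeholders, not real IEEE assignments; a real lookup would load the IEEE OUI registry.

```python
import re

# Constructed sample table: prefixes and vendor names are placeholders,
# not real IEEE assignments. Load the IEEE OUI registry in practice.
SAMPLE_OUI_TABLE = {
    "0053AA": "ExampleVendor Appliances (placeholder)",
    "0053BB": "ExampleVendor NICs (placeholder)",
}

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).upper()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def classify_mac(mac, oui_table=SAMPLE_OUI_TABLE):
    """Return the OUI, the I/G and U/L flag bits, and a vendor hint if valid."""
    digits = normalize_mac(mac)
    first_octet = int(digits[:2], 16)
    result = {
        "oui": digits[:6],
        "multicast": bool(first_octet & 0x01),             # I/G bit
        "locally_administered": bool(first_octet & 0x02),  # U/L bit
        "vendor": None,
    }
    # Only a universally administered unicast address carries an assigned
    # OUI. Locally administered addresses (virtual interfaces, overridden
    # MACs) and multicast addresses say nothing about the manufacturer.
    if not result["multicast"] and not result["locally_administered"]:
        result["vendor"] = oui_table.get(digits[:6])
    return result


if __name__ == "__main__":
    # Constructed source addresses, as they might appear in a capture.
    for sample in ("00:53:aa:12:34:56", "02-53-AA-12-34-56", "0100.5e00.00fb"):
        print(sample, classify_mac(sample))
```

A match names the organization that registered the interface's address block, so it is a hint about the hardware vendor only and does not by itself establish the firewall product or version.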

