Re: discovering a service behind a nated network

From: P. Deelman (p.deelman_at_hccnet.nl)
Date: 09/08/04

    Date: Wed, 08 Sep 2004 09:29:01 +0200
    To: linux user <linuxteam@gmail.com>, security-basics@securityfocus.com
    
    

    linux user wrote:

    >Hiya All,
    >
    >I would like to discover if a service that is behind a NATed network
    >is still working. For example, if a web server is in a private network,
    >NATed behind a gateway, how could I, from an external network, check
    >if the server is down or there are network problems between the server
    >and the gateway? Is there a way to use a tool such as traceroute for a
    >NATed/firewalled network from an external link?
    >
    If a webserver is behind a gateway, then the only way to check if it's
    down is to telnet to the specific port and see if the webserver gives you
    any output. Traceroutes and pings are ICMP based and handled by the
    gateway. These also could be denied or forwarded. This is only solvable
    if you could log onto the gateway and check from there.

    >The reason I am asking this is because I have been asked that
    >question on a job interview, and I did not know what the correct
    >answer was; it was related to a web cluster farm then.
    >
    If it's a cluster then the gateway would probably do some kind of
    load balancing, and without any extra tools at your disposal on the
    gateway you probably wouldn't even know something went wrong. A good
    cluster is redundant all the way: 2 switches and 2 NICs in every box.
    The gateway would notice that a webserver in the farm is down (due to
    the heartbeat software on the gateway which regularly checks if a
    machine's service is running, or the box at all) and will remove it from
    the forwarding table.

    >Another reason is how to troubleshoot a service that has been port
    >forwarded from the gateway. The port forwarding works for other
    >services, but this specific service is not reachable, and you cannot
    >tell whether the NATed box was down, or the route was down, or what.
    >You could debate that you can use ssh to the gateway server, but then
    >that is run by a different dept. and you have no access to that.
    >
    A gateway that is run for a webcluster and does some kind of balancing,
    and then it would be run by another dept? This is not good. The only way
    to see then if the gateway is up or not is to ping it and maybe check
    other forwarded services that are routed to other boxes. That way you
    could see if the gateway is down or just the webserver(s).

    >Sorry if my English language is a bit rusty.
    >
    >TIA
    >
    >Anst
    >
    From a technical point of view: to run all services from 1 IP that is a
    webcluster and probably a mailcluster too is not good. A decent ISP has
    spread its services across several IPs, and a gateway that does
    load balancing for a webcluster should be reachable for the sysops, or at
    least have some tools on the gateway to check what is down and also the
    ability to ssh to specific boxes to check what's wrong with an
    individual machine. Of course configuration should be centrally managed
    by some box which holds all config files with CVS capabilities.

    If all of the above is not possible, then the only way I could
    think of is to go and visit the box, wasting precious time driving to the
    colo provider, checking in through security, logging into the box, maybe
    resetting it (thank god for remote power switches) and driving back to
    the office, wasting AT LEAST an hour. Also keep in mind that working at
    your colo is more unpleasant than from behind your desk at the office.

    There is also another way and that is to set up an external box and let
    all (web)servers connect to it using a reverse ssh tunnel, but then the
    gateway and its firewall are rendered useless if that external box is
    compromised.

    Conclusion: the question asked of you raises a lot of questions of good
    system management. But nonetheless, good questions to test knowledge.

    Patrick
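The checks Patrick describes (connect to the forwarded port and see whether the webserver answers, ping the gateway, and compare against other services forwarded through the same gateway to tell "gateway down" from "just the webserver down") can be scripted as a small availability probe. The following is an added example written for this page, not code from the thread or from any tool named in it. It assumes nothing about the reader's network: the `probe_tcp`, `http_status_line` and `diagnose` names are the example's own, and `demo_local` stands up a throwaway listener on 127.0.0.1 as a constructed stand-in for a forwarded web server so the whole thing runs offline.

```python
import socket
import threading


def probe_tcp(host, port, timeout=3.0):
    """The 'telnet to the specific port' check as a plain TCP connect.

    Returns 'open', 'refused', 'timeout' or 'unreachable'. A 'refused'
    means something at the far end actively answered with RST (host up,
    nothing listening or forward rule pointing at a dead port); a 'timeout'
    usually means the packets are being dropped somewhere on the path.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"


def http_status_line(host, port, timeout=3.0):
    """Connect, send a minimal HEAD request and return the status line
    (e.g. 'HTTP/1.0 200 OK'), or None if the port is open but the far
    end never speaks HTTP back (a forward rule pointing at the wrong box
    looks exactly like this)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            data = s.recv(512)
    except OSError:
        return None
    first = data.split(b"\r\n", 1)[0]
    return first.decode(errors="replace") if first.startswith(b"HTTP/") else None


def diagnose(gateway_ping_ok, other_forwarded_ok, target_ok):
    """Apply the post's reasoning from the outside of the NAT.

    other_forwarded_ok: at least one *other* port forwarded through the
    same gateway answered. If those answer and the target does not, the
    gateway and the link are fine and the fault is the target box or its
    forward rule; if nothing answers, suspect the gateway or upstream.
    """
    if target_ok:
        return "service reachable"
    if other_forwarded_ok:
        return "gateway up; target server or its port-forward rule is down"
    if gateway_ping_ok:
        return "gateway answers ping but forwards nothing; forwarding or internal network problem"
    return "gateway or upstream link down"


def demo_local():
    """Constructed stand-in for a forwarded web server: a one-shot HTTP
    listener on 127.0.0.1. Probe it while up, then after it has gone away,
    and return both observations."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port, no clash
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)
            conn.sendall(b"HTTP/1.0 200 OK\r\nServer: demo\r\n\r\n")

    t = threading.Thread(target=serve_once, daemon=True)
    t.start()
    while_up = http_status_line("127.0.0.1", port)
    t.join(timeout=5)
    srv.close()                          # now nothing listens on that port
    after_down = probe_tcp("127.0.0.1", port)
    return while_up, after_down


if __name__ == "__main__":
    up, down = demo_local()
    print("while listening:", up)        # HTTP/1.0 200 OK
    print("after shutdown: ", down)      # refused
    # Hypothetical field use: GATEWAY_IP / WEB_PORT / OTHER_PORT are placeholders.
    # gw_ok = probe_tcp(GATEWAY_IP, OTHER_PORT) == "open"
    # print(diagnose(gateway_ping_ok=True, other_forwarded_ok=gw_ok,
    #                target_ok=http_status_line(GATEWAY_IP, WEB_PORT) is not None))
```

The useful distinction for the interview question is in the return values: from outside you never see the private box directly, but "refused" versus "timeout" on the forwarded port, combined with whether sibling forwards still answer, narrows the fault to the gateway, the forward rule, or the server without any login on the gateway. Replace the ping input with an ICMP check of your own if the gateway answers echo requests; as the post notes, many do not.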


