I'm not a firewall expert, but you could use FIREWALKING (a traceroute-like analysis) to map hosts behind it, and to prove that a firewall is not a *risk free* solution in network security, like most management people think.

Also, if the firewall is being used for VPN authentication, and if it is not current on security patches, you could download network topology from it. (Sorry, don't remember the links, just the idea - maybe I'm wrong)

FIREWALK: http://www.packetfactory.net/Projects/Firewalk/firewalk-final.html

My 2 cents

-----Original Message-----
From: Andrew Koh [mailto:drewkohat_private]
Sent: Thursday, September 06, 2001 9:24
To: pen-testat_private
Subject: Testing load balanced servers behind NAT

Greetings!

I'm currently doing a quick vulnerability test using nessus on some of our machines which are load balanced behind a firewall/NAT system. As there are a few machines distributed on the virtual IP, I was wondering if there's any way to make sure that when nessus connects to the virtual IP, it will keep hitting the same server. How would I test each server in the pool?

Also, is there any other documentation on identifying hosts behind proxy/NAT (like FW-1), their internal IP and getting to other internal machines which are not directly accessible from outside?

On identifying hosts: From what I have read so far, it's possible to elicit responses by crafting packets with missing packet fragments and invalid IP header lengths/field values. Then you match up the TTL, TOS and DF bits from the responses to see if it's different from the firewall. (Of course you need to id the firewall first). That's assuming the various ICMP types haven't been filtered.

On getting internal IP: Besides misconfigured DNS and SNMP, are there any other ways to find out internal host IP?

On routing to internal machines: The only way I can think of is bouncing off other internal hosts which are accessible to the Internet. How does source routing work as there are many routers out there which filter them.

Any thoughts?

p.s. yeah, I'm trying to prove to my boss that a FW-1 solution isn't the be-all-end-all :)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 10:59:46 PDT