> 1) The presence of the cvc_hostd (442) port on the two interfaces of the
> unknown device... anyone could comment?

Searching google I find this:
http://216.239.39.100/search?q=cache:NX2-uzZSPmkC:www.cert.lu/cert-web/security/Firewall/FW_Mail/970415_BW_1+port+442+firewall&hl=es&ie=UTF-8
and this:
http://216.239.39.100/search?q=cache:YzQ-AMVyzFEC:www.macroint.com/nsg/border/4-1keys.pdf+port+442+firewall+borderware&hl=es&ie=UTF-8

Maybe you have a Borderware firewall there (BTW, it's pretty uncommon). It seems to be an application-level (proxy) firewall, so it fits with some of the things you have found. More info at http://www.borderware.com/products/fw/fwserver.html

It seems that it runs on a hardened OS (based on BSD 4.4) on Intel, so it does fit your fingerprinting. You might want to read the Security Target; it's certified EAL4 and EAL5, so it might be a tough one :)
http://www.cesg.gov.uk/assurance/iacs/itsec/cpl/media/sectarg/borderware6_5.pdf

> 4) The majority of the ports open on the unknown device are forwards to
> open ports on the Webserver EXCEPT port 53. I tried to
> nslookup -class=chaos -type=txt version.bind [the device] and it returns
> unknown domain so I evaluate that the chances for it to be bind are fairly
> low.

Borderware provides a name server, which adds greater confidence to my guess :) Also, it doesn't seem to be ISC's bind.

Also, due to proxying I'd gather that the OS fingerprinting done to the webserver and mailserver are in fact results related to the firewall.

> 5) The telnet port on the internal interface of the device seems to be
> broken, no daemon listens to it even if the port is open.

Probably because it's a proxy (transparent?) and will not work. Try to do *outbound* connections.

> Anyone sees any telltale signs of a particular OS/device here? In my
> opinion it could be a cisco or maybe a freebsd box but I'm really unsure.
> Some help/comments would be appreciated.

My guess (after some Google research): you have a Borderware firewall. It does not matter much, since you pierced the perimeter and now (since you are running stuff in the webserver) you can make it completely transparent. Try testing the firewall in order to determine which rules are allowed for outbound (from the webserver or mailserver) connections.

BTW, you did not say so, but my guess is that the mailserver is an Outlook Web Access. Am I right? Unicode or ISAPI?

Regards
Javi

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Wed Aug 21 2002 - 08:46:49 PDT