Security Basics mailing list archives
Re: discovering a service behind a nated network
From: "P. Deelman" <p.deelman () hccnet nl>
Date: Wed, 08 Sep 2004 09:29:01 +0200
linux user wrote:
> Hiya all, I would like to discover if a service that is behind a NATed network is still working. For example, if a web server is in a private network, NATed behind a gateway, how could I, from an external network, check if the server is down or there are network problems between the server and the gateway? Is there a way to use a tool such as traceroute for a NATed/firewalled network from an external link?

If a webserver is behind a gateway, then the only way to check if it's down is to telnet to the specific port and see if the webserver gives you any output. Traceroutes and pings are ICMP based and handled by the gateway. These could also be denied or forwarded. This is only solvable if you could log onto the gateway and check from there.

> The reason I am asking this is because I have been asked that question at a job interview, and I did not know what the correct answer was; it was related to a web cluster farm then.

If it's a cluster then the gateway would probably do some kind of load balancing, and without any extra tools at your disposal on the gateway you probably wouldn't even know something went wrong. A good cluster is redundant all the way: 2 switches and 2 NICs in every box. The gateway would notice that a webserver in the farm is down (due to the heartbeat software on the gateway, which regularly checks if a machine's service is running, or the box at all) and will remove it from the forwarding table.

> Another reason is how to troubleshoot a service that has been port forwarded from the gateway: the port forwarding works for other services, but this specific service is not reachable, and you cannot tell whether the NATed box was down, or the route was down, or what. You could argue that you can use ssh to the gateway server, but that is run by a different dept. and you have no access to it.

A gateway that is run for a webcluster and does some kind of balancing, and then it would be run by another dept? This is not good. The only way to see then if the gateway is up or not is to ping it and maybe check other forwarded services that are routed to other boxes. That way you could see if the gateway is down or just the webserver(s).

> Sorry if my English language is a bit rusty. TIA, Anst

From a technical point of view: to run all services from 1 IP that is a webcluster and probably a mailcluster too is not good. A decent ISP has spread its services across several IPs, and a gateway that does load balancing for a webcluster should be reachable for the sysops, or at least have some tools on the gateway to check what is down and also the ability to ssh to specific boxes to check what's wrong with an individual machine. Of course configuration should be centrally managed by some box which holds all config files with CVS capabilities.
If all of the above is not possible, then the only way I could think of is to go and visit the box, wasting precious time driving to the colo provider, checking in through security, logging into the box, maybe resetting it (thank god for remote power switches) and driving back to the office, wasting AT LEAST an hour. Also keep in mind that working at your colo is more unpleasant than from behind your desk at the office.

There is also another way, and that is to set up an external box and let all (web)servers connect to it using a reverse ssh tunnel, but then the gateway and its firewall are rendered useless if that external box is compromised.

Conclusion: the question asked of you raises a lot of questions of good system management. But nonetheless, good questions to test knowledge.
Patrick
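The check the reply recommends, as an added example that is not part of the original thread: connect to the forwarded port from outside, send a minimal HTTP request and look at what comes back, then compare the result with a probe of another forward on the same gateway to tell "gateway or path down" from "only this backend down". The hosts and ports are placeholders; the loopback stand-in server and the closed-port helper exist only so the script runs offline.

```python
"""Probe a port-forwarded web service from outside a NAT gateway.

Added example, not code from the original thread. It turns the reply's
advice ('telnet to the specific port and see if the webserver gives you
any output', then compare with another forward on the same gateway to
tell gateway failure from backend failure) into a small script that
classifies each probe so a monitor or an on-call person can act on it.
"""
import http.server
import socket
import threading

# Probe outcome labels returned by probe_http()
OK = "ok"                    # TCP connect succeeded and an HTTP status line came back
NO_HTTP = "no-http"          # TCP connect succeeded but the peer did not speak HTTP
REFUSED = "refused"          # gateway or backend answered the SYN with a reset
TIMEOUT = "timeout"          # nothing came back: filtered, route down, or host down
UNREACHABLE = "unreachable"  # the OS reported no route / host unreachable


def probe_http(host, port, timeout=3.0, path="/"):
    """Connect over TCP, send a minimal HTTP/1.0 HEAD request, classify the result.

    Returns (label, detail): detail is the status line when one was read,
    otherwise the error text or a short explanation.
    """
    request = f"HEAD {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    connected = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            connected = True
            sock.sendall(request)
            data = sock.recv(256)
    except ConnectionRefusedError as exc:        # must precede the OSError branch
        return REFUSED, str(exc)
    except socket.timeout:
        # connect itself timed out -> filtered/down; silence after connect -> open but not HTTP
        return (NO_HTTP if connected else TIMEOUT), f"no response within {timeout}s"
    except OSError as exc:
        return UNREACHABLE, str(exc)
    first_line = data.split(b"\r\n", 1)[0]
    if first_line.startswith(b"HTTP/"):
        return OK, first_line.decode(errors="replace")
    return NO_HTTP, repr(first_line[:40])


def diagnose(target, reference):
    """Combine the suspect forward's label with that of another forward on
    the same gateway, following the reply's reasoning: if the reference
    fails too, suspect the gateway or the path rather than the backend."""
    if target == OK:
        return "service answering"
    if reference in (TIMEOUT, UNREACHABLE):
        return "gateway or path down: reference forward fails too"
    if target == REFUSED:
        return "gateway up; backend refusing or forward aimed at a closed port"
    if target == TIMEOUT:
        return "gateway up; this forward filtered or backend not answering"
    if target == NO_HTTP:
        return "gateway up; port answers but not with HTTP, check the forward"
    return "inconclusive"


# --- constructed local stand-in for a backend, so the example runs offline ----

class _Backend(http.server.BaseHTTPRequestHandler):
    """Stand-in web server: answers HEAD with 200 and keeps the console quiet."""

    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):
        pass


def start_local_backend():
    """Start the stand-in server on an ephemeral loopback port; returns (server, port)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _Backend)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def closed_loopback_port():
    """Pick a loopback port nothing listens on, to produce a 'refused' result."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_local_backend()
    try:
        good = probe_http("127.0.0.1", port)
        dead = probe_http("127.0.0.1", closed_loopback_port())
        print("healthy backend:", good, "->", diagnose(good[0], OK))
        print("dead backend:   ", dead, "->", diagnose(dead[0], OK))
    finally:
        srv.shutdown()
        srv.server_close()
```

Against a real gateway you would call `probe_http` with the public address and the forwarded port, and pass as the reference the label of a second forward that is known to work; the split between "refused" and "timeout" is what separates a backend that is down or mis-forwarded from a path that silently drops the traffic, which is exactly what ping and traceroute cannot tell you through a gateway that handles ICMP itself.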