Penetration Testing mailing list archives

Testing load balanced servers behind NAT


From: Andrew Koh <drewkoh () dingoblue net au>
Date: Thu, 06 Sep 2001 17:23:50 +1000

Greetings!

I'm currently doing a quick vulnerability test using nessus on some of our machines which are load balanced behind a firewall/NAT system. As there are a few machines distributed on the virtual IP, I was wondering if there's any way to make sure that when nessus connects to the virtual IP, it will keep hitting the same server.
How would I test each server in the pool?

Also, is there any other documentation on identifying hosts behind proxy/NAT (like FW-1), their internal IP and getting to other internal machines which are not directly accessible from outside?

On identifying hosts:
From what I have read so far, it's possible to elicit responses by crafting packets with missing packet fragments and invalid IP header lengths/field values. Then you match up the TTL, TOS and DF bits from the responses to see if it's different from the firewall. (Of course you need to ID the firewall first.) That's assuming the various ICMP types haven't been filtered.

On getting internal IP:
Besides misconfigured DNS and SNMP, are there any other ways to find out internal host IP?

On routing to internal machines:
The only way I can think of is bouncing off other internal hosts which are accessible to the Internet. How does source routing work, as there are many routers out there which filter them?

Any thoughts?

p.s. yeah, I'm trying to prove to my boss that a FW-1 solution isn't the be-all-end-all :)

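One way to answer the "did my scan reach every server in the pool?" question from the post, as an added example that is not part of the original message or of nessus: record which backend answered each probe sent to the virtual IP, then compare against the known pool. It assumes the backends can be told apart by a response header (a constructed `X-Backend` header is used here; on a real pool a per-host ETag or a tiny per-host page would serve the same purpose) and that the pool membership is known to the tester.

```python
"""Tally which backend behind a load-balanced VIP answered each probe.

Added example, not from the original post. Assumes each backend marks its
responses with a distinguishing header (constructed 'X-Backend' below) and
that the tester knows the pool members, so a VIP scan can be checked for
which servers it actually exercised and which still need a direct scan.
"""
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample: raw HTTP responses from six probes to one virtual IP.
SAMPLE_RESPONSES: List[bytes] = [
    b"HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Backend: web-1\r\n\r\nok",
    b"HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Backend: web-2\r\n\r\nok",
    b"HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Backend: web-1\r\n\r\nok",
    b"HTTP/1.1 200 OK\r\nServer: Apache\r\nx-backend:  web-2 \r\n\r\nok",
    b"HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Backend: web-1\r\n\r\nok",
    b"HTTP/1.1 503 Unavailable\r\nServer: Apache\r\n\r\n",  # no marker at all
]
# Constructed pool membership (hypothetical host names).
POOL = ["web-1", "web-2", "web-3"]


def backend_id(raw: bytes, header: str = "x-backend") -> Optional[str]:
    """Return the backend marker from one raw HTTP response, or None."""
    head, _, _ = raw.partition(b"\r\n\r\n")          # headers only, drop body
    for line in head.split(b"\r\n")[1:]:            # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == header.lower().encode():
            return value.strip().decode(errors="replace")
    return None


def tally(responses: List[bytes], header: str = "x-backend") -> Counter:
    """Count probes per backend; unmarked responses land in 'unknown'."""
    return Counter(backend_id(r, header) or "unknown" for r in responses)


def coverage(responses: List[bytes], pool: List[str],
             header: str = "x-backend") -> Dict[str, object]:
    """Report which pool members the VIP scan hit, which it missed, and
    whether every marked reply came from a single (sticky) backend."""
    counts = tally(responses, header)
    seen = {b for b in counts if b != "unknown"}
    return {
        "hit": sorted(seen & set(pool)),
        "missed": sorted(set(pool) - seen),   # scan these directly
        "unexpected": sorted(seen - set(pool)),
        "sticky": len(seen) == 1,
        "unmarked": counts["unknown"],
    }


if __name__ == "__main__":
    print(coverage(SAMPLE_RESPONSES, POOL))
```

A missed entry means the balancer never routed a probe to that member, so a VIP-only scan cannot vouch for it; scan it by its real address from inside instead.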

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
