Re: How to discover FW-1 management module or GUI?

[Gareth Bromley <gbromley () intstar com>]

Alex Butcher wrote:
> Carmelo Floridia wrote:
> > How can i discover in a LAN the management module or the PC that run FW-1
> > GUI?
> You won't be able to discover the host running the GUI other than by
> sniffing the network and finding a host that's communicating with the
> management module. IIRC, the protocol used is 258/tcp.
Indeed, or 18190 for Firewall-1 NG??

However, better methods exist using IDS to pick up the signatures. The
GUI/Log viewer etc. spit out a lot of initial ASCII when communicating
with the firewall module, in the very familiar checkpoint format i.e.
:key ( value )

> From memory a few of the key values are:
username (Sent clear)
password (Sent in a hash format)
fw_encryption (Again clear) - Not sure about this one, but there are a
few encryption based negiotation strings.

After the initial auth/security has been agreed between GUI and mgmt
module, the data stream turns binary, maybe encrypted depending on your
firewall licence.

Snort is very good for picking this stuff up quickly.

Enjoy,

--Gareth Bromley

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/