Re: Raptor Firewall 6.5 Config

[Derrick <Derrick () anei com>]

Josh,

There are two other features of 6.5 that may being causing an issue.
First prior to 6.5 a rule of http universe universe would in fact allow
traffic in. As of 6.5 you now must specify source and dest interfaces that
traffic comes in and  goes out per each rule so this kind of overly open
rule is less likely.

Raptor as a firewall also has another side feature that can confuse
auditors. Many high ports may show open when nmapping and then later show
closed on the same scan. This is the whole keep a port open PNAT idea. So
you send a packet and the firewall has the port open for an existing
outbound connection. It allows you to connect sees your IP is wrong for
the established session it has in it's lookup table and then drops your
connection. This isn't so much with http but with other services like ssh
and telnet. We have had to answer to several audits involving random ports
being open on an nmap report and then I end up re-explaining this as a
non-issue every time. Remember Raptor is a layer 7 firewall and brings
everything to the application layer so it is not like looking at a plain
port filter firewall.

Derrick


On Tue, 8 Jan 2002, Mike Shaw wrote:

> I worked with raptor for several years, and what you are observing are the
> infamous "Raptor false positives".
>
> It's been few months since I worked with a Raptor box, but my understanding
> is this.  Once raptor has a standard proxy or GSP enabled, it 'opens' that
> port on all interfaces.  It allows you to make the connection to the
> outside interface, and then uses the rules to allow or deny the subsequent
> proxied connection.  Thus, you can 'connect' to all those ports, but you
> won't actually connect to the host unless there is a rule allowing it.
>
> So the only real danger is if they have misconfigured their rules.  If they
> put an "http universe - universe" rule in there, then yes--you'll be able
> to hit any box on the inside.  However, if they have a well designed
> ruleset you will only be able to hit the boxes they've explicitly
> allowed.  And if they've done it *right*, you will only be able to initiate
> connections from the outside (thereby eliminating any shoveled prompts,
> mailed pwdump output, etc).
>
> However, the fact that they have not patched the firewall indicates a high
> probability of over-permissive rules.
>
> Another thing to watch out for.  If they used a GSP (generic proxy) on
> those high ports (7070, 8080, etc) instead of the regular HTTP proxies,
> then you can do things that the normal HTTP proxy would have blocked.  I
> *think* this is true for FTP too if they used a redirection instead of the
> normal proxy method (normal being log in to the outside interface then use
> username@hostname to be forwarded).
>
> It's no fun for an auditor/pen-tester, because a plain ol' port scan won't
> give you the intelligence you're looking for.  Instead, you have to look
> through manually or do some creative scripting.  On the other hand, you can
> instantly tell certain things, since an open port other than the default
> list means a rule from 'somewhere to somewhere' which probably wouldn't be
> there unless it's in use.  For instance, you know they are using PCAnywhere
> and MSSQL.  That's something you may or may not have known before.
>
> Remember too that they can do port redirection, so even if you do see a
> particular service running on all hosts, that could mean that they've
> redirected several or all IP:ports to a single internal box.
>
> -Mike
>
> At 02:37 AM 1/8/2002 +0000, Josh wrote:
>
>
> > Hello,
> >
> > I am conducting a blind penetration test for a client
> > and have identified the firewall to be Raptor 6.5. It
> > appears to be loosely configured as the Raptor HTTP
> > proxy server vulnerability
> > (http://www.securityfocus.com/bid/2517) exists, and I
> > can reach internal addresses, etc.
> >
> > The port scan on the network revealed that many
> > TCP ports were open on the firewall and on the hosts
> > behind it. What seems strange to me is that the
> > results of the nmap scan show the same ports open
> > for every "active" host identified behind the Raptor.
> >
> > Is it possible that Raptor is talking to nmap and
> > opening ports based on a single ruleset for any host
> > behind the firewall? I can confirm that the hosts are
> > separate machines using other techniques. For
> > example, I don't see why the Raptor has port
> > 1433/TCP open for the Solaris machine I can see in
> > addition to several NT 4.0 hosts that might be running
> > MS SQL Server.
> >
> > The nmap scan shows the following ports open for
> > ANY host that I can ping or confirm as being alive and
> > behind the Raptor:
> >
> > Port       State       Service (RPC)
> > 21/tcp     open        ftp
> > 23/tcp     open        telnet
> > 25/tcp     open        smtp
> > 70/tcp     open        gopher
> > 80/tcp     open        http
> > 110/tcp    open        pop-3
> > 119/tcp    open        nntp
> > 139/tcp    open        netbios-ssn
> > 443/tcp    open        https
> > 444/tcp    open        snpp
> > 445/tcp    open        microsoft-ds
> > 512/tcp    open        exec
> > 513/tcp    open        login
> > 514/tcp    open        shell
> > 554/tcp    open        rtsp
> > 1433/tcp   open        ms-sql-s
> > 1720/tcp   open        unknown
> > 5631/tcp   open        pcanywheredata
> > 7070/tcp   open        unknown
> > 8080/tcp   open        http-proxy
> > 8181/tcp   open        unknown
> >
> > Can anyone with Raptor 6.5 experience speak to
> > this? Does this match up to some default
> > configuration for 6.5?
> >
> > It seems to me that the firewall is misconfigured. For
> > example, a developer could put a vanilla install of IIS 4
> > on one of my client's NT machines and unknowlingly
> > open up the whole network to attack since port 80 is
> > opened by Raptor for the host even though it isn't
> > currently running an HTTP service.
> >
> > Josh <josh () sway org>
> >
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> > Service. For more information on SecurityFocus' SIA service which
> > automatically alerts you to the latest security vulnerabilities please see:
> > https://alerts.securityfocus.com/
>
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/