Subject: [FW1] Users last authentication
All,

We have a CP FW 4.0 running on Solaris 2.5. I thought I would seek the help of this list on what we have learned so far in our attempts to access a customer's web site for a financial services application. I'm stuck and have run out of ideas/excuses.

To summarize the issue, the application on my users' PC uses an embedded web browser, IE to be exact. When the application is launched the browser comes up empty. If the user then attempts to access the web site from within the application, i.e. get news updates, download PDF files, etc., the embedded web browser contacts our firewall with a standard HTTP request. The firewall prompts the user for a username and password, and after this information is given to the firewall it completes the request. TCP sessions are established between the PC and the web site through the firewall acting as a proxy. This is how a normal HTTP request is handled, as far as I know.

The problem arises when the user attempts to update the data for the application by selecting an Update menu item. The application says that it is "Verifying System Version", "Processing Files", "Updating System Data" and then reports back that it was "Unable to read Security Key Information".

We did a sniffer trace of the update process, looking at traffic between the PC and our firewall. What appears to be happening is that the application initially establishes a TCP session to port 443 and makes a CONNECT HTTPS request to "website.com". The site responds, and the two machines establish several TCP sessions, with some HTML data (version info and graphics data) being sent to the PC. This is normal HTTPS traffic. The PC then establishes a TCP session to port 80 on the web site and makes an HTTP (not HTTPS) "GET http://website.com/cms/US/system/version.ini" request, to which the firewall responds with an "HTTP/1.0 401 Unauthorized" packet. The PC then repeats the Get Data request and it is denied again.

The PC then starts the CONNECT request again with the same results as before. Sniffing the data from the firewall to the "website.com" site shows TCP packets being sent to port 443 on the website.com site and the site responding from a source port of 443. But interestingly, we don't see any TCP port 80 (HTTP) packets during this time.

A check of the firewall logs shows the PC talking to the web site IP XX.XXX.XXX.com. The primary name server for the website.com domain says that this is a nonexistent site. I don't see any packets with a source or destination address from website.com. I do see one rejected packet that is stopped by Rule 29, which is for our Intel VPN concentrator in the DMZ. The interface for this rejected packet is "hme0" and not "daemon" (this sequence is saved in the firewall log file "website.log").

Any ideas on what is going on?

- What is the firewall doing with the "Get Data" requests?
- Why do the firewall logs show the PC talking to IP XX.XXX.XXX.com?
- What is IP XX.XXX.XXX.com?
- Why don't the logs show any communication with website.com?
- What's with the firewall invoking Rule 29?
- How do we blame this on website.com?

I have copies of the traces for your review if you want.

Eliot Irons
Information Services Security
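An added example, not part of the original post, that models the two exchanges the trace describes: a CONNECT to port 443 that the firewall tunnels, and a plain-HTTP GET for version.ini that the firewall answers with 401 Unauthorized. It assumes the firewall's challenge is HTTP Basic with a constructed realm, username and password (the actual challenge the FW-1 security server issues is not shown in the post); the request strings, the credentials and the realm are all constructed. It contrasts a client that answers the 401 challenge with one that simply repeats the same GET, which is the pattern seen in the sniffer trace.

```python
"""Model of an authenticating HTTP proxy (firewall) and two client behaviours.

Constructed example: the firewall's real challenge format, realm and user
database are assumptions; only the request lines and the 401/200 outcomes
are taken from the mailing-list post.
"""
import base64
from urllib.parse import urlsplit

# Assumed proxy user database and realm (not from the post).
PROXY_USERS = {"eirons": "s3cret"}
REALM = "FW-1 User Authentication"


def parse_request(raw: str):
    """Split a raw HTTP/1.0 request into (method, target, lowercase header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def credentials_ok(headers) -> bool:
    """Validate an 'Authorization: Basic <base64(user:pass)>' header."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        user, _, pwd = base64.b64decode(token).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return PROXY_USERS.get(user) == pwd


def firewall_proxy(raw_request: str) -> str:
    """Respond as the assumed authenticating proxy would to one request."""
    method, _target, headers = parse_request(raw_request)
    if method == "CONNECT":
        # The trace shows the HTTPS CONNECT succeeding, so it is tunnelled
        # without a user-auth challenge in this model.
        return "HTTP/1.0 200 Connection established\r\n\r\n"
    if method == "GET":
        if credentials_ok(headers):
            return "HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\nversion=1.0\r\n"
        # Unauthenticated plain HTTP is challenged, exactly the packet the sniffer saw.
        return f'HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm="{REALM}"\r\n\r\n'
    return "HTTP/1.0 405 Method Not Allowed\r\n\r\n"


def status_of(response: str) -> int:
    """Extract the numeric status code from a response status line."""
    return int(response.split(" ", 2)[1])


def build_get(url: str, credentials=None) -> str:
    """Build a proxy-style GET (absolute URL), optionally with Basic credentials."""
    lines = [f"GET {url} HTTP/1.0", f"Host: {urlsplit(url).netloc}"]
    if credentials:
        token = base64.b64encode(f"{credentials[0]}:{credentials[1]}".encode()).decode()
        lines.append(f"Authorization: Basic {token}")
    return "\r\n".join(lines) + "\r\n\r\n"


def browser_client(url: str, credentials) -> list:
    """A browser answers the 401 by retrying once with credentials; returns the status codes seen."""
    statuses = [status_of(firewall_proxy(build_get(url)))]
    if statuses[0] == 401:
        statuses.append(status_of(firewall_proxy(build_get(url, credentials))))
    return statuses


def embedded_app_client(url: str, attempts: int = 2) -> list:
    """An application that repeats the identical GET and never answers the challenge."""
    return [status_of(firewall_proxy(build_get(url))) for _ in range(attempts)]


if __name__ == "__main__":
    url = "http://website.com/cms/US/system/version.ini"
    print("CONNECT:", status_of(firewall_proxy("CONNECT website.com:443 HTTP/1.0\r\nHost: website.com:443\r\n\r\n")))
    print("embedded app:", embedded_app_client(url))
    print("browser:", browser_client(url, ("eirons", "s3cret")))
```

The `embedded_app_client` path reproduces the 401, 401 pair from the trace: a client that does not carry an `Authorization` header on the retry is denied in the same way each time, whatever the firewall's actual challenge format turns out to be.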