[FW1] Users last authentication





All,

We have a CP FW4.0 running on Solaris 2.5.  I thought I would seek the help of
this list on what we have learned so far in our attempts to access a customer's
web site for a financial services application.  I'm stuck and have run out of
ideas/excuses.

To summarize the issue, the application on my user's PC uses an embedded web
browser, IE to be exact.  When the application is launched the browser comes
up empty.  If the user then attempts to access the web site from within the
application, i.e. to get news updates, download PDF files, etc., the embedded web
browser contacts our firewall with a standard HTTP request.  The firewall
prompts the user for a username and password, and after this information is given
to the firewall it completes the request.  TCP sessions are established between
the PC and the web site through the firewall acting as a proxy.  This is how a
normal HTTP request is handled as far as I know.

The problem arises when the user attempts to update the data for the application
by selecting an Update menu item.  The application says that it is "Verifying
System Version", "Processing Files", "Updating System Data" and then reports back
that it was "Unable to read Security Key Information".  We did a sniffer trace
of the update process looking at traffic between the PC and our firewall.
What appears to be happening is that the application initially establishes a TCP
session to port 443 and makes a Connect HTTPS request to "website.com".  The
site responds back and the two machines establish several TCP sessions, with
some HTML data (version info and graphics data) being sent to the PC.  This is
normal HTTPS traffic.  The PC then establishes a TCP session to port 80 on the
web site and makes an HTTP (not HTTPS) "Get
http://website.com/cms/US/system/version.ini" request, to which the firewall
responds with an "HTTP /1.0 401 Unauthorized" packet.  The PC then repeats the
Get Data request and it is denied again.  The PC then starts the Connect
request again with the same results as before.  Sniffing the data from the
firewall to the "website.com" site shows TCP packets being sent to port 443 on
the website.com site and the site responding from a source port of 443.  But
interestingly we don't see any TCP port 80 (HTTP) packets during this time.

A check of the firewall logs shows the PC talking to the web site IP
XX.XXX.XXX.com.  The primary name server for the website.com domain says that
this is a nonexistent site.  I don't see any packets with a source or
destination address from website.com.  I do see one rejected packet that is
stopped by Rule 29, which is for our Intel VPN concentrator in the DMZ.  The
interface for this rejected packet is "hme0" and not "daemon" (this sequence is
saved in the firewall log file "website.log").

Any ideas on what is going on?  What is the firewall doing with the "Get Data"
requests?  Why do the firewall logs show the PC talking to IP XX.XXX.XXX.com?
What is IP XX.XXX.XXX.com?  Why don't the logs show any communication with
website.com?  What's with the firewall invoking Rule 29?  How do we blame this
on website.com?  I have copies of the traces for your review if you want.

Eliot Irons
Information Services Security
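As an added triage example (not code from the original post or from Check Point): a small Python script that pairs each client request line with the firewall's next status line in a trace like the one described above and reports targets whose plain-HTTP fetches were only ever refused with 401, which is the signature of an embedded client that never answers the firewall's authentication prompt. The trace lines are constructed sample data; only the host name, path and status code are taken from the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of request/status lines from the PC <-> firewall trace
# (">" PC to firewall, "<" firewall to PC); not the poster's real capture.
TRACE = [
    (">", "CONNECT website.com:443 HTTP/1.0"),
    ("<", "HTTP/1.0 200 Connection established"),
    (">", "GET http://website.com/cms/US/system/version.ini HTTP/1.0"),
    ("<", "HTTP/1.0 401 Unauthorized"),
    (">", "GET http://website.com/cms/US/system/version.ini HTTP/1.0"),
    ("<", "HTTP/1.0 401 Unauthorized"),
    (">", "CONNECT website.com:443 HTTP/1.0"),
    ("<", "HTTP/1.0 200 Connection established"),
]
REQUEST_RE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")
STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")

def host_port(method, target):
    """(host, port) from a CONNECT host:port target or an absolute-URI request target."""
    if method == "CONNECT":
        host, _, port = target.partition(":")
        return host, int(port or 443)
    m = re.match(r"^(https?)://([^/:]+)(?::(\d+))?", target)
    if not m:
        return None
    return m.group(2), int(m.group(3) or (443 if m.group(1) == "https" else 80))

def outcomes(trace):
    """Pair each client request with the firewall's next status line and count
    status codes per (method, host, port), e.g. {('GET','website.com',80): {401: 2}}."""
    table, pending = defaultdict(Counter), None
    for direction, line in trace:
        if direction == ">":
            m = REQUEST_RE.match(line)
            pending = (m.group(1), m.group(2)) if m else None
        elif direction == "<" and pending:
            m = STATUS_RE.match(line)
            hp = host_port(*pending)
            if m and hp:
                table[(pending[0],) + hp][int(m.group(1))] += 1
            pending = None
    return {k: dict(v) for k, v in table.items()}

def never_authenticated(trace):
    """Targets whose every non-CONNECT request was refused with 401: the client never
    answered the firewall's authentication challenge, so those fetches cannot succeed."""
    return sorted(f"{h}:{p}" for (m, h, p), codes in outcomes(trace).items()
                  if m != "CONNECT" and set(codes) == {401})
```

On the constructed trace the CONNECT tunnels to port 443 are accepted while every plain GET to port 80 gets 401, which matches the symptom in the post: the interactive browser can answer the firewall's prompt, the update routine cannot.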