Reinaldo_Fernan
Contributor

Hostname disclosure

Hello All,

I'm looking for some advice on the following. We ran a Shodan scan against our domain and the report came back with some detailed information about the firewalls, for instance hostname, SmartCenter host and public IP address:

193.120.x.x

IrelandIreland, Dublin

Details CheckPoint

Firewall Host: B-ECOM-xxx.xx

SmartCenter Host: b-chk-mgmt-ecom-xxx.xxx.ie

Port 264

Any ideas on how to avoid this type of information being disclosed?

We have seen through our SIEM that China, for instance, is running this type of scan against our firewalls.

Many thanks,

Reinaldo

18 Replies
Lari_Luoma
Ambassador

Reinaldo_Fernan
Contributor

I understand and I saw the article from Check Point. The problem is that the scan is disclosing the firewall hostname and IP address, and that could lead to a possible attack. Our external SIEM team is advising us to mitigate this problem and we don't know how to proceed.

I know that the information is public, but I believe that it is not good practice to have the hostname and IP address disclosed to the big bad world.

Any thoughts? 

Lari_Luoma
Ambassador

Do you have a stealth rule in place?

Reinaldo_Fernan
Contributor

Yes, we do have a stealth rule in place. But I don't think that will mitigate the problem, as port tcp 264 is used for the VPN topology download.

Currently there are no rules allowing this type of traffic in the rule set, but if you run a scan against your domain you can get all the details as mentioned before: hostname, IP address, etc.

Try running a Shodan scan and you will see the results...

AlekseiShelepov
Advisor

Currently there are no rules allowing this type of traffic in the rule set, but if you run a scan against your domain you can get all the details as mentioned before: hostname, IP address, etc.

Have you checked the Implied Rules? This rule is activated as part of the "Accept Control connections" option in Global Properties.

So you would like to not show hostnames on this port, right? Is this the main issue you see? I believe a public IP address cannot be considered internal information.

The SmartCenter and Security Gateway names are part of the gateway certificate that is presented for authentication in many scenarios. The gateway name is in the Subject field of the certificate and the SmartCenter name is in the Issuer field, since the Internal CA runs on the SmartCenter. Certificate owner names and CA names are considered public information.

I will not run Shodan...

Reinaldo_Fernan
Contributor

Hi Aleksei,

Indeed the rule is in place.

What we are trying to accomplish is to not share the full hostname of the firewalls. The scan report provides the full hostname:

Firewall Host: B-ECOM-xxx.xx

SmartCenter Host: b-chk-mgmt-ecom-xxx.xxx.ie

I understand what you are saying, but our third-party SIEM team and manager don't. I have provided them with the official documentation from Check Point, but it seems not to be enough.

What I'm trying to do here is perhaps not display the full hostname, but I'm not sure if this is possible.

Many thanks.

JozkoMrkvicka
Authority

Isn't tcp_264 used only for the very old VPN client? HTTPS should be the only port for topology download for the new VPN client.

Kind regards,
Jozko Mrkvicka
Reinaldo_Fernan
Contributor

Jozko, please read the Check Point documentation about port tcp 264 and run a Shodan scan against your domain...

HTTPS is just for SSL VPNs.

JozkoMrkvicka
Authority

set hostname PLEASE_DONT_SCAN_US_THANKS

save config

Kind regards,
Jozko Mrkvicka
Reinaldo_Fernan
Contributor

Not really helpful but thank you for your suggestion.

I'm talking about a financial institution with several production devices.

JozkoMrkvicka
Authority

If you know the IP range this scan is coming from, just create a SAM rule and you are safe.

Kind regards,
Jozko Mrkvicka
Reinaldo_Fernan
Contributor

Thank you for the recommendation, Jozko.

We already thought about that possibility, but the scans come from all over the place (several sources and countries), and there is also the possibility of IP masquerading (VPN, proxy, etc.), so I don't think this will mitigate the problem.

JozkoMrkvicka
Authority

If you know the IP ranges which can use tcp_264 for VPN topology download (RA users), then you can specify them in the rulebase and disable the implied rule for this (not sure if it is possible for only one implied rule). All other attempts from outside the "white list" ranges will be blocked.

Kind regards,
Jozko Mrkvicka
PhoneBoy
Admin

As was stated in our official SK on the topic, we consider the disclosed information to be public: Check Point response to SecuRemote Topology Service Hostname Disclosure 

Short of blocking the relevant traffic, there is not currently a way to prevent the disclosure of this information.

Adding this capability would most likely require an RFE (Request for Enhancement), which should be brought through your local Check Point office.

Vladimir
Champion

A simple solution is to configure SmartEvent to blacklist external scanners.

By the time Shodan or other port scanners will go through the lower ports, they will be labeled as scanners, dropped and blocked:

JunedRafeek_kit
Contributor

Thank you for your input, I think this should be useful. Could you please recommend the number of connections to be configured?

Vladimir
Champion

I believe that there are default values populated already. I would suggest leaving those intact.

I lowered mine in the lab and ran into a situation where it locked me out.

I had to remove the SAM rule created by SmartEvent to regain access.

If you do have vulnerability scans going through the firewall, do not forget to add those to exceptions.

Regards,

Vladimir
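
The threshold-based scanner blacklisting Vladimir describes in the two replies above, as an added example that is not from the thread, from Check Point, or from SmartEvent itself: a Python replay of constructed log lines that flags a source once it has probed a configurable number of distinct ports, treats every later connection from it as blocked, and honours an exception list for the authorised vulnerability scanner. The log format, the threshold value, the 193.120.1.1 target and the exception range are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log (not Check Point log output, not from the thread):
# "time src dst dport action". 203.0.113.10 sweeps low ports before 264.
SAMPLE_LOGS = """\
10:00:01 203.0.113.10 193.120.1.1 21 drop
10:00:01 203.0.113.10 193.120.1.1 22 drop
10:00:02 203.0.113.10 193.120.1.1 23 drop
10:00:02 203.0.113.10 193.120.1.1 25 drop
10:00:03 203.0.113.10 193.120.1.1 80 drop
10:00:03 203.0.113.10 193.120.1.1 264 accept
10:00:05 198.51.100.7 193.120.1.1 264 accept
10:00:06 192.0.2.50 193.120.1.1 21 drop
10:00:06 192.0.2.50 193.120.1.1 22 drop
10:00:07 192.0.2.50 193.120.1.1 264 accept
"""

# Assumed threshold (distinct destination ports per source); SmartEvent ships
# its own defaults, which the thread advises keeping.
PORT_THRESHOLD = 5
# Assumed exception list: the range the authorised vulnerability scanner uses.
SCAN_EXCEPTIONS = [ipaddress.ip_network("192.0.2.0/24")]

def parse_line(line):
    ts, src, dst, dport, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "action": action}

def find_scanners(log_text, threshold=PORT_THRESHOLD, exceptions=SCAN_EXCEPTIONS):
    """Replay the log in order. A source is flagged the moment it has touched
    `threshold` distinct ports; every later connection from it is recorded as
    blocked (what the SAM rule SmartEvent creates would do). Exempt ranges are
    never flagged. Returns {src: [ports blocked after the flag]}."""
    ports_by_src = defaultdict(set)
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        src = rec["src"]
        if src in flagged:
            flagged[src].append(rec["dport"])
            continue
        if any(ipaddress.ip_address(src) in net for net in exceptions):
            continue
        ports_by_src[src].add(rec["dport"])
        if len(ports_by_src[src]) >= threshold:
            flagged[src] = []
    return flagged
```

With the threshold raised to 6 the same source is flagged only on its port 264 probe, so the topology request itself still gets through: the blacklist only helps if the scanner crosses the threshold on the lower ports first, which is the ordering the remark "by the time Shodan or other port scanners will go through the lower ports" depends on.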

JozkoMrkvicka
Authority
