Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Prabulingam_N1
Advisor

Vulnerability on CheckPoint Banner disclosure

Dear All,

I have a customer reporting on VA report with below:

Banner Disclosure: Fingerprinting

Per their VA scan - Outside Scan done on External IP of Firewall on Port:443

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

HTTP/1.0 404 Not found
Date: Thu, 21 Oct 2017 17:17:50 GMT
Server: Check Point SVN Foundation
Conten-Type: text/html
X-UA-Compatible: IE-EmulateIE7
Conenction: Close
X-Frame-Options: SAMEORIGIN
Last-Modified: Sat, 17 Jan 2015 19:00:00 GMT
Content-Length: 204

<HTML>
<HEAD>
<TITLE>404 File Not Found >/TITLE>
</HEAD>

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Per above, it means that External person knows that the organisation is Protected by CheckPoint Firewall and can focus on some accurate methods inorder to enter internal networks.

So customer would like to make the Banner display: CheckPOint SVN Foundation to be masked.

Is there any possibility?

Note: Customer do not have IPS Blade 

Scan has done using Burp Suite Tool v1.7.03 Free edition

Any response would be helpful.

Regards, Prabulingam.N

0 Kudos
7 Replies
PhoneBoy
Admin
Admin

Are you using any features that require the gateway to be accessed on port 443 externally?

If not, you might want to prevent access to it entirely.

See: HTTP and HTTPS requests to external interfaces create implied rule 0 accepts in SmartView Tracker 

As far as I know, there is no way to change the banner in this situation.

0 Kudos
Michael_Lawrenc
Contributor

I would also point out that I have yet to find a way to make a gateway invisible on port 43.  Even with implied rules off, and an explicit rule blocking port 43, it still shows up in scans.  Traffic to 43 does get BLOCKED, but the port is still VISIBLE.  Why the daemon is responding in any way when I've written an explicit stealth rule is beyond me and something I wish Check Point would fix. (Why is it sending an ACK? The SYN should die in the kernel.) It's a security device - we need to have the ability to make any port completely dark.  Yeah, I know, the Big Boys want "ease of use."  But, seriously, we should be able to turn a firewall into a black hole to any scan on any interface.  Customer do NOT like it when their firewall shows up on a scan and they can't make it go away. (I've run into this on both R77 and R80)

0 Kudos
PhoneBoy
Admin
Admin

The SK I linked to earlier should resolve that issue.

0 Kudos
Hugo_vd_Kooij
Advisor

Your firewall is also a router. So if there is any server at all visible behind the firewall you will be able to detect the firewall.

Just like you can map the Chinese wall on internet for HTTP traffic.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
Prabulingam_N1
Advisor

Yes, it is.

Since customer had an internal server we have steps inorder to remove those hearders of Server.

But CheckPoint SVN header cannot be removed?

Regards, Prabulingam.N

0 Kudos
PhoneBoy
Admin
Admin

We provide no way to remove the banner and as noted in SK, it's expected behavior: Server disclosure on port 18264 

Even if we removed the banner, there are less obvious ways to tell a gateway is Check Point, for example the various ports we use: Ports used by Check Point software 

0 Kudos
Prabulingam_N1
Advisor

Dear Dameon,

Thanks for your inputs.

Regards, Prabulingam.N

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events