geirh
Explorer

Logical Servers Object easy to manipulate with local host file

Hi 

We have created a Logical Server object to load balance to our back-end web servers. Everything works fine; however, it is easy to manipulate with the local hosts file if you know the internal web servers' DNS name.

The Logical Server is set up with a public IP and DNS name and does NAT to the internal back-end web servers. However, if you knew the DNS name of an internal web server and manipulated the local hosts file, putting in the public IP with the name of the internal web server, you would be routed through the Logical Server. There will be a CA error, but it works.

Here is the guide we followed: https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_NextGenSecurityGateway_Guide... 

We have tried to block this using HTTPS Inspection for incoming traffic, but this tool is useless, and we also expected that R80.40 had a higher TLS value (TLS 1.0 as min.??) and stronger ciphers, since HTTPS Inspection takes over as the front-end web server for security.

The HTTPS Inspection rule should have blocked incoming traffic if the web browser presented the wrong SNI.

Application & URL Filtering does not work either together with Logical Server objects; we receive some Layer error.

Please advise.

3 Replies
G_W_Albrecht
Champion

I would suggest involving TAC asap to get the issue resolved! But honestly, why did you have to manipulate the local hosts file at all? It should be very hard to manipulate the local hosts file in a secured production environment...

PhoneBoy
Admin

Manipulate the hosts file on what machine precisely?
Are you sure that HTTPS Inspection is actually activating in this case?

geirh
Explorer

First of all, HTTPS Inspection is turned on and activated on the FW.

We are trying to create a load balancer for our internal Kubernetes cluster; the Kubernetes cluster has internal and external DNS.

The FW rule is as follows:

Source:  Any
Dest:    Logical SRV, public IP 85.x.x.x, DNS: Api.Contoso.Com
NAT IP:  internal web servers 10.x.x.101-102, DNS inside: Admin.K8s.local.Com
Service: Https
Action:  Allow

As you see, if you know the internal DNS names (Admin.K8s.local.Com) from the internet and from a laptop update the hosts file like this: 85.241.20.85  Admin.K8s.local.Com, the rule above will not stop you; you receive a CA error. The Logical Server object should have an option to use a URL and not only the public IP.

The problem is, if you do as described above, you reach the Kubernetes Admin page,
