Who rated this post

cancel
Showing results for 
Search instead for 
Did you mean: 
Bob_Zimmerman
Authority
Authority

Custom Application/Site Findings

For years, I've been wanting to test Check Point's Custom Application/Site objects' matching logic. Finally got a chance to.

Custom App-Site Test Topology.png

/etc/hosts on the client has these two lines added:

 

192.168.5.2     gooddomain.local subdomain.gooddomain.local
192.168.5.2     baddomain.local gooddomain.local.baddomain.local subdomain.gooddomain.local.baddomain.local

 

I built a self-signed certificate on the server and set up httpd(8) to serve a simple page via both HTTP and HTTPS using that self-signed cert. I build a small KSH script on the client with my test cases:

 

#!/bin/ksh
set -A domainsList "http://gooddomain.local/" \
"https://gooddomain.local/" \
"http://gOoDdOmAiN.lOcAl/" \
"https://gOoDdOmAiN.lOcAl/" \
"http://gooddomain.local:80/" \
"https://gooddomain.local:443/" \
"http://gOoDdOmAiN.lOcAl:80/" \
"https://gOoDdOmAiN.lOcAl:443/" \
"http://subdomain.gooddomain.local/" \
"https://subdomain.gooddomain.local/" \
"http://baddomain.local/" \
"https://baddomain.local/" \
"http://gooddomain.local.baddomain.local/" \
"https://gooddomain.local.baddomain.local/" \
"http://subdomain.gooddomain.local.baddomain.local/" \
"https://subdomain.gooddomain.local.baddomain.local/" \
"http://baddomain.local/gooddomain.local/" \
"http://gooddomain.local:password@baddomain.local/" \
"http://user:gooddomain.local@baddomain.local/" \
"http://baddomain.local/gooddomain.local" \
"http://baddomain.local/gooddomain.local/" \

for domain in ${domainsList[*]}; do
printf "%60s: " $domain
curl -k "$domain" >/dev/null 2>/dev/null
exitCode=$?
if [ $exitCode -eq 0 ]; then
echo "Success"
else
echo "   Fail ${exitCode}"
fi
done

 

And finally, I set up the policy on the firewall (standalone, R81.10 jumbo 94) in the middle. Here it is in abbreviated form:

 

"rulebase" : [ {
	"rule-number" : 1,
	"source" : [ "Any" ],
	"destination" : [ "Any" ],
	"service" : [ "GoodDomain" ],
	"action" : "Accept",
}, {
	"rule-number" : 2,
	"source" : [ "Any" ],
	"destination" : [ "Internet" ],
	"service" : [ "Any" ],
	"action" : "Accept",
}, {
	"rule-number" : 3,
	"source" : [ "ClientNet", "ServerNet" ],
	"destination" : [ "Outside Private (to reach my NTP server)" ],
	"service" : [ "Any" ],
	"action" : "Accept",
}, {
	"rule-number" : 4,
	"source" : [ "Any" ],
	"destination" : [ "Any" ],
	"service" : [ "SSH" ],
	"action" : "Accept",
}, {
	"rule-number" : 5,
	"source" : [ "Any" ],
	"destination" : [ "Any" ],
	"service" : [ "Any" ],
	"action" : "Drop",
} ]

 

"GoodDomain" is the Application/Site object I built for testing. HTTPS Inspection is not set up.

With the first rule's Application/Site object set to match "gooddomain.local" not as a regular expression:

 

obsd-client# ./domainTest.sh
                                    http://gooddomain.local/: Success
                                   https://gooddomain.local/: Success
                                    http://gOoDdOmAiN.lOcAl/: Success
                                   https://gOoDdOmAiN.lOcAl/: Success
                                 http://gooddomain.local:80/: Success
                               https://gooddomain.local:443/: Success
                                 http://gOoDdOmAiN.lOcAl:80/: Success
                               https://gOoDdOmAiN.lOcAl:443/: Success
                          http://subdomain.gooddomain.local/:    Fail 56
                         https://subdomain.gooddomain.local/:    Fail 35
                                     http://baddomain.local/:    Fail 56
                                    https://baddomain.local/:    Fail 35
                    http://gooddomain.local.baddomain.local/: Success
                   https://gooddomain.local.baddomain.local/: Success
          http://subdomain.gooddomain.local.baddomain.local/:    Fail 56
         https://subdomain.gooddomain.local.baddomain.local/:    Fail 35
                    http://baddomain.local/gooddomain.local/:    Fail 56
           http://gooddomain.local:password@baddomain.local/:    Fail 56
               http://user:gooddomain.local@baddomain.local/:    Fail 56
                     http://baddomain.local/gooddomain.local:    Fail 56
                    http://baddomain.local/gooddomain.local/:    Fail 56

 

Not great. It allows some potential phishing domains.

With the Application/Site object set to match "gooddomain.local/":

 

obsd-client# ./domainTest.sh                                                   
                                    http://gooddomain.local/: Success
                                   https://gooddomain.local/:    Fail 35
                                    http://gOoDdOmAiN.lOcAl/: Success
                                   https://gOoDdOmAiN.lOcAl/:    Fail 35
                                 http://gooddomain.local:80/: Success
                               https://gooddomain.local:443/:    Fail 35
                                 http://gOoDdOmAiN.lOcAl:80/: Success
                               https://gOoDdOmAiN.lOcAl:443/:    Fail 35
                          http://subdomain.gooddomain.local/:    Fail 56
                         https://subdomain.gooddomain.local/:    Fail 35
                                     http://baddomain.local/:    Fail 56
                                    https://baddomain.local/:    Fail 35
                    http://gooddomain.local.baddomain.local/:    Fail 56
                   https://gooddomain.local.baddomain.local/:    Fail 35
          http://subdomain.gooddomain.local.baddomain.local/:    Fail 56
         https://subdomain.gooddomain.local.baddomain.local/:    Fail 35
                    http://baddomain.local/gooddomain.local/:    Fail 56
           http://gooddomain.local:password@baddomain.local/:    Fail 56
               http://user:gooddomain.local@baddomain.local/:    Fail 56
                     http://baddomain.local/gooddomain.local:    Fail 56
                    http://baddomain.local/gooddomain.local/:    Fail 56

 

Worse, as it doesn't allow HTTPS.

 

Would anybody like to see other URLs tested? I plan to explore other matching expressions, and I plan to try to enable HTTPS Inspection.

Edit: I realized I should include the exit codes in case some failures are for things other than connectivity being prevented. And of course, I discovered that subdomain.gooddomain.local.baddomain.local was failing to resolve, so I added that to /etc/hosts on the client. Modifications made to the hosts file, the script, and the results above.

Edit 2: Added some phishy paths to the script and the results.

Who rated this post