Vulnerability on CheckPoint Banner disclosure
Dear All,
I have a customer reporting the below from a VA report:
Banner Disclosure: Fingerprinting
Per their VA scan - Outside Scan done on External IP of Firewall on Port:443
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
HTTP/1.0 404 Not found
Date: Thu, 21 Oct 2017 17:17:50 GMT
Server: Check Point SVN Foundation
Conten-Type: text/html
X-UA-Compatible: IE-EmulateIE7
Conenction: Close
X-Frame-Options: SAMEORIGIN
Last-Modified: Sat, 17 Jan 2015 19:00:00 GMT
Content-Length: 204
<HTML>
<HEAD>
<TITLE>404 File Not Found >/TITLE>
</HEAD>
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Per the above, it means that an external person knows that the organisation is protected by a Check Point firewall and can focus on some accurate methods in order to enter internal networks.
So the customer would like the banner display "Check Point SVN Foundation" to be masked.
Is there any possibility?
Note: The customer does not have the IPS Blade.
The scan was done using Burp Suite Tool v1.7.03 Free edition.
Any response would be helpful.
Regards, Prabulingam.N
Are you using any features that require the gateway to be accessed on port 443 externally?
If not, you might want to prevent access to it entirely.
See: HTTP and HTTPS requests to external interfaces create implied rule 0 accepts in SmartView Tracker
As far as I know, there is no way to change the banner in this situation.
I would also point out that I have yet to find a way to make a gateway invisible on port 43. Even with implied rules off, and an explicit rule blocking port 43, it still shows up in scans. Traffic to 43 does get BLOCKED, but the port is still VISIBLE. Why the daemon is responding in any way when I've written an explicit stealth rule is beyond me and something I wish Check Point would fix. (Why is it sending an ACK? The SYN should die in the kernel.) It's a security device - we need to have the ability to make any port completely dark. Yeah, I know, the Big Boys want "ease of use." But, seriously, we should be able to turn a firewall into a black hole to any scan on any interface. Customers do NOT like it when their firewall shows up on a scan and they can't make it go away. (I've run into this on both R77 and R80.)
The SK I linked to earlier should resolve that issue.
Your firewall is also a router. So if there is any server at all visible behind the firewall you will be able to detect the firewall.
Just like you can map the Chinese wall on internet for HTTP traffic.
Yes, it is.
Since the customer had an internal server, we have steps in order to remove those headers of the server.
But CheckPoint SVN header cannot be removed?
Regards, Prabulingam.N
We provide no way to remove the banner and as noted in SK, it's expected behavior: Server disclosure on port 18264
Even if we removed the banner, there are less obvious ways to tell a gateway is Check Point, for example the various ports we use: Ports used by Check Point software
Dear Dameon,
Thanks for your inputs.
Regards, Prabulingam.N