This page contains all of the posts and discussion on MemeStreams referencing the following web page: Check Point Outbound Traffic Mystery.

Check Point Outbound Traffic Mystery
by Hijexx at 1:25 am EST, Feb 11, 2006

There's a blurb on the SANS handler's diary about a report of packets leaving a freshly built Check Point firewall. I wonder if this will turn out to be a hoax.

There were rumors long ago that the NSA found an IP address in Check Point code, presumably an artifact of unremoved debug code. If this new report turns out verifiable, I wonder how much truth those past rumors may have had after all.

Surreptitious phone home, faulty debugging, or hoax?

...

Published: 2006-02-10,
Last Updated: 2006-02-10 22:24:05 UTC by Lorna Hutcheson (Version: 1)

One of our readers, Jeff Peterson, submitted to us a packet capture that was coming from a newly built Checkpoint Firewall, Build 244. Here is what he observed in his own words:

"This file is from a freshly installed Checkpoint Firewall 1 VPN gateway. This machine was off-line until installation was completed and policy pushed.

Once the service starts and the first login attempt is completed, the interface of the machine starts blasting the captured information to two targeted destination IPs... Installation is from a Checkpoint supplied CD."

I did ask about the base OS being a fresh install and here are his comments as well:

"Yes. In fact I've built the server twice from scratch using only the Checkpoint supplied CD which includes the OS and Firewall, i.e. SecurePlatform. The outcome was the same both times."

Here is a short synopsis of the traffic being observed:

There are 4 UDP packets being sent to one IP address then switching to the other and sending 4 more. This repeats itself over and over. The one IP 48.28.223.239 doesn't appear to have anything assigned to it but belongs to Prudential Securities Inc. The other IP 152.96.109.99 belongs to:

descr: HSR Hochschule fuer Technik Rapperswil
descr: Rapperswil, Switzerland

Dst Port is 57327/UDP
Src port is 32768

If you would like to see two example packets, you can view them here:
http://isc.sans.org/diaryimages/packets for checkpoint.txt

The issue went away with new CDs being obtained from the vendor.

This is the only report we received about this so far. If you have observed similar traffic or have any ideas, please let us know.
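An added example, not part of the diary or this thread: detection logic that runs over constructed tcpdump-style lines and flags the pattern the diary describes (bursts of four UDP datagrams to one destination, then four to the other, all from source port 32768 to destination port 57327). The gateway address 192.0.2.10 and the sample lines are constructed; only the two destination IPs and the ports come from the diary.

```python
import re
from itertools import groupby

# Constructed tcpdump-style lines mimicking the traffic the diary describes.
# Not the actual capture; the real packet file is not reproduced on this page.
FIREWALL_IP = "192.0.2.10"                   # hypothetical gateway address
DESTS = ["48.28.223.239", "152.96.109.99"]   # the two IPs named in the diary
SAMPLE_LINES = ["12:00:00.000000 IP 192.0.2.10.32768 > 192.0.2.53.53: UDP, length 40"]
for cycle in range(3):
    for dst in DESTS:
        for i in range(4):
            SAMPLE_LINES.append(
                f"12:00:0{cycle}.{i:06d} IP {FIREWALL_IP}.32768 > {dst}.57327: UDP, length 64")

UDP_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)$")

def parse_udp(lines):
    """Return (src_ip, src_port, dst_ip, dst_port) tuples for UDP lines."""
    records = []
    for line in lines:
        m = UDP_RE.match(line)
        if m:
            records.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return records

def find_alternating_beacon(records, dst_port=57327, run_len=4):
    """Look for bursts of `run_len` datagrams to `dst_port` that alternate
    between exactly two destinations, as the diary reports."""
    flows = [r for r in records if r[3] == dst_port]
    if not flows:
        return None
    # Collapse consecutive datagrams to the same destination into runs.
    runs = [(dst, sum(1 for _ in grp)) for dst, grp in groupby(flows, key=lambda r: r[2])]
    dests = sorted({dst for dst, _ in runs})
    alternates = all(runs[i][0] != runs[i + 1][0] for i in range(len(runs) - 1))
    return {
        "destinations": dests,
        "source_ports": sorted({r[1] for r in flows}),
        "runs": [n for _, n in runs],
        "matches_pattern": len(dests) == 2 and alternates
                           and all(n == run_len for _, n in runs),
    }

if __name__ == "__main__":
    print(find_alternating_beacon(parse_udp(SAMPLE_LINES)))
```

The unrelated DNS line is parsed but does not match the 57327/UDP filter, so only the alternating bursts are reported.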


 
RE: Check Point Outbound Traffic Mystery (Build 244)
by Rattle at 5:16 am EST, Feb 11, 2006

One of our readers, Jeff Peterson, submitted to us a packet capture that was coming from a newly built Checkpoint Firewall, Build 244. Here is what he observed in his own words:

I'm not familiar with Checkpoint software distribution labeling. The only times I've done Checkpoint installs have been in concert with someone manning the preparation end, and always over a network using Jumpstart. Is there any more identifying information beyond "Build 244" present?

Things that would be helpful to any reasonable analysis:

** Most likely to require an NDA:

1) Disk images of the original software CDs.
2) Information about who the software was shipped to.
3) Postage tracking information contained on the packaging of the software distribution. Scans of the shipping package would be a good start.

** Something Jeff Peterson could make public:

4) Comparison of "Build 244" in this case to other known "Build 244" distributions. Publishing MD5SUM of "Build 244" CDs in question would be enough to further that process.
5) Anything that could place "Build 244" to a time of creation.

Update: Keep in mind that the destination IPs of the packets are not of (paramount) importance. Any network that either holds in common in its routing over the Internet would be the most interesting point of attention. If a packet traverses over a network, or hits the border of a network, it is visible, and hence identifiable based upon its destination address. Take a look and see the results in this situation...


  
RE: Check Point Outbound Traffic Mystery (Build 244)
by Hijexx at 12:38 pm EST, Feb 11, 2006

Rattle wrote:

Things that would be helpful to any reasonable analysis:

** Most likely to require an NDA:

1) Disk images of the original software CDs.
2) Information about who the software was shipped to.
3) Postage tracking information contained on the packaging of the software distribution. Scans of the shipping package would be a good start.

** Something Jeff Peterson could make public:

4) Comparison of "Build 244" in this case to other known "Build 244" distributions. Publishing MD5SUM of "Build 244" CDs in question would be enough to further that process.
5) Anything that could place "Build 244" to a time of creation.

It is Check Point NGX R60, Secure Platform Build 244 they are speaking of. Secure Platform is their hardened Linux based ISO install of Check Point. I have original media for the major rev, I'm not sure if I have build 244 exactly. I'll install later and check.

Update: Keep in mind that the destination IPs of the packets are not of (paramount) importance. Any network that either holds in common in its routing over the Internet would be the most interesting point of attention. If a packet traverses over a network, or hits the border of a network, it is visible, and hence identifiable based upon its destination address. Take a look and see the results in this situation...

The 48. address isn't in BGP, but the 152.96.109.99 is, so it could potentially phone home today.

Either way, this is weird shit if it's verifiable. I didn't particularly like the fact that the Provider-1 GUI splash page has three IP addresses used as a graphic (and they weren't RFC 1918 either). The IP addresses weren't in ARIN or BGP, but it's still like, ok, what kind of message are you trying to send here, Check Point?
