Solved

ISA 2006 HTTPS publishing reveals PRIVATE IP assigned to the NIC

Posted on 2008-06-16
Last Modified: 2012-06-22
I have an ISA 2006 server in a DMZ behind a PIX firewall.
The ISA server has a private IP assigned to its NIC.
The PIX is NATing the private IP behind a public IP.
Everything works perfect how it should.

The ISA server is HTTPS publishing a LINUX APACHE server.
When scanning the PUBLIC IP from the OUTSIDE of the network (via Internet) with Nessus, the scanner is able to determine the PRIVATE IP address of the ISA SERVER (not the published web server).

I've tested adjusting the firewall to NAT directly to the Apache Web server.  The same scan does NOT reveal the IP address.  This is definitely something that the ISA 2006 server is leaking.

I have been unable to find any security procedures/fixes to stop this problem.
Ideas?

The fixes I've found for this type of problem are related to IIS, but NOT ISA.

thanks.
Question by:mike_virgilio
11 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 21841915
What type of scan is being done that shows the private IP address of the ISA box?
0
 

Author Comment

by:mike_virgilio
ID: 21847030
When I scan the PUBLIC IP with Nessus (http://www.nessus.org/nessus/), it is able to get the PRIVATE IP address from the HTTPS port.    If I set up the webserver to be directly connected with a NAT and scan the published web server directly, it does NOT reveal the private IP.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 21847253
What happens if you run the same scan as just plain HTTP?

My thought is that ISA is putting a "via" type header in the HTTP stream and putting its IP address in it.  Some proxy servers do this, and in this case ISA is acting like a proxy server.

If you see the "leak" in plain HTTP, then you can look at the actual data stream with a packet sniffer and see what the ISA box is doing.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 21847298
0
 

Author Comment

by:mike_virgilio
ID: 21863011
After trying to adjust headers via ISA server, I was unable to fix the problem.  I DID come up with a solution by adjusting the service policies on the PIX to SPOOF the HTTP/HTTPS Server headers for inbound connections to the ISA public address (I'm using 8.0 software on a PIX 515).
0
 
LVL 57

Expert Comment

by:giltjr
ID: 21864155
I would like a bit more on the solution, as I am confused.  I can see how the PIX can spoof the HTTP headers, but the headers for a https stream should be encrypted and the PIX would never be able to see them.  Can you provide more information on how you got the pix to change encrypted data?
0
 

Accepted Solution

by:
mike_virgilio earned 0 total points
ID: 21866188
The headers must be transmitted BEFORE the certificate exchange occurs

From PIX Configuration:
object-group service DM_INLINE_TCP_5 tcp
 port-object eq www
 port-object eq https

access-list outside_mpc extended permit tcp any host 57.14.22.434 object-group DM_INLINE_TCP_5

class-map outside-class1
 match access-list outside_mpc

policy-map type inspect http HTTP_Server-Spoof
 parameters
  spoof-server "www.mydomain.com"

policy-map outside-policy
 description chi-pubisa
 class outside-class1
  inspect http HTTP_Server-Spoof
=================
I did an additional test to make sure it was the HTTPS protocol leaking the IP.  I adjusted the PIX to ONLY spoof on HTTP. (NOT HTTPS)
After scanning, I WAS able to get the private IP again.
It SAYS HTTP in the description, but is detected on the HTTPS port.
---------------
Private IP address leaked in HTTP headers

Synopsis :

This web server leaks a private IP address through its HTTP headers.

Description :

This may expose internal IP addresses that are usually hidden or masked
behind a Network Address Translation (NAT) Firewall or proxy server.

There is a known issue with IIS 4.0 doing this in its default configuration.

See also :

http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP
See the Bugtraq reference for a full discussion.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Plugin output :

This web server leaks the following private IP address : 192.168.110.14
CVE : CVE-2000-0649
BID : 1499

Nessus ID : 10759
0
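A defender-side check for the condition the Nessus plugin above reports, added here as an example and not taken from the thread, from ISA, or from Nessus: it parses a raw HTTP response (plain HTTP, or HTTPS after the scanner has decrypted it) and flags any header value that carries an RFC 1918 address. The two sample responses are constructed; the leaking one reuses the 192.168.110.14 address from the plugin output.

```python
import ipaddress
import re
from typing import List, Tuple

# RFC 1918 ranges only, so documentation and test ranges are not flagged.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_headers(raw_response: bytes) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from the header block of a raw HTTP response."""
    head, _, _body = raw_response.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def leaked_private_ips(raw_response: bytes) -> List[Tuple[str, str]]:
    """Return (header, ip) pairs for every RFC 1918 address found in a header value."""
    found = []
    for name, value in parse_headers(raw_response):
        for candidate in IPV4_RE.findall(value):
            try:
                ip = ipaddress.IPv4Address(candidate)
            except ValueError:
                continue  # matched the regex but is not a valid address (e.g. 300.1.1.1)
            if any(ip in net for net in RFC1918):
                found.append((name, str(ip)))
    return found


# Constructed sample: a redirect and a Via header naming the publishing server's NIC address.
SAMPLE_LEAK = (b"HTTP/1.1 302 Found\r\nServer: Apache\r\n"
               b"Location: https://192.168.110.14/owa/\r\n"
               b"Via: 1.1 192.168.110.14\r\nContent-Length: 0\r\n\r\n")

# Constructed sample: the same redirect issued with the public host name only.
SAMPLE_CLEAN = (b"HTTP/1.1 302 Found\r\nServer: Apache\r\n"
                b"Location: https://www.mydomain.com/owa/\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(leaked_private_ips(SAMPLE_LEAK))   # two findings
    print(leaked_private_ips(SAMPLE_CLEAN))  # nothing
```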
