ISA 2006 HTTPS publishing reveals PRIVATE IP assigned to the NIC

Posted on 2008-06-16
Last Modified: 2012-06-22
I have an ISA 2006 server in a DMZ behind a PIX firewall.
The ISA server has a private IP assigned to its NIC.
The PIX is NATing the private IP behind a public IP.
Everything works perfectly, as it should.

The ISA server is HTTPS publishing a LINUX APACHE server.
When scanning the PUBLIC IP from the OUTSIDE of the network (via Internet) with Nessus, the scanner is able to determine the PRIVATE IP address of the ISA SERVER (not the published web server).

I've tested adjusting the firewall to NAT directly to the Apache Web server.  The same scan does NOT reveal the IP address.  This is definitely something that the ISA 2006 server is leaking.

I have been unable to find any security procedures/fixes to stop this problem.
Ideas?

The fixes I've found for this type of problem are related to IIS, but NOT ISA.

thanks.
Question by:mike_virgilio
LVL 57

Expert Comment

by:giltjr
ID: 21841915
What type of scan is being done that shows the private IP address of the ISA box?
0
 

Author Comment

by:mike_virgilio
ID: 21847030
When I scan the PUBLIC IP with Nessus (http://www.nessus.org/nessus/), it is able to get the PRIVATE IP address from the HTTPS port.    If I setup the webserver to be directly connected with a NAT and scan the published web server directly, it does NOT reveal the private IP.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 21847253
What happens if you run the same scan as just plain HTTP?

My thought is that ISA is putting a "via" type header in the HTTP stream and putting its IP address.  Some proxy servers do this and in this case ISA is acting like a proxy server.

If you see the "leak" in plain HTTP, then you can look at the actual data stream with a packet sniffer and see what the ISA box is doing.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 21847298
0
 

Author Comment

by:mike_virgilio
ID: 21863011
After trying to adjust headers via ISA server, I was unable to fix the problem.  I DID come up with a solution by adjusting the service policies on the PIX to SPOOF the HTTP/HTTPS Server headers for inbound connections to the ISA public address (I'm using 8.0 software on Pix 515)
0
 
LVL 57

Expert Comment

by:giltjr
ID: 21864155
I would like a bit more on the solution, as I am confused.  I can see how the PIX can spoof the HTTP headers, but the headers for a https stream should be encrypted and the PIX would never be able to see them.  Can you provide more information on how you got the pix to change encrypted data?
0
 

Accepted Solution

by:
mike_virgilio earned 0 total points
ID: 21866188
The headers must be transmitted BEFORE the certificate exchange occurs

From PIX Configuration:
object-group service DM_INLINE_TCP_5 tcp
 port-object eq www
 port-object eq https

access-list outside_mpc extended permit tcp any host 57.14.22.434 object-group DM_INLINE_TCP_5

class-map outside-class1
 match access-list outside_mpc

policy-map type inspect http HTTP_Server-Spoof
 parameters
  spoof-server "www.mydomain.com"

policy-map outside-policy
 description chi-pubisa
 class outside-class1
  inspect http HTTP_Server-Spoof
=================
I did an additional test to make sure it was the HTTPS protocol leaking the IP.  I adjusted the PIX to ONLY spoof on HTTP. (NOT HTTPS)
After scanning, I WAS able to get the private IP again.
It SAYS HTTP in the description, but is detected on the HTTPS port.
---------------
Private IP address leaked in HTTP headers

Synopsis :

This web server leaks a private IP address through its HTTP headers.

Description :

This may expose internal IP addresses that are usually hidden or masked
behind a Network Address Translation (NAT) Firewall or proxy server.

There is a known issue with IIS 4.0 doing this in its default configuration.

See also :

http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP
See the Bugtraq reference for a full discussion.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Plugin output :

This web server leaks the following private IP address : 192.168.110.14
CVE : CVE-2000-0649
BID : 1499

Nessus ID : 10759
0
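
An added example, not part of the original thread: a small Python check for re-testing a published site after a change like the one above. It scans a captured HTTP response header block for RFC 1918 addresses, the condition the Nessus finding quoted above reports. The function name and both sample responses are constructed for illustration; the thread does not say which header carried the address, so the Location header used here is an assumption.

```python
import ipaddress
import re

# RFC 1918 ranges: the address space a NAT device is meant to hide.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Dotted-quad candidates; validity is checked by ipaddress afterwards.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample: a redirect that exposes the proxy's internal address.
LEAKY_SAMPLE = ("HTTP/1.1 302 Found\r\n"
                "Location: https://192.168.110.14/index.html\r\n"
                "Via: 1.1 ISA01\r\n"
                "Content-Length: 0\r\n"
                "\r\n")

# Constructed sample: the same redirect with only public names and addresses.
CLEAN_SAMPLE = ("HTTP/1.1 302 Found\r\n"
                "Location: https://www.mydomain.com/index.html\r\n"
                "X-Forwarded-For: 203.0.113.10\r\n"
                "Server: www.mydomain.com\r\n"
                "\r\n")


def find_private_ips(raw_headers):
    """Return [(header_name, ip), ...] for RFC 1918 addresses in header values."""
    findings = []
    lines = raw_headers.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:              # skip the status line
        if not line.strip():
            break                       # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue                    # not a "Name: value" line
        for candidate in IPV4_RE.findall(value):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue                # e.g. an octet above 255
            if any(addr in net for net in RFC1918):
                findings.append((name.strip(), str(addr)))
    return findings


if __name__ == "__main__":
    for label, sample in (("leaky", LEAKY_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, find_private_ips(sample))
```

Run it against the headers captured on both the HTTP and the HTTPS listener, since the thread's own test found the address on the HTTPS port only.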
