Solved

ISA 2006 HTTPS publishing reveals PRIVATE IP assigned to the NIC

Posted on 2008-06-16
Last Modified: 2012-06-22
I have an ISA 2006 server in a DMZ behind a PIX firewall.
The ISA server has a private IP assigned to its NIC.
The PIX is NATing the private IP behind a public IP.
Everything works perfectly, as it should.

The ISA server is HTTPS publishing a LINUX APACHE server.
When scanning the PUBLIC IP from the OUTSIDE of the network (via Internet) with Nessus, the scanner is able to determine the PRIVATE IP address of the ISA SERVER (not the published web server).

I've tested adjusting the firewall to NAT directly to the Apache Web server.  The same scan does NOT reveal the IP address.  This is definitely something that the ISA 2006 server is leaking.

I have been unable to find any security procedures/fixes to stop this problem.
Ideas?

The fixes I've found for this type problem are related to IIS, but NOT ISA.

thanks.
Question by:mike_virgilio
11 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 21841915
What type of scan is being done that shows the private IP address of the ISA box?
0
 

Author Comment

by:mike_virgilio
ID: 21847030
When I scan the PUBLIC IP with Nessus (http://www.nessus.org/nessus/), it is able to get the PRIVATE IP address from the HTTPS port.    If I set up the webserver to be directly connected with a NAT and scan the published web server directly, it does NOT reveal the private IP.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 21847253
What happens if you run the same scan as just plain HTTP?

My thought is that ISA is putting a "via" type header in the HTTP stream and putting its IP address.  Some proxy servers do this and in this case ISA is acting like a proxy server.

If you see the "leak" in plain HTTP, then you can look at the actual data stream with a packet sniffer and see what the ISA box is doing.
0

 
LVL 57

Expert Comment

by:giltjr
ID: 21847298
0
 

Author Comment

by:mike_virgilio
ID: 21863011
After trying to adjust headers via ISA server, I was unable to fix the problem.  I DID come up with a solution by adjusting the service policies on the PIX to SPOOF the HTTP/HTTPS Server headers for inbound connections to the ISA public address (I'm using 8.0 software on Pix 515)
0
 
LVL 57

Expert Comment

by:giltjr
ID: 21864155
I would like a bit more on the solution, as I am confused.  I can see how the PIX can spoof the HTTP headers, but the headers for a https stream should be encrypted and the PIX would never be able to see them.  Can you provide more information on how you got the pix to change encrypted data?
0
 

Accepted Solution

by:
mike_virgilio earned 0 total points
ID: 21866188
The headers must be transmitted BEFORE the certificate exchange occurs

From PIX Configuration:
object-group service DM_INLINE_TCP_5 tcp
 port-object eq www
 port-object eq https

access-list outside_mpc extended permit tcp any host 57.14.22.434 object-group DM_INLINE_TCP_5

class-map outside-class1
 match access-list outside_mpc

policy-map type inspect http HTTP_Server-Spoof
 parameters
  spoof-server "www.mydomain.com"

policy-map outside-policy
 description chi-pubisa
 class outside-class1
  inspect http HTTP_Server-Spoof
=================
I did an additional test to make sure it was the HTTPS protocol leaking the IP.  I adjusted the PIX to ONLY spoof on HTTP. (NOT HTTPS)
After scanning, I WAS able to get the private IP again.
It SAYS HTTP in the description, but is detected on the HTTPS port.
---------------
Private IP address leaked in HTTP headers

Synopsis :

This web server leaks a private IP address through its HTTP headers.

Description :

This may expose internal IP addresses that are usually hidden or masked
behind a Network Address Translation (NAT) Firewall or proxy server.

There is a known issue with IIS 4.0 doing this in its default configuration.

See also :

http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP
See the Bugtraq reference for a full discussion.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Plugin output :

This web server leaks the following private IP address : 192.168.110.14
CVE : CVE-2000-0649
BID : 1499

Nessus ID : 10759
0
