From: Demetrio Carrión (demetrio.carrion@gmail.com)
Date: Fri May 06 2005 - 15:19:38 EDT
Hi,
I think of a particular case where you are able to sniff layer two
traffic in the firewall segment and this firewall is an
appliance-based one.
Would it possible to discover the firewall vendor by correlating the
firewall MAC layer address and the OUI, then someone could narrow the
firewall to a specific vendor and possible versions?
Just guessing.
Cheers,
Demetrio Carrion
IT Security Consultant
On 4/8/05, Byron L. Sonne <blsonne@rogers.com> wrote:
>
> > We all know that, we can identify firewall using various methods and tools like "firewalk".
> > Is there any method or tool available which will remotely fingerprint and enumerate rule
> > base configured on the firewall?
>
> Well, more accurately put firewalk does not identify firewalls as much
> as it enumerates what kind of traffic will be passed as well as allowing
> you to figure out ACLs in use.
>
> Generally speaking I don't think you'll be able to come up with
> something along the lines of nmap that will allow you to determine what
> kind of firewall is in place. Certainly not reliably for all firewalls
> and in all situations; there's just to much variability in how rules can
> be configured or traffic scrubbed.
>
> What I do think is possible is the creation of a tool that will narrow
> the field down to a group of firewalls.
>
> However, I suppose that for peculiar situations, either from grievous
> design error or peculiar configurations, certain firewalls might stick
> out like a sore thumb. But my suspicions are that would be rare.
>
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:20 EDT