Check Point Outbound Traffic Mystery

Topic: Computer Security 1:25 am EST, Feb 11, 2006

There's a blurb on the SANS Handler's Diary about a report of packets leaving a freshly built Check Point firewall. I wonder if this will turn out to be a hoax.

There were rumors long ago that the NSA found an IP address in Check Point code, presumably an artifact of unremoved debug code. If this new report turns out verifiable, I wonder how much truth those past rumors may have had after all.

Surreptitious phone home, faulty debugging, or hoax?

...

Published: 2006-02-10,
Last Updated: 2006-02-10 22:24:05 UTC by Lorna Hutcheson (Version: 1)

One of our readers, Jeff Peterson, submitted to us a packet capture that was coming from a newly built Checkpoint Firewall, Build 244. Here is what he observed in his own words:

"This file is from a freshly installed Checkpoint Firewall 1 VPN gateway. This machine was off-line until installation was completed and policy pushed.

Once the service starts and the first login attempt is completed, the interface of the machine starts blasting the captured information to two targeted destination IPs... Installation is from a Checkpoint supplied CD."

I did ask about the base OS being a fresh install and here are his comments as well:

"Yes. In fact I've built the server twice from scratch using only the Checkpoint supplied CD which includes the OS and Firewall, i.e., SecurePlatform. The outcome was the same both times."

Here is a short synopsis of the traffic being observed:

There are 4 UDP packets being sent to one IP address then switching to the other and sending 4 more. This repeats itself over and over. The one IP 48.28.223.239 doesn't appear to have anything assigned to it but belongs to Prudential Securities Inc. The other IP 152.96.109.99 belongs to:

descr: HSR Hochschule fuer Technik Rapperswil
descr: Rapperswil, Switzerland

Dst port is 57327/UDP
Src port is 32768/UDP

If you would like to see two example packets, you can view them here:
http://isc.sans.org/diaryimages/packets for checkpoint.txt

The issue went away with new CDs being obtained from the vendor.

This is the only report we received about this so far. If you have observed similar traffic or have any ideas, please let us know.
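The traffic synopsis above (bursts of 4 UDP packets to 48.28.223.239, then 4 to 152.96.109.99, repeating, destination port 57327, source port 32768) is a pattern a defender can check for on any newly built gateway before it goes into service: a fresh firewall should originate traffic only to the peers it was configured with, so anything else, and especially fixed-size bursts that alternate between two outside addresses, deserves a ticket. The script below is an added example written for this post; it is not code from the SANS diary, from Jeff Peterson, or from Check Point. It builds a constructed capture in tcpdump one-line format (the firewall address 10.0.0.1 and the allow-listed VPN peer 203.0.113.7 are hypothetical; the two destination IPs and the ports are the ones quoted in the diary), drops destinations on an allow-list of expected peers, collapses consecutive packets to the same destination into runs, and flags any (source, destination port) pair whose runs are fixed-size bursts alternating between two addresses.

```python
import re
from collections import defaultdict
from itertools import groupby

# tcpdump one-line format for UDP, e.g.
# "12:00:00.000001 IP 10.0.0.1.32768 > 48.28.223.239.57327: UDP, length 64"
TCPDUMP_UDP = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<length>\d+)"
)


def build_sample_log():
    """Constructed capture (not the diary's real pcap): the firewall at 10.0.0.1
    (hypothetical) sends two full beacon cycles of 4 packets to each of the two
    destinations quoted in the diary, with one IKE packet to a hypothetical
    VPN peer 203.0.113.7 after each cycle as legitimate background traffic."""
    lines, t = [], 0
    for _cycle in range(2):
        for dst in ("48.28.223.239", "152.96.109.99"):
            for _ in range(4):
                t += 1
                lines.append(f"12:00:00.{t:06d} IP 10.0.0.1.32768 > {dst}.57327: UDP, length 64")
        t += 1
        lines.append(f"12:00:00.{t:06d} IP 10.0.0.1.500 > 203.0.113.7.500: UDP, length 120")
    return "\n".join(lines)


def parse_udp_lines(text):
    """Parse tcpdump-style UDP lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = TCPDUMP_UDP.match(line.strip())
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "length"):
                rec[key] = int(rec[key])
            records.append(rec)
    return records


def find_burst_beacons(records, allowed_dsts=frozenset(), burst_len=4, min_cycles=2):
    """Flag (src, dport) pairs whose packets, after dropping allow-listed
    destinations, form fixed-size bursts alternating between two addresses.
    Records are assumed to be in capture order."""
    by_flow = defaultdict(list)
    for rec in records:
        if rec["dst"] not in allowed_dsts:
            by_flow[(rec["src"], rec["dport"])].append(rec["dst"])

    findings = []
    for (src, dport), dsts in by_flow.items():
        # Collapse consecutive packets to the same destination into runs.
        runs = [(dst, sum(1 for _ in grp)) for dst, grp in groupby(dsts)]
        targets = {dst for dst, _ in runs}
        complete, last = runs[:-1], runs[-1][1]
        # The final run may be cut short by the end of the capture.
        if (len(targets) == 2
                and len(runs) >= 2 * min_cycles
                and all(n == burst_len for _, n in complete)
                and last <= burst_len):
            findings.append({"src": src, "dport": dport,
                             "dsts": sorted(targets), "bursts": len(runs)})
    return findings


if __name__ == "__main__":
    recs = parse_udp_lines(build_sample_log())
    for f in find_burst_beacons(recs, allowed_dsts=frozenset({"203.0.113.7"})):
        print(f"{f['src']} -> {f['dsts']} udp/{f['dport']}: "
              f"{f['bursts']} bursts of 4, not in allow-list")
```

On a real capture you would feed `tcpdump -n udp` output into `parse_udp_lines` and populate `allowed_dsts` from the gateway's configured VPN peers, DNS servers and management hosts; the point of the allow-list is that the check is about unexpected destinations, so a legitimate peer that happens to receive bursty traffic (IKE retransmits, for instance) is not reported. The two-destination alternation test is deliberately narrow to match the diary's description; loosening `burst_len` or dropping the `len(targets) == 2` condition turns it into a more general "fixed-size bursts to unknown hosts" detector.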
