Check Point Outbound Traffic Mystery

Published: 2006-02-10
Last Updated: 2006-02-10 22:24:05 UTC
by Lorna Hutcheson (Version: 1)
One of our readers, Jeff Peterson, submitted a packet capture taken from a newly built Checkpoint firewall, Build 244. Here is what he observed, in his own words:

"This file is from a freshly installed Checkpoint Firewall 1 VPN gateway.  This machine was off-line until installation was completed and policy pushed.

Once the service starts and the first login attempt is completed, the interface of the machine starts blasting the captured information to two targeted destination IPs... Installation is from a Checkpoint-supplied CD."

I also asked whether the base OS was a fresh install; here are his comments on that as well:

"Yes. In fact, I've built the server twice from scratch using only the Checkpoint-supplied CD, which includes the OS and firewall, i.e. SecurePlatform. The outcome was the same both times."

Here is a short synopsis of the traffic observed:

Four UDP packets are sent to one IP address, then the firewall switches to the other address and sends four more; this repeats over and over. The first IP, 48.28.223.239, does not appear to have anything assigned to it but belongs to Prudential Securities Inc. The other IP, 152.96.109.99, belongs to:

descr: HSR Hochschule fuer Technik Rapperswil
descr: Rapperswil, Switzerland

Destination port: 57327/UDP
Source port: 32768/UDP
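As an added example, not code from the diary or from the reader's capture, here is a small Python detector for the pattern just described: it parses constructed per-packet log lines in an assumed "time src:port -> dst:port proto" format and reports any source that sends fixed-size UDP bursts on one destination port while alternating between exactly two destinations, which is the signature a defender would want to alert on rather than the two specific addresses.

```python
"""Flag the alternating UDP burst pattern from the diary in per-packet log lines.
Line format assumed (constructed, not the reader's capture):
"<time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
"""
import re
from itertools import groupby

LINE = re.compile(r"^(\S+) ([\d.]+):(\d+) -> ([\d.]+):(\d+) (\w+)$")

def parse_packets(log):
    """Yield (src, dst, dport, proto) for every line matching LINE."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield m[2], m[4], int(m[5]), m[6]

def find_alternating_bursts(pkts, burst=4, min_cycles=2):
    """Return {(src, dport): [dst_a, dst_b]} for each source that sends UDP on
    one destination port in runs of `burst` packets, switching between exactly
    two destinations for at least `min_cycles` full cycles. A final run shorter
    than `burst` is tolerated (truncated capture)."""
    streams = {}
    for src, dst, dport, proto in pkts:
        if proto == "UDP":
            streams.setdefault((src, dport), []).append(dst)
    findings = {}
    for key, dsts in streams.items():
        # groupby collapses consecutive packets to the same dst into one run
        runs = [(d, sum(1 for _ in g)) for d, g in groupby(dsts)]
        targets = sorted({d for d, _ in runs})
        if len(targets) != 2 or len(runs) < 2 * min_cycles:
            continue
        if any(n != burst for _, n in runs[:-1]) or runs[-1][1] > burst:
            continue
        findings[key] = targets  # consecutive runs differ, so they alternate
    return findings

# Constructed sample: the diary's two destinations and port, plus a DNS query
# and a TCP connection that must not be reported.
SAMPLE_BURSTS = [f"12:00:{s:02d} 10.0.0.5:32768 -> {dst}:57327 UDP"
                 for s, dst in enumerate(["48.28.223.239", "152.96.109.99"] * 2)
                 for _ in range(4)]
SAMPLE_LOG = "\n".join(SAMPLE_BURSTS + [
    "12:00:05 10.0.0.5:1025 -> 10.0.0.1:53 UDP",
    "12:00:05 10.0.0.5:1026 -> 10.0.0.1:443 TCP",
])

if __name__ == "__main__":
    for (src, dport), dsts in find_alternating_bursts(parse_packets(SAMPLE_LOG)).items():
        print(f"{src} sends UDP/{dport} bursts alternating between {dsts}")
```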

If you would like to see two example packets, you can view them here:
http://isc.sans.org/diaryimages/packets for checkpoint.txt

The issue went away once new CDs were obtained from the vendor.

This is the only report we have received about this so far. If you have observed similar traffic or have any ideas about its cause, please let us know.
