Sometimes within the IT/desktop support teams, they need assistance with tracking these older, & non-compliant hosts. A NAC profiler or IPS can assist with this operations. In this post we will use the IPS feature on a fortigate appliance in order to find the older suspected hosts.
1st how do we find older machines?
You can use the User-Agent found in the client browser or by TCP fingerprinting
NOTE: we will use the User-Agent in this blog
1st, how can we see our user-agent?
A few sites exist to help you to immediately. Follow this link;
( here's my mac-computer user agent )
( here's a Windows8 client )
A proper formated User-Agent string typically has the following fields;
The Mozilla Version type
So if a web client makes an connection to a webserver, it's user-agent string should be in the http-header.
( using curl on a unix host & with the -v option will show you a typical http header )
The above is a simple HTTP-get against worldwide technology webserver ( http://www.wwt.com). Information in this header for both server and client, provides the based on how HTTP works.
Okay, so now we know a client has a user-agent, but is it required?
Will the simple answer is both a yes and no. No where in HTTP RFCs , does it states you have to have a User-Agent or a proper formatted User-Agent for HTTP to work. But some sites will not work or behave improperly & if you have a wrong or improper User-Agent.
Here's a few good example;
A DDoS provider like Prolexic Technologies that I used to work for , has their DDoS protection gear set to drop client_side http_request if they have no User-Agent presented in the HTTP-Header.
The google mail system uses the User-Agent to properly format the http data-presentation for a desktop vrs mobile device web-browser such as iphone/table/etc.... ( you can use the http user-agent switcher dd-on that's available in Firefox to demo straight this behavior )
Some webserver behavior could be different based on the platform type ( in the User-Agent ) and might fail to serve you active pages if you are using the wrong browser.
note: When I worked in the financial sector, we would inspect the User-Agent in the client browser and the ServerLoadBalancer (SLB ) would redirect you to a page that basically said your browser was unsupported and provide the link to the IE browser download.
Some SLB will filter and drop known good or bad webcrawler
Some SLB, WebSecurityAppliances or Proxies, will drop unrecognized User-Agent
NOTE: un recognized User-Agent is sometime a sign of bad activities about to happen or is happening against your webserver
So how can we track and monitor for older machine types?
Easy, we build a few IPS custom signatures and monitor our client outbound traffic to HTTP webservers ( tcp/80 ). You could also filter these clients if you had a proxy device or a webfiltering firewall. ( very easy to do in Squid btw )
Here's a snapshot of just a few older windows clients custom IPS rules that was done on a fortigate 100A
And we apply these into our IPS UTM policy
And we build a new protection profile that reference the name IPS UTM policy & just this single UTM feature of IPS.
And finally you apply a new firewall policy rule, make it the 1st in the picking order and apply that protection profile to the rule(s) that you want inspection for.
The cool thing about this method, you can be specific on the client SRC networks. Maybe you suspect one dept or subnet has older hosts. So you apply the rule matching that client's source subnet.
After you apply the rule and with the protection profile, you sit back and monitor any matches. The log Access > Attack logs, will show you just who matches the rules.
This method is not fool-proof due to the client could switch it's User-Agent or Use some type of Proxy or if the connection is HTTPs we will not see the http-header due to the encryption provided by SSL/TLS.
Keep this thoughts in mind;
- you can either used the IPS pass+log and monitor for these clients
- or be aggressive and drop these clients ( this is good for forcing the older and outdated clients to contact the IT dept for help/assistance )
- The User-Agent can be forged
- You can do the same thing, but inbound to your Server or VIP to drop bad or unsupported clients attempting to access your website
- You an use the IPS log viewer if you enable packet capture to run analysis and fine tune the signatures
Freelance Network/Security Engineer
kfelix -----a----t---- Socpuppets ---dot---com
=( ~ ~ )=