Tuesday, June 24, 2014

Using a FortiGate firewall to find and monitor for older Windows OS by writing an IPS rule

In this blog we will look at one method for finding older Windows clients. Windows has evolved from the simple MS-DOS to what is now Windows 8. Older clients should be removed from a modern network due to the security risk and the lack of support by MS. The unsupported Windows hosts should also be tracked, monitored and remediated by upgrading to a modern OS.

Sometimes the IT/desktop support teams need assistance with tracking these older, non-compliant hosts. A NAC profiler or an IPS can assist with this operation. In this post we will use the IPS feature on a FortiGate appliance in order to find the suspected older hosts.

First, how do we find older machines?

You can use the User-Agent header sent by the client browser, or TCP fingerprinting.

NOTE: we will use the User-Agent in this blog.

First, how can we see our own user-agent?

A few sites exist to help you see it immediately. Follow this link;

( here's my Mac computer's user agent )

( here's an Android Google tablet )

( here's a Windows 8 client )

A properly formatted User-Agent string typically has the following fields;

The Mozilla Version  type
Product Type

So if a web client makes a connection to a web server, its User-Agent string should be in the HTTP header.

( using curl on a Unix host with the -v option will show you a typical HTTP header )

The above is a simple HTTP GET against the World Wide Technology web server ( http://www.wwt.com ). The headers exchanged by both server and client are the basis of how HTTP works.

Okay, so now we know a client has a user-agent, but is it required? 

Well, the simple answer is both yes and no. Nowhere in the HTTP RFCs does it state that you must have a User-Agent, or a properly formatted User-Agent, for HTTP to work. But some sites will not work, or will behave improperly, if you present a wrong or improper User-Agent.

Here are a few good examples;

A DDoS provider like Prolexic Technologies, that I used to work for, has their DDoS protection gear set to drop client-side HTTP requests if they have no User-Agent presented in the HTTP header.

The Google mail system uses the User-Agent to properly format the HTTP data presentation for a desktop versus a mobile device web browser such as an iPhone/tablet/etc. ( you can use the User-Agent Switcher add-on that's available for Firefox to demonstrate this behavior )

Some web server behavior could differ based on the platform type ( in the User-Agent ), and the server might fail to serve you active pages if you are using the wrong browser.

note: When I worked in the financial sector, we would inspect the User-Agent of the client browser, and the Server Load Balancer ( SLB ) would redirect you to a page that basically said your browser was unsupported and provided a link to the IE browser download.

Some SLBs will filter and drop known good or bad web crawlers.

Some SLBs, Web Security Appliances or Proxies will drop an unrecognized User-Agent.

NOTE: an unrecognized User-Agent is sometimes a sign of bad activity about to happen, or already happening, against your web server.

So how can we track and monitor for older machine types?

Easy: we build a few IPS custom signatures and monitor our clients' outbound traffic to HTTP web servers ( tcp/80 ). You could also filter these clients if you had a proxy device or a web-filtering firewall. ( very easy to do in Squid, btw )

Here's a snapshot of just a few custom IPS rules for older Windows clients that were built on a FortiGate 100A
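As an added example (not the post's own signatures or code), the Python script below pulls the User-Agent out of constructed sample HTTP requests, maps the Windows platform token to an OS name, flags the versions Microsoft no longer supported when this was written, and builds a FortiGate custom signature in F-SBID syntax for each of those tokens; the token table is abbreviated, and the signature naming scheme, keyword choices and sample requests are my assumptions.

```python
import re

# Platform tokens Windows browsers place in the User-Agent -> OS name (abbreviated table).
WINDOWS_TOKENS = {
    "Windows NT 5.0": "Windows 2000",
    "Windows NT 5.1": "Windows XP",
    "Windows NT 5.2": "Windows Server 2003",  # also Windows XP x64
    "Windows NT 6.1": "Windows 7",
    "Windows NT 6.2": "Windows 8",
}
# Out of Microsoft support when the post was written (June 2014); XP support ended April 2014.
UNSUPPORTED_2014 = {"Windows NT 5.0", "Windows NT 5.1"}

UA_RE = re.compile(r"^User-Agent:[ \t]*(.+?)[ \t]*\r?$", re.IGNORECASE | re.MULTILINE)

def user_agent(raw_request):
    """Return the User-Agent value of a raw HTTP request, or None when the header is absent."""
    match = UA_RE.search(raw_request)
    return match.group(1) if match else None

def classify(raw_request):
    """Return (token, os_name, unsupported) for a Windows client, else None."""
    ua = user_agent(raw_request)
    if ua is None:
        return None
    for token, os_name in WINDOWS_TOKENS.items():
        if token.lower() in ua.lower():  # same idea as the IPS --no_case option
            return token, os_name, token in UNSUPPORTED_2014
    return None

def fortigate_signature(token):
    """FortiGate custom signature (F-SBID syntax) matching the token in client-side HTTP
    headers. Naming scheme and keyword choices are my assumptions, not the post's rules."""
    name = "Legacy." + WINDOWS_TOKENS[token].replace(" ", ".")
    return ('F-SBID( --name "%s"; --protocol tcp; --service HTTP; --flow from_client; '
            '--pattern "%s"; --context header; --no_case; )' % (name, token))

# Constructed sample requests, not captured from a real network.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",  # no User-Agent header at all
]

if __name__ == "__main__":
    print([classify(r) for r in SAMPLE_REQUESTS])  # pass+log style: report, do not block
    print("\n".join(fortigate_signature(t) for t in sorted(UNSUPPORTED_2014)))
```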

And we apply these to our IPS UTM policy.

And we build a new protection profile that references the named IPS UTM policy and just this single UTM feature, IPS.

And finally you add a new firewall policy rule, make it the first in the matching order, and apply that protection profile to the rule(s) that you want inspection for.

The cool thing about this method is that you can be specific about the client SRC networks. Maybe you suspect one department or subnet has older hosts, so you apply the rule matching that client's source subnet.

After you apply the rule with the protection profile, you sit back and monitor for any matches. The Log Access > Attack logs will show you just who matches the rules.

This method is not fool-proof: the client could switch its User-Agent or use some type of proxy, and if the connection is HTTPS we will not see the HTTP header due to the encryption provided by SSL/TLS.


Keep these thoughts in mind;

  •    you can either use the IPS pass+log action and monitor for these clients
  •    or be aggressive and drop these clients ( this is good for forcing the older and outdated clients to contact the IT dept for help/assistance )
  •    the User-Agent can be forged
  •    you can do the same thing, but inbound to your server or VIP, to drop bad or unsupported clients attempting to access your website
  •    you can use the IPS log viewer, if you enable packet capture, to run analysis and fine-tune the signatures
( snippet of a packet capture in hex+ascii )

Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- Socpuppets ---dot---com

   ^    ^
=( ~ ~ )=
     /  \


  1. When will you be doing another article on this subject? 

    desktop support hertfordshire

  2. Not yet, but I was going to get a Windows 3.1 installation set up and add an IPS signature for that ancient OS.
