During the past year, the Passive Vulnerability Scanner's rules were modified to detect network proxies and firewalls. This process also involved the reduction of reporting multiple browser types for different hosts running behind a NAT device or proxy.

As an example, what happens if PVS (or any sniffer, IDS, etc.) see's the following string in a packet leaving the network?


GET/StageOne/msnmsgr_exe/6_2_0_137/hungapp/0_0_0_0/00000000.htm?OS=5.1.2600.2.00010300.1.0&...
User-Agent: MSDW
Host: watson.microsoft.com

Well, most folks would think that:

1. The source IP is running MS Windows version 5.1.2600.2.etc and,
2. An error just occurred in MSN Messenger version 6.20.0.137 and,
3. The client is now sending an error message to Microsoft

nd, a year ago, the PVS would have flagged the machine for the items denoted above. However, within the last six months, Tenable has been undergoing a process of detecting where and why false positives are occurring within PVS. One of the problem areas was that PVS was flagging firewalls and proxies as the actual client. Mind you, I'm not talking about known NAT devices, as you can always turn off alerts going to/from those devices via the configuration file.

We decided to find a generic way of detecting proxies and firewalls on the network. The primary goal of this was to weed out false positives. A tangential benefit has been that companies can now detect firewalls and proxies that are deep within their corporate network.

more on http://blog.tenablesecurity.com/2006/10/proxyfirewall_d.html