pitney bowes firewall communication issues.

asked 2021-06-27 13:37:12 +0000

dkordyban

I have a strange communication issue with a Pitney Bowes postage machine. It seems as though the PB machine (IP 192.168.125.51) cannot successfully establish TLS when connecting directly through our Palo Alto firewall. If I connect the PB machine to the LAN side of another Linksys NAT device (WAN IP 192.168.125.17) and then to the Palo Alto firewall, it seems to work fine. Any insight or advice would be much appreciated. Not sure how I get the ability to attach pcap files. Thank you.


Comments

Upload the capture files to a public share, e.g. Google Drive, DropBox etc, and post a link to them back here.

grahamb ( 2021-06-27 13:52:37 +0000 )

dkordyban ( 2021-06-27 14:41:32 +0000 )

Do you have access to the firewall logs to compare how the firewall handles the sessions?

Chuckc ( 2021-06-27 17:02:44 +0000 )

Yes. The firewall separates the pcaps into tx and rx; I have uploaded these to the same folder. Thank you.

dkordyban ( 2021-06-27 17:38:09 +0000 )

1 Answer


answered 2021-06-27 21:42:57 +0000

Jim Young

updated 2021-06-27 21:50:34 +0000

It appears that the Linksys device as a middle-ware NAT box is reframing the postage machine's traffic ultimately suppressing a superfluous trailing byte included at the end of the postage machine's "Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message" packets.

In the non-working capture, these particular packets will appear to have a "VSS Monitoring Ethernet trailer" (when using a Default Wireshark profile, these frames can be selected with the display filter vssmonitoring).

Note: It is very likely that these captures have no VSS trailer. The heuristic for the VSS trailer dissector is weak and false positives are common. But with the VSS trailer dissector enabled it is sometimes easier to find packets with extraneous trailing data.

In your original non-working capture the postage machine appears to be on the same LAN segment as the firewall. The firewall is likely dropping these particular packets because of the extraneous trailing byte. Extraneous trailing bytes could be perceived as a covert channel.

In the working capture the Linksys (Cisco) device, serving as a NAT middle-box between the postage-machine and the firewall, does not include the extraneous trailing bytes in the "Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message" packets.

The initial "Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message" packets can be isolated with the following display filter:

(tls.record.content_type == 22) && (tls.handshake.type == 16) && (ip.addr==199.231.0.0/16)

FWIW: In the past I've occasionally found the need to keep a middle-box in place to work around the shortcomings (i.e. bug) in the vendor's implementation of some protocol.

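As an added illustration (not code from this thread, Wireshark, or any vendor), the Python below walks a TCP segment's payload record by record, the way the answer describes, and tells a bogus trailing byte apart from a record that merely continues in the next segment. The sample flight and every byte value in it are constructed here, not taken from the captures.

```python
import struct

TLS_CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
CLIENT_KEY_EXCHANGE = 16  # TLS handshake message type (tls.handshake.type == 16)


def parse_tls_records(payload: bytes):
    """Walk a TCP segment payload as back-to-back TLS records.
    Returns (records, leftover): records holds (content_type, body) for every
    complete record, leftover is whatever follows the last complete one."""
    records, offset = [], 0
    while offset + 5 <= len(payload):
        ctype, version, length = struct.unpack("!BHH", payload[offset:offset + 5])
        if ctype not in TLS_CONTENT_TYPES or (version >> 8) != 3:
            break                                    # not a TLS record header
        if offset + 5 + length > len(payload):
            break                                    # record continues in the next segment
        records.append((ctype, payload[offset + 5:offset + 5 + length]))
        offset += 5 + length
    return records, payload[offset:]


def classify_leftover(leftover: bytes) -> str:
    """Distinguish a record that spans segments from junk trailing bytes."""
    if not leftover:
        return "clean"
    if len(leftover) >= 5:
        ctype, version, _ = struct.unpack("!BHH", leftover[:5])
        if ctype in TLS_CONTENT_TYPES and (version >> 8) == 3:
            return "partial-record"                  # needs TCP reassembly, not junk
    return "extraneous"                              # what the answer describes


def is_client_key_exchange_flight(records) -> bool:
    """True when the segment opens with a ClientKeyExchange handshake record."""
    return bool(records) and records[0][0] == 22 and records[0][1][:1] == bytes([CLIENT_KEY_EXCHANGE])


def tls_record(ctype: int, body: bytes) -> bytes:
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body  # TLS 1.2 record header


# Constructed sample: the three-record flight followed by one bogus trailing byte.
CKE_BODY = bytes([CLIENT_KEY_EXCHANGE]) + (6).to_bytes(3, "big") + b"\x00\x04" + b"\xaa" * 4
FLIGHT = tls_record(22, CKE_BODY) + tls_record(20, b"\x01") + tls_record(22, b"\x5a" * 16)
BAD_SEGMENT = FLIGHT + b"\x00"


def audit_segment(payload: bytes) -> dict:
    records, leftover = parse_tls_records(payload)
    return {"records": [TLS_CONTENT_TYPES[c] for c, _ in records],
            "client_key_exchange": is_client_key_exchange_flight(records),
            "leftover": classify_leftover(leftover), "trailing_bytes": len(leftover)}
```

Run it over the payload of each frame matched by the filter above (with TCP reassembly off) to confirm whether the extra byte is really junk or just a split record.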

Comments

Thank you Jim for your detailed explanation. I have begun talks with the vendor to see if they can disable the VSS Ethernet trailer from egressing their machine. Thanks again.

dkordyban ( 2021-06-28 11:55:54 +0000 )
