You knew it was bound to happen at some point. When Nokia announced that they were getting out of the security business a lot of people, myself included, figured that another vendor would be buying them. Nortel doesn’t have the money or financial stability to pick up a division of this size, Juniper is too focused on their switching business right now and is still trying to justify the money they dropped on the NetScreen acquisition, Enterasys wasn’t in the running, and Cisco didn’t care.

That leaves Nokia’s number one competitor for appliance based Check Point installations – Check Point. Check Point has the money, the support organization, and the know how to easily integrate the Nokia brand name of appliances into their current price list.

From the Check Point press release:

Check Point Software Technologies Ltd. (Nasdaq: CHKP), the worldwide leader in securing the Internet, today announced that it has signed an agreement to acquire Nokia’s security appliance business. The two businesses have collaborated over the past decade to deliver industry-leading enterprise security solutions. Building on this collaboration, Check Point will provide an extended security appliance portfolio developed, manufactured and supported by Check Point.

“As a pioneer in security appliances, the Nokia security appliance business has been an important strategic partner for Check Point and has helped us achieve early leadership in the security appliance market,” said Gil Shwed, Chairman and CEO at Check Point. “Adding Nokia’s security appliance portfolio into Check Point’s broad range of security solutions is the natural conclusion of our long collaboration, and will assure a smooth path forward for our mutual customers.”

I think this is a good move for Check Point. I hope, however, that they didn’t purchase the company just to bury it’s product line in favor of their own SecurePlatform appliance line. I’m also glad that my book will continue to be valid 🙂

Something strange happened the other day. While reviewing my enterprise logs in our evaluation QRadar SIEM solution (nice plug right?) I noticed that an internal IP address was scanning the internal IP address of our firewall cluster. The source port remained the same but the destination port incremented by one with each scan. After digging deeper, I was able to determine the MAC address of the offending device and, to my surprise, it was an HP Color LaserJet 2600n printer installed on the desk of one of our VPs. I immediately told him what was going on and he preceded to tell me that this particular printer had previously resided on the desk of our CEO and had been on the network for over a year.

This was about the time my thoughts went into “incident handling” mode…

Was there a rootkit on this printer?

What about a back door or trojan?

Did this printer obtain any sensitive information and send it out to a third party?

I’ve got to get this thing into the lab, pronto!

I confiscated the printer, set it up in the lab (which has it’s own external Internet link) attached to a hub, and plugged a laptop with a packet sniffer running on it. I figured that this would buy me some time to do some more research.

The printer model in question did not, after some research, have any servers running other than the default web interface. Some models did have a telnet server available but this model did not. That made me feel a tiny bit better but still not confident that things were OK.

I stumbled upon the following article which provided step-by-step disassembly of the HP Color LaserJet 2600n. This showed me that the printer did not have a hard drive and led me to believe that if this printer had been compromised it would have probably occurred either at the factory or by someone who was able to get into the guts of the printer. I decided to search for any other similarly reported issues using Google. No one had reported factory default installations of the printer doing anything out of the ordinary.

I then, somehow, stumbled upon an article entitled Using a JetDirect box as an Nmap Idlescan Zombie. From the article:

While I’m on the topic of Nmap and JetDirect boxes, they make great bouncers for stealth Idle scans (also know as Zombie scans) since their IPIDs are incremental. Basically what happen is the Nmap scan is bounced off of the JetDirect box and any logs on the target will show the IP of the JetDirect box as being the attacker.

The author, Adrian “Irongeek” Crenshaw, also provided an example of how to run the scan:

Here is an example of Nmap being run using a JetDirect box as a bouncer. I’ve used the -P0 option so that the host running Nmap does not ping the target first, lessening the stealth value by giving away the scanners true IP.
Irongeek:~# nmap -P0 -sI 192.168.1.93 Irongeek.irongeek.com

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-08 17:22 EDT
Idlescan using zombie 192.168.1.93 (192.168.1.93:80); Class: Incremental
Interesting ports on 192.168.1.5:
(The 1654 ports scanned but not shown below are in state: closed|filtered)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
587/tcp open submission

Nmap finished: 1 IP address (1 host up) scanned in 35.262 seconds
Irongeek:~#

Now this sounded like a more reasonable explanation of the anomaly. I informed the “powers-that-be” and let the printer run in the lab for several days with the sniffer connected to it. I did not see any anomalous behavior. I then tried to run the above scan, using the printer as the bouncer, and the results were exactly as expected.

The printer was placed back on the network but I continue to keep a close eye on the IP/MAC in our logs because…you never know.