QID 34011 - How does QualysGuard detect Firewalls?
When there is no firewall between the scanner and the target host, all TCP packets sent by the scanner to the target host should trigger a reply packet from the target host. When there is a firewall, this is no longer true. There are two general firewall behaviors that we rely on for this detection:
- No reply (silently dropped)
- Connection reset (RST)
With regard to the first behavior, some firewalls will drop TCP SYN packets sent to certain ports. In this case, the TCP SYN packets sent by the scanner to these ports will not generate a reply. So when we send SYN packets to the target host and do not receive a reply, we know there is a firewall.
With regard to the second behavior, other firewalls will respond to TCP SYN packets sent to certain ports with RST packets on behalf of the target host. To detect this type of firewall, we analyze the TTL values of the RST reply packets (from the firewall) and the SYN-ACK packets (from the target host). This method requires that the firewall allows SYN packets to some ports to pass through and reach the target host while resetting SYN packets to other ports on behalf of the target host.
Our detection of the firewall should be quite reliable. However, false positives can occur when network conditions are bad, leading to packets being dropped.
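As an added illustration (not Qualys code), the two behaviors above can be applied to a batch of SYN probe results as follows. The probe record format, the sample TTL values and the rule that a port counts as dropped only after repeated silent probes (to limit the false positives from packet loss mentioned above) are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Probe:
    """One TCP SYN probe and what came back (None = silently dropped)."""
    port: int
    reply: Optional[str]   # "SYN-ACK", "RST" or None
    ttl: Optional[int]     # IP TTL seen on the reply, None when there was no reply

def detect_firewall(probes, min_attempts=2):
    """Apply the two firewall behaviors to a list of probe results.

    Returns the ports that looked silently dropped, the TTLs seen on SYN-ACK and
    RST replies, and the overall verdict. A port counts as dropped only if every
    one of at least `min_attempts` probes to it got no reply (assumed policy).
    """
    by_port = defaultdict(list)
    for p in probes:
        by_port[p.port].append(p)

    # Behavior 1: a port whose probes never get any reply at all.
    dropped = sorted(
        port for port, attempts in by_port.items()
        if len(attempts) >= min_attempts and all(a.reply is None for a in attempts)
    )
    synack_ttls = {p.ttl for p in probes if p.reply == "SYN-ACK"}
    rst_ttls = {p.ttl for p in probes if p.reply == "RST"}

    # Behavior 2: RSTs that arrive with a TTL the real host never shows on its
    # SYN-ACKs were generated by a different device on the path.
    ttl_mismatch = bool(synack_ttls and rst_ttls) and not rst_ttls <= synack_ttls

    return {
        "dropped_ports": dropped,
        "synack_ttls": synack_ttls,
        "rst_ttls": rst_ttls,
        "ttl_mismatch": ttl_mismatch,
        "firewall_detected": bool(dropped) or ttl_mismatch,
    }

# Constructed sample: port 22 answered by the host (SYN-ACK, TTL 55), port 23 reset
# by an in-path device (TTL 61, fewer hops away), port 445 silently dropped twice.
SAMPLE = [
    Probe(22, "SYN-ACK", 55), Probe(22, "SYN-ACK", 55),
    Probe(23, "RST", 61),     Probe(23, "RST", 61),
    Probe(445, None, None),   Probe(445, None, None),
]

if __name__ == "__main__":
    print(detect_firewall(SAMPLE))
```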