Please, if this is not the right place, tell me where I should send this question.
A TWAIN driver installed in a workstation uses remote shell (RSH) to connect to a multifunction printer in another subnet in order to scan through the network. A Checkpoint firewall routes packets between both networks and the right ACLs have been configured.
The first command sent by the workstation instructs the MFP to redirect the standard error (stderr) console to port 1022. After exchanging usernames, the next TCP stream appears:
As you can see, TCP connection is created by MFP_Printer. After syncing, I would expect that frame 13 should be MFP_Printer transmitting data to Scanning_WS, but it is not, it’s just the opposite.
The firewall (the IPS, I guess) is dropping this packet, reporting “Violated unidirectional connection”. TCP Retransmissions work as expected until the connection is eventually reset.
So the questions are:
After a correct TCP three-way handshake, the peer which sent the TCP SYN should be the peer transmitting data. Is it right?
Is this remote shell behaviour non-standard?
Is it a wrong design related to the driver or to the Linux running in the MFP?
I need to understand what’s happening in order to provide some solution, so any information will be greatly appreciated.
asked 27 Sep ‘13, 02:53
edited 30 Sep ‘13, 14:41
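The rsh (rcmd) exchange the driver relies on, as an added example that is not part of the original post: it models the control connection to the shell port and the stderr back-connection, and records which side opens and which side first sends on each socket. All ports, user names and the command are constructed for a localhost run and are not the printer's real values.

```python
import socket
import threading

# Added demo of the BSD rsh/rcmd exchange (not code from the original post). Ports,
# user names and the command are constructed for a localhost run.
#
#  1. client opens the control connection and sends "<stderr port>\0<locuser>\0<remuser>\0<cmd>\0"
#  2. the SERVER opens the secondary (stderr) connection back to the client's port
#  3. server answers a single NUL byte on the control connection = command accepted
# Both sockets are ordinary full-duplex TCP: the side that accepted a connection may send first.

def rsh_server(listener, transcript):
    ctl, _ = listener.accept()
    hdr = b""
    while hdr.count(b"\0") < 4:          # read the four NUL-terminated fields
        hdr += ctl.recv(1)
    stderr_port, locuser, remuser, cmd = hdr.split(b"\0")[:4]
    transcript.append(("ctl", "client->server", hdr))
    err = socket.create_connection(("127.0.0.1", int(stderr_port)))  # server dials back
    transcript.append(("err", "SYN server->client", b""))
    ctl.sendall(b"\0")
    transcript.append(("ctl", "server->client", b"\0"))
    first = err.recv(64)                 # the accepting side speaks first on this channel
    transcript.append(("err", "client->server", first))
    err.sendall(b"stderr: running " + cmd)
    ctl.close(); err.close()

def rsh_client(shell_port, transcript):
    err_listener = socket.socket()
    err_listener.bind(("127.0.0.1", 0)); err_listener.listen(1)
    err_port = err_listener.getsockname()[1]   # a real rsh client would pick a port such as 1022
    ctl = socket.create_connection(("127.0.0.1", shell_port))
    ctl.sendall(f"{err_port}\0scanner\0scanner\0scan\0".encode())
    err, _ = err_listener.accept()           # the server's back-connection arrives here
    ok = ctl.recv(1)
    err.sendall(b"driver data from the accepting side")
    reply = err.recv(64)
    transcript.append(("err", "server->client", reply))
    ctl.close(); err.close(); err_listener.close()
    return ok, reply

def run_demo():
    """Run server and client on localhost; return (ack byte, stderr reply, ordered transcript)."""
    transcript = []
    listener = socket.socket(); listener.bind(("127.0.0.1", 0)); listener.listen(1)
    t = threading.Thread(target=rsh_server, args=(listener, transcript))
    t.start()
    ok, reply = rsh_client(listener.getsockname()[1], transcript)
    t.join(); listener.close()
    return ok, reply, transcript
```

The transcript returned by `run_demo()` shows the stderr socket being opened by the server and the first payload on it coming from the client, the same direction pattern the capture in the question describes.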
I'm not sure how the RSH protocol should look, but I suspect that the TWAIN driver is not using the remote shell protocol, or at least not a compliant version of it. So if you instruct your Checkpoint firewall (or the IDS) to interpret the data as RSH, then you might run into a violation.
Can you disable the protocol inspection and just let the traffic through based on the TCP ports?
answered 30 Sep '13, 15:02