Security Basics mailing list archives
Out of my league...
From: Harlan Carvey <keydet89 () yahoo com>
Date: Fri, 9 Jan 2004 05:51:41 -0800 (PST)
Jeff,
> He'd set up the network with a Symantec VPN/Firewall appliance as the external gateway, but had opened up ports to a server inside the network which is currently hosting the email server (Xmail), DNS, as well as a simple web app to do web-mail checking for employees from the outside. Also opened ports for ssl, termserver, ftp, smtp, and pop3, and another port for remote admin.
First piece of advice...disable the ports that are open on the firewall that aren't necessary. Are you running FTP on any systems inside the firewall that need to be accessed from the outside? If so, move them to a DMZ and restrict FTP access to that/those system(s). Same with the other ports, ESPECIALLY remote admin. If the admin is no longer available, who's doing the remote admin?
> and noticed not just the normal external port scan attack blocks, but also that a couple of computers, including the company server, are attempting to access outside IPs using closed port calls (therefore, the firewall catches and logs them).
What does "closed port calls" mean? Are you saying that some systems are trying to access outside systems using ports that are blocked *outbound* by the firewall, or by the ZA stuff you've installed?
> Also did some Ethereal scan of the network, and it does show that the server is trying to access this specific external IP address.
Not to pick nits, but Ethereal is not a scanner, it's a sniffer. Second, what is the external address that these systems are trying to access?

My recommendation with regards to this situation is as follows:

1. Use openports.exe from DiamondCS instead of fport.exe. Make sure you read the licensing information.
2. What OS are the systems in question running?
3. What is this external address that they are trying to access?
4. Do the systems in question have any mapped drives to resources outside of the infrastructure? Your previous admin *may* have done this, perhaps to ease software downloads and administration.
5. Do the systems in question need to have NetBIOS/file sharing services available?
6. To assist you in determining what's going on w/ this outbound traffic, use tools such as tlist.exe (from the Microsoft Debugging Tools, NOT the RK) to gather process information.
7. If you're going to capture network traffic with Ethereal, and you want someone to comment on it, it might be a good idea to make that capture available for folks to view.

HTH,
Harlan
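One way to triage the firewall drops described in this thread (internal hosts repeatedly "calling out" to one external address on ports the firewall blocks outbound), as an added example that is not part of the original posts. The log line format, hostnames and addresses are constructed for illustration; a real Symantec appliance log would need its own parser.

```python
# Added example: summarise outbound connection attempts a perimeter firewall
# dropped, grouped by internal source and external destination, so that hosts
# repeatedly contacting one external ip:port stand out for process-level
# follow-up (openports/tlist on the host). Log format is constructed.
from collections import defaultdict
import re

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2004-01-08 22:14:01 DROP OUT src=192.168.1.10:1037 dst=203.0.113.45:6667 proto=TCP
2004-01-08 22:14:07 DROP OUT src=192.168.1.10:1038 dst=203.0.113.45:6667 proto=TCP
2004-01-08 22:14:30 ALLOW OUT src=192.168.1.22:1045 dst=198.51.100.5:80 proto=TCP
2004-01-08 22:15:02 DROP OUT src=192.168.1.10:1039 dst=203.0.113.45:6667 proto=TCP
2004-01-08 22:15:10 DROP IN src=192.0.2.77:4444 dst=192.168.1.5:135 proto=TCP
2004-01-08 22:16:44 DROP OUT src=192.168.1.31:1201 dst=203.0.113.45:6667 proto=TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DROP) (?P<dir>IN|OUT) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def blocked_outbound(log_text):
    """Return {(src_host, dst_ip, dst_port): count} for dropped outbound flows only."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "DROP" and rec["dir"] == "OUT":
            counts[(rec["src"], rec["dst"], int(rec["dport"]))] += 1
    return dict(counts)

def repeat_callers(counts, threshold=2):
    """Internal hosts that hit the same external ip:port at least `threshold` times."""
    return sorted(k for k, n in counts.items() if n >= threshold)

def shared_destinations(counts):
    """Map each external ip to the set of internal hosts that tried to reach it."""
    dests = defaultdict(set)
    for src, dst, _port in counts:
        dests[dst].add(src)
    return dict(dests)

if __name__ == "__main__":
    counts = blocked_outbound(SAMPLE_LOG)
    for (src, dst, port), n in sorted(counts.items()):
        print(f"{src} -> {dst}:{port}  dropped {n}x")
    print("repeat callers:", repeat_callers(counts))
    print("shared destinations:", shared_destinations(counts))
```

Once a source host and external ip:port pair is identified this way, the process owning that socket on the host is the next thing to look at, which is what the openports/tlist suggestions above are for.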