Security Basics mailing list archives

Out of my league...


From: Harlan Carvey <keydet89 () yahoo com>
Date: Fri, 9 Jan 2004 05:51:41 -0800 (PST)

Jeff,

He'd set up the network with a Symantec VPN/Firewall appliance as the external gateway, but had opened up ports to a server inside the network which is currently hosting the email server (Xmail), DNS, as well as a simple web app to do web-mail checking for employees from the outside. Also opened ports for ssl, termserver, ftp, smtp, and pop3, and another port for remote admin.

First piece of advice...disable the ports that are
open on the firewall that aren't necessary.  Are you
running FTP on any systems inside the firewall that
need to be accessed from the outside?  If so, move
them to a DMZ and restrict FTP access to that/those
system(s).  Same with the other ports, ESPECIALLY
remote admin.  If the admin is no longer available,
who's doing the remote admin?

and noticed not just the normal external port scan attack blocks, but also that a couple of computers, including the company server, are attempting to access outside IPs using closed port calls (therefore, the firewall catches and logs them).

What does "closed port calls" mean?  Are you saying
that some systems are trying to access outside systems
using ports that are blocked *outbound* by the
firewall, or by the ZA stuff you've installed?

Also did some ethereal scan of the network, and it does show that the server is trying to access this specific external ip address.

Not to pick nits, but Ethereal is not a scanner, it's
a sniffer.  

Second, what is the external address that these
systems are trying to access?  

My recommendation with regards to this situation is as
follows:

1.  Use openports.exe from DiamondCS instead of
fport.exe.  Make sure you read the licensing
information.

2.  What OS are the systems in question running?

3.  What is this external address that they are trying
to access?  

4.  Do the systems in question have any mapped drives
to resources outside of the infrastructure?  Your
previous admin *may* have done this, perhaps to ease
software downloads and administration. 

5.  Do the systems in question need to have
NetBIOS/file sharing services available?   

6.  To assist you in determining what's going on w/
this outbound traffic, use tools such as tlist.exe
(from the Microsoft Debugging Tools, NOT the RK) to
gather process information.  

7.  If you're going to capture network traffic with
Ethereal, and you want someone to comment on it, it
might be a good idea to make that capture available
for folks to view.

HTH,

Harlan
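The two checks Harlan asks for in items 3 and 6 (which external address the hosts are reaching for, and which process on the server is opening those connections) are the same correlation that openports.exe or fport.exe performs against the process table. The script below is an added example, not code from the original thread, and it works from plain text: a "netstat -ano" listing (the -o switch that prints PIDs exists on Windows XP/2003 and later, which is why older boxes needed fport/openports), a "tasklist" listing, and a firewall log of denied outbound connections. All three inputs are constructed samples embedded in the file; the firewall log format, the 192.0.2.0/24 internal network and the 198.51.100.23 target are assumptions for illustration, not addresses from the thread.

```python
"""Attribute blocked outbound connections to processes.

Added example: correlate netstat/tasklist output and a firewall
deny log to answer "which host and which process is calling out".
All input below is constructed sample data, not from the thread.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: "netstat -ano" on the server (Windows XP/2003 style).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING       1204
  TCP    192.0.2.10:1057        198.51.100.23:6667     SYN_SENT        1888
  TCP    192.0.2.10:1061        198.51.100.23:6667     SYN_SENT        1888
  TCP    192.0.2.10:139         192.0.2.55:1033        ESTABLISHED     4
  UDP    0.0.0.0:53             *:*                                    1204
"""

# Constructed sample: "tasklist" on the same host.
TASKLIST_SAMPLE = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System                         4 Console                 0         28 K
XMail.exe                   1204 Console                 0      6,120 K
svchost.exe                 1888 Console                 0      4,004 K
"""

# Constructed sample: firewall log of blocked traffic. The column layout
# (timestamp action direction proto src dst) is an assumed format.
FIREWALL_LOG = """
2004-01-08 22:14:03 DENY OUT TCP 192.0.2.10:1057 198.51.100.23:6667
2004-01-08 22:14:06 DENY OUT TCP 192.0.2.10:1061 198.51.100.23:6667
2004-01-08 22:15:11 DENY OUT TCP 192.0.2.55:1344 198.51.100.23:6667
2004-01-08 22:16:40 DENY IN  TCP 203.0.113.9:4411 192.0.2.10:135
"""

FW_LINE = re.compile(r"^(\S+ \S+)\s+(DENY|ALLOW)\s+(OUT|IN)\s+(TCP|UDP)\s+(\S+)\s+(\S+)$")


def split_endpoint(endpoint):
    """'192.0.2.10:1057' -> ('192.0.2.10', 1057); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per TCP/UDP row; UDP rows carry no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        else:
            proto, local, foreign, pid = parts
            state = ""
        conns.append({"proto": proto, "local": local, "foreign": foreign,
                      "state": state, "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Map PID -> image name from the rows after the '====' separator."""
    images, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("="):
            in_table = True
            continue
        parts = line.split()
        if not in_table or len(parts) < 2:
            continue
        pid_idx = next((i for i, tok in enumerate(parts) if tok.isdigit()), None)
        if pid_idx:  # image name may contain spaces, so join tokens before the PID
            images[int(parts[pid_idx])] = " ".join(parts[:pid_idx])
    return images


def outbound_by_process(netstat_text, tasklist_text, internal_net):
    """Image name -> sorted foreign endpoints outside internal_net (non-listening)."""
    net = ipaddress.ip_network(internal_net)
    images = parse_tasklist(tasklist_text)
    result = defaultdict(set)
    for c in parse_netstat(netstat_text):
        if c["state"] == "LISTENING":
            continue
        host, _ = split_endpoint(c["foreign"])
        if host in ("*", "0.0.0.0") or ipaddress.ip_address(host) in net:
            continue
        result[images.get(c["pid"], f"PID {c['pid']}")].add(c["foreign"])
    return {img: sorted(eps) for img, eps in result.items()}


def blocked_outbound_sources(log_text):
    """Destination IP -> sorted internal source IPs whose outbound calls were denied."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = FW_LINE.match(line.strip())
        if not m:
            continue
        _, action, direction, _, src, dst = m.groups()
        if action == "DENY" and direction == "OUT":
            sources[split_endpoint(dst)[0]].add(split_endpoint(src)[0])
    return {dst: sorted(s) for dst, s in sources.items()}


if __name__ == "__main__":
    for dst, srcs in blocked_outbound_sources(FIREWALL_LOG).items():
        print(f"{dst} <- denied outbound from {', '.join(srcs)}")
    for image, eps in outbound_by_process(NETSTAT_SAMPLE, TASKLIST_SAMPLE, "192.0.2.0/24").items():
        print(f"{image} is connecting to {', '.join(eps)}")
```

Run it on real output by pasting the three listings in place of the samples; the useful signal is a process name that has no business talking to the outside (here the constructed svchost.exe row) paired with the same destination showing up from more than one internal host in the deny log, which is what the original post describes.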


