Re: SonicWalls take down networks?

[Robert Graham <robert_david_graham () yahoo com>]

Ah.

So one problem is the fact that the network is very "flat". My thinking is from
the abstract view that you are 20 hops away from the firewall, so how could it
affect the way the network worked? In reality, networks are "flattening" out
more and more with switched hubs, and of course SonicWall is also built for
smaller offices which also tend to be flat.

The next problem is the feature 'enable router proxy arp'. Proxie ARPs have
been known to cause major havoc with systems in the past. They are a nifty
"kludge" get around things certain networking problems, but they quickly get
out of hand sometimes. As you see, they quickly create HUGE ARP tables, or in
your case, has a HUGE affect on the network by ARPing everyone's address.

Of course, proxy ARPs are not specific to SonicWall, though of course as I
mentioned in my original message it may not be a good thing that the product
defaults led to a pathological configuration. 

Rob.


--- Bill Stout <bill.stout () aristasoft com> wrote:
> Found the problem.
>
> There's an undocumented administration page \\sonicwall\diag.htm which has
> checkboxes for 'enable arp bridging' and 'enable router proxy arp'.
> Apparently when combined with NAT mode, will cause the sonicwall to 'own'
> all internal IP addresses when an external system attempts to access those
> addresses - In this instance a nasty D.O.S. against all internal servers and
> desktops on the subnet.
>
> Turning these checkboxes off solved the problem.
>
> This particular configuration has two sonicwalls, one connected to a Citrix
> server (for trunked extranet VPNs), and the other connected to the office
> network (for administrative VPN to remote co-located systems).  Both connect
> WAN ports to a hub which connects to a Cisco router.
>
> This particular configuration worked fine for months, that is, until a
> Citrix server connected to both internal and 'firewalled' networks could not
> see the internal servers (rebooting at the time after UPS failure) through
> it's internal LAN.  It then attempted to connect through the external LAN
> (since the Cisco 'knew' the route to the private 10.x.x.x network), which
> apparently triggered NAT on the sonicwall to glom onto addresses on the
> internal subnet as it's own.
>
> SonicWall tech support tells me this may be complicated by two factors; one,
> that the sonicwall has 10 user licenses and may prevent access attempt 11
> and above by grabbing those later IP addresses, two, that there is a
> possible problem when sonicwalls are initially configured on a 10.x.x.x
> subnet and reconfigured for another, since they've seen this happen once
> before.
>
> Bill Stout
>
> P.S. - Have not receving list messages since 9/14, reply directly please.
>
> ----- Original Message -----
> From: Robert Graham <robert_david_graham () yahoo com>
> To: Bill Stout <Bill.Stout () AristaSoft com>; <firewall-wizards () nfr net>
> Sent: Monday, September 20, 1999 1:43 AM
> Subject: Re: SonicWalls take down networks?
>
>
> > --- Bill Stout <Bill.Stout () AristaSoft com> wrote:
> > > Has anyone run into the problem where SonicWalls
> > > take down the entire
> > > network with IP address conflicts?
> >
> > How can any device take down an "entire IP network"? All the ways I can
> > think
> > of that happening are due to user error in configuring the device, which
> > can
> > apply to any device (true, some make devices encourage more user errors
> > than
> > others). For example, you could:
> > * assign a duplicate address, which causes problems on another router or
> > server
> > * assign a duplicate subnet, which causes routing tables to be hosed for
> > awhile
> >
> >
> > From the evidence given, it doesn't yet look like a problem unique to
> > SonicWall.
> >
> > ===
> > Robert Graham
> > "Anxiously awaiting the millenium so I can start programming
> > dates with 2-digits again."
> > __________________________________________________
> > Do You Yahoo!?
> > Bid and sell for free at http://auctions.yahoo.com

===
Robert Graham
"Anxiously awaiting the millenium so I can start programming
dates with 2-digits again."
__________________________________________________
Do You Yahoo!?
Bid and sell for free at http://auctions.yahoo.com