RE: Odd SonicWall behavior

From: Jason Harris (jharris_at_newhorizonscr.com)
Date: 10/27/05

  • Next message: Steven Meyer: "secure backups"
    Date: Thu, 27 Oct 2005 16:12:12 -0500
    To: <security-basics@securityfocus.com>
    
    

    Also, do you have ARP proxy enabled on your interfaces?

    -----Original Message-----
    From: Austin Murkland [mailto:amurkland@merydion.com]
    Sent: Thursday, October 27, 2005 2:00 PM
    To: Ryan James
    Cc: security-basics@securityfocus.com
    Subject: Re: Odd SonicWall behavior

    I've seen this behavior before on cable modem connections...how does
    that webserver connect to the internet?

    Ryan James wrote:
    > I help out one of the labs at my university keep their network up and
    > PCs running. They have a webserver with some sort of vaguely sensitive
    > information on it, enough so that they requested money for a small
    > firewall for it and some of the other computers in the lab. They got a
    > SonicWall tele3 (I believe) and it was working well for a year or so,
    > but around a week ago the campus's network admin contacted us and said
    > that our network was broadcasting a *lot* of traffic. From my (outside
    > their firewall) I did a packet dump (I can supply it if needed) and the
    > only thing that was unusual was that the SonicWall was sending massive
    > amounts of ARP traffic asking who has the gateway's IP. By massive I
    > mean around twenty a second. Before talking to me, the lab director
    > unplugged each PC one by one from the firewall, but the spamming
    > continued even after everything--including the webserver--had been
    > disconnected. After I was notified, I attempted to log into the
    > firewall to check its logs, but it didn't work. I scanned the firewall
    > with nmap and it returned that all ports were filtered, even though
    > access from within the network to the admin console had been turned on.
    > I also tried connecting to the 'console' port on the SonicWall but either
    > I didn't know how it worked or it wasn't working properly. In addition,
    > it seems that PCs within the firewalled network can DHCP an address from
    > the subnet's gateway (which they couldn't before) and ettercap showed
    > that you can see all the connections on the subnet from within the
    > firewall. Since keeping the webserver up is the lab director's primary
    > goal he doesn't want me to attempt to reflash the firmware unless it's
    > absolutely necessary or if the firewall's been compromised. So I guess
    > my question is: is someone tunneling a connection from our firewall to
    > off-campus over ARP or has the firewall just gone a bit nutty?
    >
    >
    >

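A way to check a packet dump like Ryan's for the two things his question raises, as an added example (Python) that is not code from anyone in this thread: it counts ARP who-has requests per sender/target pair per second to confirm the flood, and flags requests whose ARP body is not a normal size, which is the first thing to look at before suspecting data riding on ARP. The dump lines, addresses and the 5-per-second threshold are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# tcpdump -n renders an ARP request as, e.g.:
#   16:02:11.001234 ARP, Request who-has 10.1.2.1 tell 10.1.2.254, length 28
ARP_REQ = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ ARP, Request who-has (?P<target>[\d.]+) "
    r"tell (?P<sender>[\d.]+), length (?P<length>\d+)$"
)
# An IPv4-over-Ethernet ARP body is 28 bytes; a received frame padded to the
# Ethernet minimum shows as 46. Anything else deserves a closer look.
NORMAL_LENGTHS = {28, 46}

def parse_arp_requests(lines):
    """Yield (second, sender_ip, target_ip, length) for each ARP request line."""
    for line in lines:
        m = ARP_REQ.match(line.strip())
        if m:
            yield m["ts"], m["sender"], m["target"], int(m["length"])

def find_arp_storms(lines, max_per_second=5):
    """Map (sender, target) to its peak requests-per-second, keeping only pairs
    above max_per_second; a healthy host resolves its gateway far less often."""
    per_second = Counter()
    for sec, sender, target, _ in parse_arp_requests(lines):
        per_second[(sec, sender, target)] += 1
    peak = defaultdict(int)
    for (sec, sender, target), n in per_second.items():
        peak[(sender, target)] = max(peak[(sender, target)], n)
    return {pair: n for pair, n in peak.items() if n > max_per_second}

def find_odd_sizes(lines):
    """List (sender, target, length) for requests whose ARP body is not a normal size."""
    return [(s, t, n) for _, s, t, n in parse_arp_requests(lines)
            if n not in NORMAL_LENGTHS]

# Constructed sample dump: the firewall (10.1.2.254) asks for the gateway (10.1.2.1)
# twenty times in one second, one lab PC asks once, and one oversized request
# from the firewall arrives a second later.
SAMPLE_DUMP = [
    f"16:02:11.{i * 50000:06d} ARP, Request who-has 10.1.2.1 tell 10.1.2.254, length 28"
    for i in range(20)
] + [
    "16:02:11.123456 ARP, Request who-has 10.1.2.1 tell 10.1.2.17, length 46",
    "16:02:12.000100 ARP, Request who-has 10.1.2.1 tell 10.1.2.254, length 120",
]

if __name__ == "__main__":
    print("storms:", find_arp_storms(SAMPLE_DUMP))
    print("odd sizes:", find_odd_sizes(SAMPLE_DUMP))
```

Feed it real lines with `find_arp_storms(open("dump.txt"))`; a pair that stays flagged after every host behind the firewall is unplugged points at the firewall itself, as in the thread.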