RE: Odd SonicWall behavior
From: Jason Harris (jharris_at_newhorizonscr.com)
Date: 10/27/05
- Previous message: Marty: "Wireless security question..."
- Maybe in reply to: Ryan James: "Odd SonicWall behavior"
Date: Thu, 27 Oct 2005 16:12:12 -0500 To: <security-basics@securityfocus.com>
Also, do you have an arp proxy enabled on your interfaces?
-----Original Message-----
From: Austin Murkland [mailto:amurkland@merydion.com]
Sent: Thursday, October 27, 2005 2:00 PM
To: Ryan James
Cc: security-basics@securityfocus.com
Subject: Re: Odd SonicWall behavior
I've seen this behavior before on cable modem connections...how does
that webserver connect to the Internet?
Ryan James wrote:
> I help out one of the labs at my university keep their network up and
> pcs running. They have a webserver with some sort of vaguely sensitive
> information on it, enough so that they requested money for a small
> firewall for it and some of the other computers in the lab. They got a
> SonicWall tele3 (I believe) and it was working well for a year or so,
> but around a week ago the campus's network admin contacted us and said
> that our network was broadcasting a *lot* of traffic. From my (outside
> their firewall) I did a packet dump (I can supply it if needed) and the
> only thing that was unusual was that the sonicwall was sending massive
> amounts of ARP traffic asking who has the gateway's IP. By massive I
> mean around twenty a second. Before talking to me, the lab director
> unplugged each pc one by one from the firewall, but the spamming
> continued even after everything--including the webserver--had been
> disconnected. After I was notified, I attempted to log into the
> firewall to check its logs, but it didn't work. I scanned the firewall
> with nmap and it returned that all ports were filtered, even though
> access from within the network to the admin console had been turned on.
> I also tried connecting to the 'console' port on the sonicwall but either
> I didn't know how it worked or it wasn't working properly. In addition,
> it seems that pcs within the firewalled network can dhcp an address from
> the subnet's gateway (which they couldn't before) and ettercap showed
> that you can see all the connections on the subnet from within the
> firewall. Since keeping the webserver up is the lab director's primary
> goal he doesn't want me to attempt to reflash the firmware unless it's
> absolutely necessary or if the firewall's been compromised. So I guess
> my question is: is someone tunneling a connection from our firewall to
> off-campus over ARP or has the firewall just gone a bit nutty?
>
>
>
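Added example, not part of the original thread: one way to confirm from a packet dump which host is flooding ARP requests and for which target, by measuring the peak request rate per (sender, target) pair. It assumes text output in the format modern tcpdump prints with `-tt -n`; the sample lines, addresses and the threshold of 10 per second are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed input format (tcpdump -tt -n), e.g.:
# 1000.050000 ARP, Request who-has 192.0.2.1 tell 192.0.2.50, length 46
ARP_REQ = re.compile(r"^(\d+\.\d+) ARP, Request who-has (\S+) tell ([^\s,]+)")

def arp_request_rates(lines, window=1.0):
    """Return {(sender, target): peak request count in any `window`-second span}."""
    times = defaultdict(list)
    for line in lines:
        m = ARP_REQ.match(line)
        if m:  # replies and non-ARP lines are ignored
            ts, target, sender = float(m.group(1)), m.group(2), m.group(3)
            times[(sender, target)].append(ts)
    peaks = {}
    for key, stamps in times.items():
        stamps.sort()
        peak, start = 0, 0
        for end in range(len(stamps)):
            # Slide the window start forward until it spans less than `window`.
            while stamps[end] - stamps[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        peaks[key] = peak
    return peaks

def flag_floods(lines, threshold=10, window=1.0):
    """List (sender, target) pairs whose peak rate reaches the threshold."""
    rates = arp_request_rates(lines, window)
    return sorted(k for k, v in rates.items() if v >= threshold)

def build_sample():
    """Constructed capture: one device asks for the gateway every 50 ms for
    two seconds; a second host asks once; the gateway replies once."""
    lines = [
        f"{1000.0 + i * 0.05:.6f} ARP, Request who-has 192.0.2.1 tell 192.0.2.50, length 46"
        for i in range(40)
    ]
    lines.append("1000.300000 ARP, Request who-has 192.0.2.1 tell 192.0.2.77, length 46")
    lines.append("1000.400000 ARP, Reply 192.0.2.1 is-at 00:00:5e:00:53:01, length 46")
    return lines

if __name__ == "__main__":
    for sender, target in flag_floods(build_sample()):
        print(f"{sender} is flooding who-has requests for {target}")
```

A sender that keeps requesting the gateway at this rate while replies are visible on the wire is not caching the answer, which points at the device itself rather than at the hosts behind it.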