unusual incoming activity on my DMZ

Discussion in 'Computer Security' started by sydemon, Nov 8, 2004.

  1. sydemon

    I have a network setup with a private LAN side and a DMZ (which hosts our
    email and web servers) behind a Sonicwall XPRS2 firewall. The firewall is
    sending syslogs to my computer. I use Webtrends Firewall Suite 3.1d to
    analyze the logs and look for trends/issues surrounding our network traffic.
    I notice that under the "Incoming Web Activity by Server" table that
    several non-local IP addresses appear. What I mean by that is I see public
    IP addresses, besides the ones in the DMZ's subnet, as producing "incoming
    web activity" in my report. How could this be? What would make them show
    up as "Incoming"? I don't think I've been hacked but I'm a bit confused as
    to how they are showing up in my reports. Any help, tips, or advice would
    be much appreciated.

    PS: all servers have antivirus installed and don't have any viruses when I
    do a scan on them.

    Thanks
    sydemon
     
    sydemon, Nov 8, 2004
    #1

  2. Guest

    a DMZ is NO protection at all! anything on the IP address of the DMZ is not
    protected by any firewalls...it bypasses the firewall altogether. It is
    intended for gaming, not for servers.
     
    Guest, Nov 9, 2004
    #2

  3. On Tue, 09 Nov 2004 02:48:29 GMT, <©¿©> spoketh

    >a DMZ is NO protection at all! anything on the IP address of the DMZ is not
    >protected by any firewalls...it bypasses the firewall altogether. It is
    >intended for gaming, not for servers.
    >


    Absolutely not. DMZ is simply a designation for a network that is behind
    a firewall but not on your LAN. In the case of the sonicwalls, the DMZ
    has the same protection as the LAN. It is a safer place to host servers
    because if something in the DMZ is compromised, the LAN is still
    protected.

    Lars M. Hansen
    www.hansenonline.net
    Remove "bad" from my e-mail address to contact me.
    "If you try to fail, and succeed, which have you done?"
     
    Lars M. Hansen, Nov 9, 2004
    #3
  4. On Mon, 8 Nov 2004 13:26:14 -0800, sydemon spoketh

    >I have a network setup with a private LAN side and a DMZ (which hosts our
    >email and web servers) behind a Sonicwall XPRS2 firewall. The firewall is
    >sending syslogs to my computer. I use Webtrends Firewall Suite 3.1d to
    >analyze the logs and look for trends/issues surrounding our network traffic.
    >I notice that under the "Incoming Web Activity by Server" table that
    >several non-local IP addresses appear. What I mean by that is I see public
    >IP addresses, besides the ones in the DMZ's subnet, as producing "incoming
    >web activity" in my report. How could this be? What would make them show
    >up as "Incoming"? I don't think I've been hacked but I'm a bit confused as
    >to how they are showing up in my reports. Any help, tips, or advice would
    >be much appreciated.
    >
    >PS: all servers have antivirus installed and don't have any viruses when I
    >do a scan on them.
    >
    >Thanks
    >sydemon


    Well, it could be an error in the reporting. Have you checked the actual
    logs to see what it says about traffic to/from the public IP addresses
    in question?

    Lars M. Hansen
    www.hansenonline.net
    Remove "bad" from my e-mail address to contact me.
    "If you try to fail, and succeed, which have you done?"
     
    Lars M. Hansen, Nov 9, 2004
    #4
  5. Guest

    I think that the Linksys router/firewall works the way I have described...is
    this an exception to the rule of firewalls? i.e., do most firewalls work the
    way you say?
     
    Guest, Nov 9, 2004
    #5
  6. "<©¿©>" <user@127.0.0.1> wrote:

    > I think that the Linksys router/firewall works the way I have
    > described...is this an exception to the rule of firewalls? i.e., do
    > most firewalls work the way you say?


    In the professional world they do. A DMZ is where you place proxy
    servers, webservers etc. - stuff that has to be accessible from both
    sides, but that shouldn't have full access to either side.

    That way, if a server in the DMZ gets hacked, it cannot be used to
    stage an attack against your LAN.

    Juergen Nieveler
    --
    ASCII stupid question... get a stupid ANSI
     
    Juergen Nieveler, Nov 9, 2004
    #6
  7. Martin

    <©¿©> wrote:
    > a DMZ is NO protection at all! anything on the IP address of the DMZ is not
    > protected by any firewalls...it bypasses the firewall altogether. It is
    > intended for gaming, not for servers.


    That's rot!

    The DMZ is intended for servers, that is its whole purpose in life. You
    put the servers on a DMZ and all traffic to/from it is mediated by the
    firewall. This is to prevent internet traffic from being required to
    enter the protected network.

    So, on the DMZ would go your mail server (or better mail relay), web
    servers, web proxies, collaboration chat servers, DNS servers, anything
    exposed to the internet.

    The firewall will then arbitrate what traffic is allowed to and from
    each computer on the DMZ. So if port 80 is requested on 192.168.1.54 and
    that is an email server the traffic will be dropped. If it happened to
    be a web server the packet will be opened, inspected, verified for
    safety, then passed onto the server.

    So the DMZ does not bypass the firewall, the DMZ is controlled by the
    firewall, and all traffic to/from the internet should route through the DMZ.
     
    Martin, Nov 9, 2004
    #7
  8. Guest

    thanx...I learned something!
     
    Guest, Nov 9, 2004
    #8
  9. Leythos

    In article <1eWjd.137555$>, user@127.0.0.1
    says...
    > a DMZ is NO protection at all! anything on the IP address of the DMZ is not
    > protected by any firewalls...it bypasses the firewall altogether. It is
    > intended for gaming, not for servers.


    Wrong, the DMZ is as protected as the LAN in a Firewall. In a home user
    ROUTER with NAT, the port they call a DMZ is open to anything that hits
    the router from the public side.

    Remember, the things you use in your home are not firewalls in most
    cases, but a Firewall will protect the DMZ just like the LAN based on
    the rules you create for it.

    --
    --

    (Remove 999 to reply to me)
     
    Leythos, Nov 9, 2004
    #9
  10. Leythos

    In article <jEWjd.137757$>, user@127.0.0.1
    says...
    > I think that the Linksys router/firewall works the way I have described...is
    > this an exception to the rule of firewalls? i.e., do most firewalls work the
    > way you say?


    Yes, ALL Firewalls work the way that Lars and I have stated - meaning
    that All firewalls protect the LAN and DMZ alike.

    What you are describing is a home (SOHO) user router that provides NAT
    for protection and that the marketing dipsh&ts decided to start calling
    a Firewall.

    With the home user devices, Routers with NAT, the IP (and some have a
    physical port) they call DMZ is a pass-through IP/Port - anything that
    is not setup as a port-forward is sent to the IP/Port they call a DMZ.

    With a real firewall, the DMZ PORT (and it's usually a physical port on
    the Firewall) is just as protectable, by firewall rules, as the LAN
    port. Nothing makes it to the DMZ or LAN without the user creating a
    rule for it.

    This is a classic case of why they should not be calling the Routers/NAT
    devices firewalls.

    --
    --

    (Remove 999 to reply to me)
     
    Leythos, Nov 9, 2004
    #10
  11. Leythos

    In article <cmq4ak$mdr$>,
    says...
    > <©¿©> wrote:
    > > a DMZ is NO protection at all! anything on the IP address of the DMZ is not
    > > protected by any firewalls...it bypasses the firewall altogether. It is
    > > intended for gaming, not for servers.

    >
    > That's rot!


    He was speaking from the point of the home user that only has experience
    with a Router that uses NAT for protection. He's never experienced a
    Firewall and was duped by the marketing hype of the NAT box vendors.

    With the NAT box vendors, they allow users to assign an IP to what they
    call a DMZ machine, all traffic that is not specifically port forwarded
    to another machine is sent to the DMZ IP.

    --
    --

    (Remove 999 to reply to me)
     
    Leythos, Nov 9, 2004
    #11
  12. Guest

    OK...thanx...I learned something.
     
    Guest, Nov 9, 2004
    #12
  13. On Tue, 09 Nov 2004 03:16:31 GMT, <©¿©> spoketh

    >I think that the Linksys router/firewall works the way I have described...is
    >this an exception to the rule of firewalls? i.e., do most firewalls work the
    >way you say?
    >


    Broadband routers have been re-inventing terms and redefined how they
    work. The DMZ on the cheap NAT router does indeed work by allowing all
    traffic to pass through to the IP address defined as the DMZ host.
    However, this is a totally wrong usage of the term "DMZ". The DMZ is
    supposed to be a zone between firewalls, sort of like this:

    internet
    |
    |
    firewall
    |
    |-- DMZ
    |
    firewall
    |
    LAN

    Another solution would be:

    internet
    |
    |
    screening router
    |
    |-- DMZ
    |
    firewall
    |
    LAN

    Here, there's just a simple packet filter router between the internet
    and the DMZ, giving it just the simplest of protection.

    The more modern implementation would be using a firewall with multiple
    interfaces, giving you something like this:

    internet
    |
    |
    firewall --- DMZ
    |
    |
    LAN

    In this case, there's only one firewall controlling access between three
    interfaces. The access rules in such instances should include both IP
    addresses and interfaces, so that IP spoofing would not become an issue.

    Lars M. Hansen
    http://www.hansenonline.net
    (replace 'badnews' with 'news' in e-mail address)
     
    Lars M. Hansen, Nov 9, 2004
    #13
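    The point Martin (#7) and Lars (#13) are making is that a real DMZ is
    arbitrated per host, per port and per interface. The following is an added
    example, not code from the thread or from any firewall vendor: a small
    first-match packet filter with the three-interface layout from the last
    diagram. The subnets, server addresses and packets are constructed
    assumptions. It contrasts a policy keyed on addresses alone with one that
    also binds each rule to its ingress interface, which is what lets the
    anti-spoofing rule drop a packet that arrives on the WAN side carrying a
    LAN source address.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

# Constructed addressing for the three-interface layout (assumptions for
# this example, not anything taken from the thread).
LAN = ipaddress.ip_network("192.168.1.0/24")
DMZ = ipaddress.ip_network("192.168.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
WEB = ipaddress.ip_network("192.168.2.10/32")   # DMZ web server
MAIL = ipaddress.ip_network("192.168.2.20/32")  # DMZ mail server


@dataclass(frozen=True)
class Packet:
    iface: str    # ingress interface: "wan", "dmz" or "lan"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    iface: Optional[str]           # ingress interface the rule is bound to; None = any
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # None = any destination port
    action: str                    # "allow" or "drop"

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport))


def decide(policy: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in policy:
        if rule.matches(p):
            return rule.action
    return "drop"


# Policy keyed on addresses only: "LAN may talk anywhere" is decided purely
# by the source address, so the firewall cannot tell a LAN host from an
# outsider forging a LAN address.
IP_ONLY = [
    Rule(None, ANY, WEB, 80, "allow"),    # port 80 only to the web server
    Rule(None, ANY, MAIL, 25, "allow"),   # port 25 only to the mail server
    Rule(None, LAN, ANY, None, "allow"),  # LAN hosts may initiate anything
]

# Same intent, but every rule names the interface it applies to, and two
# anti-spoofing rules say internal addresses never arrive on the WAN side.
IFACE_AWARE = [
    Rule("wan", LAN, ANY, None, "drop"),  # LAN source address from outside
    Rule("wan", DMZ, ANY, None, "drop"),  # DMZ source address from outside
    Rule("wan", ANY, WEB, 80, "allow"),
    Rule("wan", ANY, MAIL, 25, "allow"),
    Rule("lan", LAN, ANY, None, "allow"),
]

# Constructed sample packets.
web_hit = Packet("wan", "203.0.113.7", "192.168.2.10", 80)      # web request to web server
web_to_mail = Packet("wan", "203.0.113.7", "192.168.2.20", 80)  # port 80 at the mail server
spoofed = Packet("wan", "192.168.1.5", "192.168.1.50", 445)    # LAN address from the WAN


def compare(p: Packet) -> Tuple[str, str]:
    """Verdict under the address-only policy and under the interface-aware one."""
    return decide(IP_ONLY, p), decide(IFACE_AWARE, p)


if __name__ == "__main__":
    for pkt in (web_hit, web_to_mail, spoofed):
        print(pkt, "->", compare(pkt))
```

    Port 80 at the mail server is dropped by both policies, as Martin
    describes; only the interface-aware policy drops the forged LAN address,
    which is the reason Lars says the rules should name both addresses and
    interfaces.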
  14. sydemon

    When you say check the actual logs, do you mean open the syslogs up in
    Notepad or something similar? If so I can't do that b/c they are too big,
    90 MB, to open in any program I've tried. Can you recommend another?

    sydemon

    "Lars M. Hansen" <> wrote in message
    news:...
    > On Mon, 8 Nov 2004 13:26:14 -0800, sydemon spoketh
    >
    >>I have a network setup with a private LAN side and a DMZ (which hosts our
    >>email and web servers) behind a Sonicwall XPRS2 firewall. The firewall is
    >>sending syslogs to my computer. I use Webtrends Firewall Suite 3.1d to
    >>analyze the logs and look for trends/issues surrounding our network traffic.
    >>I notice that under the "Incoming Web Activity by Server" table that
    >>several non-local IP addresses appear. What I mean by that is I see public
    >>IP addresses, besides the ones in the DMZ's subnet, as producing "incoming
    >>web activity" in my report. How could this be? What would make them show
    >>up as "Incoming"? I don't think I've been hacked but I'm a bit confused as
    >>to how they are showing up in my reports. Any help, tips, or advice would
    >>be much appreciated.
    >>
    >>PS: all servers have antivirus installed and don't have any viruses when I
    >>do a scan on them.
    >>
    >>Thanks
    >>sydemon

    >
    > Well, it could be an error in the reporting. Have you checked the actual
    > logs to see what it says about traffic to/from the public IP addresses
    > in question?
    >
    > Lars M. Hansen
    > www.hansenonline.net
    > Remove "bad" from my e-mail address to contact me.
    > "If you try to fail, and succeed, which have you done?"
     
    sydemon, Nov 9, 2004
    #14
  15. On Tue, 9 Nov 2004 15:46:03 -0800, sydemon spoketh

    >
    >When you say check the actual logs, do you mean open the syslogs up in
    >Notepad or something similar? If so I can't do that b/c they are too big,
    >90 MB, to open in any program I've tried. Can you recommend another?
    >
    > sydemon
    >


    Since your reports already give you some idea what to look for (IP
    address or a host name you can translate to an IP address), you can use
    grep (or find, depending on your OS) on the text file where the log is,
    and extract all the pertinent information into another file, which you
    can then take a good look at.


    Lars M. Hansen
    http://www.hansenonline.net
    (replace 'badnews' with 'news' in e-mail address)
     
    Lars M. Hansen, Nov 10, 2004
    #15
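    Lars's suggestion, as an added example that is not part of the original
    thread: grep the raw log for one address, then tally what the matching
    lines actually say about it (which zone it came from, which zone and port
    it went to, and whether the firewall opened or dropped the connection).
    The log excerpt and its key=value layout are constructed for this example;
    a real SonicWall syslog export uses its own field names, so the two
    regular expressions are the part to adapt. The functions accept any
    iterable of lines, so a 90 MB file is streamed through `summarize_file`
    rather than loaded into an editor.

```python
import re
from collections import Counter
from typing import Iterable, List, Optional

# Constructed syslog excerpt. The zones after the port (WAN/DMZ/LAN) and the
# 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges used
# as sample data, not addresses from the thread.
LOG = """\
Nov  8 13:01:02 fw msg="Connection Opened" src=203.0.113.7:4120:WAN dst=192.168.2.10:80:DMZ proto=tcp/http
Nov  8 13:01:03 fw msg="Connection Opened" src=192.168.1.20:1055:LAN dst=203.0.113.7:80:WAN proto=tcp/http
Nov  8 13:01:09 fw msg="Connection Opened" src=203.0.113.7:4131:WAN dst=192.168.2.20:25:DMZ proto=tcp/smtp
Nov  8 13:01:15 fw msg="Connection Opened" src=203.0.113.70:2201:WAN dst=192.168.2.10:80:DMZ proto=tcp/http
Nov  8 13:01:21 fw msg="Connection Opened" src=198.51.100.9:3390:WAN dst=192.168.2.10:80:DMZ proto=tcp/http
Nov  8 13:01:30 fw msg="Connection Opened" src=203.0.113.7:4150:WAN dst=192.168.2.10:80:DMZ proto=tcp/http
Nov  8 13:02:01 fw msg="Dropped" src=203.0.113.7:4177:WAN dst=192.168.1.50:445:LAN proto=tcp/microsoft-ds
"""

# Field layout of the constructed format (adapt these for a real export).
_PAIR = re.compile(
    r'src=(?P<sip>[\d.]+):(?P<sport>\d+):(?P<szone>\w+)\s+'
    r'dst=(?P<dip>[\d.]+):(?P<dport>\d+):(?P<dzone>\w+)')
_MSG = re.compile(r'msg="([^"]*)"')


def ip_pattern(ip: str) -> "re.Pattern":
    """Match the address as a whole token, so 203.0.113.7 does not hit 203.0.113.70."""
    return re.compile(r'(?<![\d.])' + re.escape(ip) + r'(?![\d.])')


def grep_ip(lines: Iterable[str], ip: str) -> List[str]:
    """The grep step: keep only the lines that mention the address anywhere."""
    pat = ip_pattern(ip)
    return [ln.rstrip("\n") for ln in lines if pat.search(ln)]


def parse(line: str) -> Optional[dict]:
    """Pull source/destination endpoints, zones and the firewall's message out of one line."""
    m = _PAIR.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    msg = _MSG.search(line)
    rec["msg"] = msg.group(1) if msg else ""
    return rec


def summarize(lines: Iterable[str], ip: str) -> Counter:
    """Tally the address's traffic by (zone direction, destination port, firewall message).

    A "WAN->DMZ" entry means the address was the client hitting a DMZ server;
    a "LAN->WAN" entry means one of your own hosts connected out to it.
    """
    counts: Counter = Counter()
    for ln in grep_ip(lines, ip):
        rec = parse(ln)
        if rec is None:
            continue
        direction = f"{rec['szone']}->{rec['dzone']}"
        counts[(direction, rec["dport"], rec["msg"])] += 1
    return counts


def summarize_file(path: str, ip: str) -> Counter:
    """Stream a large log file line by line instead of reading it whole."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return summarize(fh, ip)


if __name__ == "__main__":
    for key, n in sorted(summarize(LOG.splitlines(), "203.0.113.7").items()):
        print(f"{n:4d}  {key[0]:<8} port {key[1]:<5} {key[2]}")
```

    Run against the sample, the tally shows two web connections and one SMTP
    connection from the address into the DMZ, one outbound web connection from
    a LAN host to it, and one dropped attempt at port 445 on the LAN. That is
    the split a report table cannot show when it collapses everything into
    "incoming activity" per address.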
  16. Guest

    No thanks...I always go to http://grc.com and test there. Steve Gibson is a
    known hacker...if he says your computer is safe, I tend to listen.
     
    Guest, Nov 10, 2004
    #16
  17. donnie

    Ping Lars was Re: unusual incoming activity on my DMZ

    On Tue, 09 Nov 2004 19:47:34 -0500, Lars M. Hansen
    <> wrote:

    >Lars M. Hansen
    >http://www.hansenonline.net
    >(replace 'badnews' with 'news' in e-mail address)

    ###########################
    Lars, didn't you write a book called Hacking Exposed?
    donnie.
     
    donnie, Nov 10, 2004
    #17
  18. GreySoul

    On Wed, 10 Nov 2004 01:49:01 GMT, "<©¿©>" <user@127.0.0.1> wrote:

    >No thanks...I always go to http://grc.com and test there. Steve Gibson is a
    >known hacker...if he says your computer is safe, I tend to listen.



    Steve Gibson is merely a hack and a spreader of FUD.
     
    GreySoul, Nov 10, 2004
    #18
  19. Re: Ping Lars was Re: unusual incoming activity on my DMZ

    On Wed, 10 Nov 2004 02:53:08 GMT, donnie spoketh

    >On Tue, 09 Nov 2004 19:47:34 -0500, Lars M. Hansen
    ><> wrote:
    >
    >>Lars M. Hansen
    >>http://www.hansenonline.net
    >>(replace 'badnews' with 'news' in e-mail address)

    >###########################
    >Lars, didn't you write a book called Hacking Exposed?
    >donnie.


    Nope, you must be confusing me with someone else...

    Lars M. Hansen
    http://www.hansenonline.net
    (replace 'badnews' with 'news' in e-mail address)
     
    Lars M. Hansen, Nov 10, 2004
    #19
  20. On Wed, 10 Nov 2004 01:25:45 GMT, SECURTYman spoketh
    >
    >TO ALL INTERNET USERS -- YOU ARE AT RISK !!!
    >


    Great. Your website is a link to other peoples' tools. How
    "entrepreneurial" of you...

    Lars M. Hansen
    http://www.hansenonline.net
    (replace 'badnews' with 'news' in e-mail address)
     
    Lars M. Hansen, Nov 10, 2004
    #20
