None taken...I always love a good discussion as long as we all benefit from the end results..
Cheers..
:)
I'm buddies with the19man and he mentioned I might want to tack my spoof issue onto this thread.
I'm also running a SonicWall firewall. For the past week I have been getting IP spoof detections in my firewall log. The source IP claims to be from my LAN but does not fall into any of my subnets - not even close. The MAC address that is listed is from an Ethernet port on my internal Cisco router that provides the connection to the SonicWall firewall.
I know very little about how these things work, but does this mean that something on the inside of my firewall is causing the spoof entries? Any help would be appreciated. The IP spoofs are detected roughly every 20 minutes. The source network is always a 172.x.x.x address. As far as I know nothing has changed in the configuration of my network.
thanks in advance for your help!
cooderbuck,
Is this your topology? (Can you verify please and answer a few questions to help better understand what is happening. The firewall could be reporting what's referred to as "false positives" depending on the setup of the firewall.) But anyway, let's not assume that yet. Take a look at the following setups and see if either matches yours:
(fig a)
||PC||------------||FW||------------||ROUTER||------------------Internet
or
(fig b)
||PC||------------||Router||------------||FW||------------------Internet
and could you answer the following questions please:
1) Are you using cable, DSL, etc. for internet access?
2) Do you mind telling us the 2nd octet (just the 1st # following the 172) of the 172 address?
Curious to see if it's part of a private block reserved for private use or a public address.
3) Just out of curiosity, I've worked extensively with Cisco routers; what model is it?
4) Is there more than one PC on your network? If so, can you describe whereabouts.
Cheers
:)
I'm currently setup like figure b with the addition of a router on the "outside" of my firewall that maintains the connection to my ISP.
I'm connected via a full T1 to our ISP through a 1720 router. The Ethernet port on this router connects to the WAN port on the firewall. The LAN port on the firewall connects to an Ethernet port on a 2611 router. The 2611 has two additional T1 cards that connect our branch offices. The other Ethernet port on the 2611 acts as the gateway for the local network and is connected to my main switch in the corporate office.
The current source IP address of the spoof is 172.153.x.x. It changes every day or so, but every time I check it belongs to a block that AOL owns - I think...
Just so you have the full picture... The 2611 acts as the main hub for the network. It connects to my corporate office via an ethernet port. My two branch offices are tied in via the T1 cards and have 1604Rs at the other end.
The corporate office has several servers and 30 or so workstations using DHCP and a private address range with the internal Ethernet of the 2611 as their gateway. The branch offices have a server each and several workstations using DHCP and a private address range with the Ethernet of the 1604Rs as their gateway.
The 2611 routes all traffic from the various internal interfaces to the firewall. The firewall is using NAT. The firewall has a public IP address on the WAN port that connects to the 1720, which has another public IP in the same subnet - no NAT.
This setup has been working well for a couple years now. The IP spoof is recent, but bothers me because it is so consistent. Hope this wasn't too much information and thanks again for your help.
cooderbuck,
I totally understand your setup...It's very clear and straightforward..
The only thing I would like to ask is about your private addressing assignments:
You don't have to give out specifics (although it really doesn't matter, not routable)
Anyway are:
a) your internal private IP addresses part of one of the following blocks:
10.x.x.x
172.16.x.x---172.31.x.x
192.168.x.x
and
b) Is your internet traffic strictly initiated from inside or both ways? For example, are you hosting any web servers, DNS, SMTP/POP3 etc.?
See, I haven't worked with Sonic particularly, but for the firewall to detect spoofed addresses, it is detecting (this is my guess) one of two things:
1) Someone is actually sending spoofed packets from the Internet with a src address that of RFC1918 (which are part of the private address range I listed above)
or
2) You are not using private IP addresses on your private internal network, and the firewall sees the internal src IP matches the range of some of the websites your users go to (like maybe AOL's)
This is the best guess I can make unless others can shed some light on the topic..
Good Luck
Cheers..
:)
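As an added illustration of the check the reply above describes (not code from the thread or from SonicWall), the following Python models the anti-spoof rule a firewall applies on its LAN interface: a packet entering from the inside must carry a source address from a configured LAN subnet, and anything else is flagged, whether the stray source is RFC1918 (someone else's private block) or public (like the 172.153.x.x address cooderbuck reports). The LAN subnets and the log lines are constructed for the example; the log format is a simplified key=value layout, not real SonicWall output.

```python
import ipaddress
import re

# RFC1918 private blocks, as listed in the reply above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed LAN-side subnets reachable through the 2611 (hypothetical values;
# the thread only says "192.168.x.x").
LAN_SUBNETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "192.168.2.0/24")]

# Constructed sample log lines in a simplified key=value form; not real SonicWall output.
SAMPLE_LOG = """\
msg="IP spoof detected" src=172.153.4.20 dst=192.168.1.10 iface=LAN
msg="Connection opened" src=192.168.1.25 dst=205.188.1.1 iface=LAN
msg="IP spoof detected" src=10.9.8.7 dst=192.168.2.5 iface=LAN
"""

LINE_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) iface=(?P<iface>\w+)")


def is_rfc1918(ip):
    """True if ip lies in one of the three private blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify_source(src, iface):
    """Mimic the firewall's LAN-side anti-spoof rule.
    Returns 'ok' (source belongs to a LAN subnet), 'spoof-private'
    (RFC1918 but not one of our subnets, e.g. a misaddressed inside host)
    or 'spoof-public' (a routable address arriving from the inside)."""
    if iface != "LAN":
        return "ok"  # only the LAN-side rule is modelled here
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in LAN_SUBNETS):
        return "ok"
    return "spoof-private" if is_rfc1918(src) else "spoof-public"


def scan_log(text):
    """Return (src, verdict) for every parsable log line."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            results.append((m["src"], classify_source(m["src"], m["iface"])))
    return results


if __name__ == "__main__":
    for src, verdict in scan_log(SAMPLE_LOG):
        print(f"{src:<16} {verdict}")
```

A 'spoof-public' verdict on traffic that arrives via the internal router's MAC, as in this thread, points at something behind the 2611 emitting or forwarding packets with that source, so the router's interface counters and the switch port behind it are the next places to look.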
My internal private addresses are all 192.168.x.x. I have a one to one nat mapping in the firewall from a public address to a specific internal address to handle email. That is, I receive smtp traffic that is sent to one of my public addresses and that gets routed to my smtp gateway via the mapping - which, right now is internal. I am also using OWA, so there is some http/https traffic that is initiated from the outside.
I can rule out 2) in your last post, so if 1) is the case, do I have anything to worry about? I don't think this is causing any other problem than filling up my logs a bit more frequently, but if there is a way for me to make it go away, I'd like to figure it out.
Thanks again for your comments!
P.S.
I don't know how critical your data or line of business is; however (playing the devil's advocate) I'd like to advise you to be prepared for the worst that can happen. This means make sure you have the right tool/s and not just a firewall (a lot of great threads/tutorials are written on the subject) and skilled IT staff to support and secure the network. In my line of business you would be surprised how often companies mismanage and often neglect the importance of having and enforcing a security policy...
Anyway, also if you have the license for it, you can install the Cisco Firewall feature set IOS on your 2611 that's got a basic IDS module (not the full package w/ all signatures, but better than anything) to add another layer of security...Although I'm sure there are a lot of freebies out there that are equal to if not better....(no flames!!!)
(Sorry, you beat me to it; this comment was supposed to be appended to the previous response.)