Security Basics mailing list archives

RE: Odd SonicWall behavior


From: "Pablo Hauser" <pablohauser () yahoo com ar>
Date: Fri, 28 Oct 2005 04:07:17 -0300

Sorry because I will not answer your question (cause I don't know what could
be happening). Just wanted to say that SonicWall always works in mysterious
ways... I had one in front of a web server; when you telnet that server, it
answered correctly... And here's the oddity: when the server was disconnected
from the FW, it *assumed* that the server was there the same, and the
SonicWall answered the telnet... WTF!!!

Nothing else to say, but SonicWall Sucks.
 
__________________________________________________

Pablo D. Hauser | pH

www.securearg.net
Secure from the source


-----Original Message-----
From: Ryan James [mailto:rjames () csulb edu]
Sent: Wednesday, 26 October 2005 21:59
To: security-basics () securityfocus com
Subject: Odd SonicWall behavior

I help out one of the labs at my university keep their network up and pcs
running.  They have a webserver with some sort of vaguely sensitive
information on it, enough so that they requested money for a small firewall
for it and some of the other computers in the lab.  They got a SonicWall
tele3 (I believe) and it was working well for a year or so, but around a
week ago the campus's network admin contacted us and said that our network
was broadcasting a *lot* of traffic.  From my (outside their firewall) I did
a packet dump (I can supply it if needed) and the only thing that was
unusual was that the sonicwall was sending massive amounts of ARP traffic
asking who has the gateway's IP.  By massive I mean around twenty a second.
Before talking to me, the lab director unplugged each pc one by one from the
firewall, but the spamming continued even after everything--including the
webserver--had been disconnected.  After I was notified, I attempted to log
into the firewall to check its logs, but it didn't work.  I scanned the
firewall with nmap and it returned that all ports were filtered, even though
access from within the network to the admin console had been turned on.
I also tried connecting to the 'console' port on the sonicwall but either I
didn't know how it worked or it wasn't working properly.  In addition, it
seems that pcs within the firewalled network can dhcp an address from the
subnet's gateway (which they couldn't before) and ettercap showed that you
can see all the connections on the subnet from within the firewall.  Since
keeping the webserver up is the lab director's primary goal he doesn't want
me to attempt to reflash the firmware unless it's absolutely necessary or if
the firewall's been compromised.  So I guess my question is:  is someone
tunneling a connection from our firewall to off-campus over ARP or has the
firewall just gone a bit nutty?






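An added example, not part of either message above: one way to measure the per-sender ARP request rate from a capture like the one described in the original question. It assumes text output from `tcpdump -tt -n arp`; the function names, addresses and timestamps are constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Assumed input: text lines from `tcpdump -tt -n arp` (epoch timestamps).
ARP_REQ = re.compile(
    r"^(?P<sec>\d+)\.(?P<usec>\d{6}) ARP, Request who-has (?P<target>\S+)"
    r"(?: \([^)]*\))? tell (?P<sender>[^,\s]+)"
)

def find_arp_floods(lines, threshold=10, window_us=1_000_000):
    """Return {(sender, target): peak request count in any window} for
    pairs whose peak reaches `threshold` requests per window."""
    recent = defaultdict(deque)  # (sender, target) -> timestamps still in window
    peak = defaultdict(int)
    for line in lines:
        m = ARP_REQ.match(line.strip())
        if not m:
            continue  # ARP replies, other protocols, truncated lines
        ts = int(m["sec"]) * 1_000_000 + int(m["usec"])  # integer microseconds
        key = (m["sender"], m["target"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] >= window_us:  # expire requests older than the window
            q.popleft()
        peak[key] = max(peak[key], len(q))
    return {k: n for k, n in peak.items() if n >= threshold}

def make_sample():
    """Constructed capture: one host repeats the same who-has every 50 ms,
    another asks once per second, and the gateway sends one reply."""
    base = 1130371200
    fmt = "{}.{:06d} ARP, Request who-has 192.0.2.1 tell {}, length 46"
    lines = [fmt.format(base + i // 20, (i % 20) * 50_000, "192.0.2.50")
             for i in range(40)]
    lines += [fmt.format(base + i, 0, "192.0.2.77") for i in range(2)]
    lines.append(f"{base}.500000 ARP, Reply 192.0.2.1 is-at 00:00:5e:00:53:01, length 46")
    return lines

if __name__ == "__main__":
    for (sender, target), n in find_arp_floods(make_sample()).items():
        print(f"{sender} sent up to {n} who-has {target} requests per second")
```

Keying on the (sender, target) pair separates a single device repeating one query from ordinary background ARP on a busy subnet.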

