This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Concern about mysterious port 8472 traffic.

Hi all,

I make a habit of wondering through the UTM reports looking for trouble.
I came upon something that has me seriously alarmed.
Under LOGGING & REPORTING \ Network Usage I query on "Top Services"
The first two are HTTP and HTTPS of course.
#3 is the focus.  It says 8472.
This page explains https://tcp-udp-ports.com/port-8472.htm this is the port that VMWare uses for High Availability and Fault Tolerance between VSphere virtual machines.  Those of us who regularly get general security news know that VMWare has it's kimono wide open to the world of hackers.  It's not clear to me if there is any way to secure a VMWare environment. 

I myself, pulled out all my VMWare infrastructure about a decade ago as I was thinking the company was not keeping up with the rise in security risks.

Since I don't have any of my own VMWare infrastructure, I was wondering if some other product I have is using it.
The only think I can think of is the Sophos UTM itself.
If this product is based on VMWare technology, I'm going to loose it.  Quite literally.  I'll replace the UTM the next day.

Backing up a bit: Can anyone help explains what this report means given I have no "known" VMWare technology in house?
Clicking around the reports a bit more, I found that all this traffic was coming from/to the UTM IP address.
So it seems the UTM is built on VMWare technology, this is probably a legacy decisioni from the original manufacturer, Astaros.  Astaros Security Linux was the product if memory serves me. With this in mind, I'm just wondering if there's someone out there with the technical chops to assess the security risks of this product.

Much thanks, in advance.

Warmest Regards.

Doug



This thread was automatically locked due to age.
Parents
  • One outstanding issue is the question:  Has the Sophos UTM been built on vulnerable VMWare technology.  I suppose it is possible.

  • No, UTM was built on top of Suse Linux with a mixture of opensource and closed source products and a nicely managed interface. 

    That is a lot of data, you may want to trace what devices within your network are generating this.  Just because Sophos APs use this, doesn't mean they are the only ones.

    ... though depending on how large your wifi network is, I guess the APs could generate this amount of logging and traffic type info to central in a month if you have those features enabled.  Maybe someone else can pipe in here.  I've never paid much attention to how much extra traffic the reporting and traffic info they used and what ports they went out on.

  • As I showed in the screenshots above, the reporting engine within the UTM shows zero endpoints for this traffic. I'm not terribly concerned about the amount of traffic.  I have a Samsung TV that streams Netflix, YouTube TV, and Max via wifi (thus the access point).
    Here is a report of the total traffic going to the tv since I wiped the UTM logs.

Reply
  • As I showed in the screenshots above, the reporting engine within the UTM shows zero endpoints for this traffic. I'm not terribly concerned about the amount of traffic.  I have a Samsung TV that streams Netflix, YouTube TV, and Max via wifi (thus the access point).
    Here is a report of the total traffic going to the tv since I wiped the UTM logs.

Children
No Data