
Need guidance to verify my firewall rules are ok? Had intruder?

I've been using Sophos UTM for 2 years now, but in the last few weeks I've detected an intruder on our LAN; the AV isn't picking anything up, but AlienVault is.

Can someone check my rules?

I have IPS & ATP set up too, for just the Internal network.

Where is my hole?



  • The intruder doesn't have to use the front door.

    Tell us more about the intruder ... so we may help you with more detailed hints.

    Possibly your NAT rule allows access to LAN resources from the internet, but I think you have restricted the group to known users ...

    You may get malware/trojan software while surfing the web (the HTTP(S) proxy, with AV active on HTTPS too, can reduce the risk).

    You may get the malware from mail or a USB stick. This software initiates a connection to an internet-based host, and the firewall can't do much about it.

    You need not have a hole within the firewall.



    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • I didn't think Sophos UTM was the issue, to be honest. I have FW, NAT, WF, WAF, IPS & ATP all set up for all services.

    One quick question: if I have a subnet on the LAN which isn't the same subnet as the Internal interface on Sophos, is just adding the host's network, as I have, right? You can see what I mean from my shots. It's the Avaya hosts/network. Or do I need to set up an additional address for it on the interface?

    Thanks

    I found lots of Local Security Policy changes and some account modifications that were suspect. After setting up AlienVault it found hosts I don't recognise, but I can't see how they're running if they're not on any machines?

    We have Endpoint Security and Malware applications on everything and all the VMs and machines come up clean.

    Anyway, back to pulling everything apart.

  • If you wish to connect a second subnet to a UTM interface, you need an additional address within this subnet.

    ... or a router within your LAN.

    If you see unknown hosts and you get an IP address, resolve the assigned MAC address (ping the host and use ARP -a).

    Now you can check at the switches where this host is connected. Also check the device type via the vendor ID at https://macvendors.com/.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • Do you have wireless?

    Have you confirmed the intruder is not a printer/switch/AP/scanner or some other network device that may be on someone's desk?

    Regards,
    Bohdan

  • "I have IPS & ATP set up too, for just the Internal network."

    Please show pics of these configs, John.

    "After setting up AlienVault it found hosts I don't recognise, but I can't see how they're running if they're not on any machines?"

    Please show an example or two.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA