Odd Traffic

Odd Traffic - 18.Oct.2003 9:06:00 PM   
beanz

 

Posts: 148
Joined: 30.Jul.2001
Status: offline
Hey all,

I'm having a problem creating a trust relationship between two NT domains, so I decided to take a look in the firewall/IP logs (the domains are joined across an ISA-based VPN).

In the IP log I found there were a dozen or so entries every second for traffic to and from the external IP of each ISA server on port 45 and port 47.

Does anyone know what these ports are used for or what the traffic could be?

Cheers,
Danny
Post #: 1
RE: Odd Traffic - 19.Oct.2003 3:10:00 PM   
beanz

 

Posts: 148
Joined: 30.Jul.2001
Status: offline
Think I posted this in the wrong forum, sorry! Is there any way to move it??

Danny

(in reply to beanz)
Post #: 2
RE: Odd Traffic - 19.Oct.2003 8:44:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Danny,

check out http://www.networksorcery.com/enp/protocol/ip/ports00000.htm .

HTH,
Stefaan

(in reply to beanz)
Post #: 3
RE: Odd Traffic - 19.Oct.2003 9:13:00 PM   
beanz

 

Posts: 148
Joined: 30.Jul.2001
Status: offline
Thanks for the link.

What are the NI FTP (port 47) and Internet Message Protocol (port 45) for? Is it right that traffic is generated a dozen or so times a second all day every day??

Danny

(in reply to beanz)
Post #: 4
RE: Odd Traffic - 19.Oct.2003 10:05:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Danny,

I don't know these two protocols, but are you sure you have seen TCP/UDP port numbers and not IP protocol numbers?

Please post an excerpt of the IP log. Just make sure you have enabled the logging of all fields and you have set the log format to ISA format.

HTH,
Stefaan

(in reply to beanz)
Post #: 5
RE: Odd Traffic - 19.Oct.2003 11:11:00 PM   
beanz

 

Posts: 148
Joined: 30.Jul.2001
Status: offline
Thanks for taking the time to look into this for me!

I'll be able to post a "cutting" of the log when I get in work tomorrow.

Danny

(in reply to beanz)
Post #: 6
RE: Odd Traffic - 20.Oct.2003 9:53:00 AM   
beanz

 

Posts: 148
Joined: 30.Jul.2001
Status: offline
Below is a couple of lines from the IP Logs. As mentioned earlier, these lines appear a dozen or so times a second all day every day.

2003-10-20 00:00:00 xxx.xxx.xxx.1 xxx.xxx.xxx.2 47 - - - ALLOWED xxx.xxx.xxx.1 45 00 00 20 6f d9 00 00 80 2f 00 00 d9 9e 70 82 d9 9e 04 8e 20 81 88 0b 00 00 c3 e7 00 00 ce 8b
2003-10-20 00:00:00 xxx.xxx.xxx.2 xxx.xxx.xxx.1 47 - - - ALLOWED xxx.xxx.xxx.2 45 00 00 68 1c 5b 00 00 79 2f d2 8a d9 9e 2e c2 d9 9e 70 82 30 01 88 0b 00 48 02 00 00 00 38 96 fd f8 70 ec 9d 0e 35 0a

The xxx.xxx.xxx.xxx denotes the external IPs on each ISA.

Cheers,
Danny

(in reply to beanz)
Post #: 7
RE: Odd Traffic - 20.Oct.2003 7:55:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Danny,

aha... just what I thought! [Big Grin]

The number '47' is listed under the Protocol field. IP protocol 47 is the GRE protocol used in a PPTP VPN connection.

Where did you see the number '45'? If you mean '45 00 00 20 6f ....' in the log then it is listed under the Header field and contains the IP Header of the packet.

HTH,
Stefaan

(in reply to beanz)
Post #: 8
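
Added example (not part of the original thread, and not ISA Server code): decoding the two log lines from post #7 shows where '47' and '45' come from. The field layout is an assumption inferred from those sample lines, and the names `decode_line` and `LOG_LINES` are made up for this illustration.

```python
import struct

# The two IP log lines quoted in post #7, copied as posted (address columns masked).
LOG_LINES = [
    "2003-10-20 00:00:00 xxx.xxx.xxx.1 xxx.xxx.xxx.2 47 - - - ALLOWED xxx.xxx.xxx.1 "
    "45 00 00 20 6f d9 00 00 80 2f 00 00 d9 9e 70 82 d9 9e 04 8e "
    "20 81 88 0b 00 00 c3 e7 00 00 ce 8b",
    "2003-10-20 00:00:00 xxx.xxx.xxx.2 xxx.xxx.xxx.1 47 - - - ALLOWED xxx.xxx.xxx.2 "
    "45 00 00 68 1c 5b 00 00 79 2f d2 8a d9 9e 2e c2 d9 9e 70 82 "
    "30 01 88 0b 00 48 02 00 00 00 38 96 fd f8 70 ec 9d 0e 35 0a",
]

IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE"}


def decode_line(line):
    """Split one log line and decode the captured IPv4 header and GRE header."""
    fields = line.split()
    # Assumed layout, inferred from the sample: date time src dst protocol
    # param1 param2 flags action interface, then the captured bytes in hex.
    logged_proto = int(fields[4])
    raw = bytes.fromhex("".join(fields[10:]))
    if len(raw) < 20:
        raise ValueError("fewer than 20 header bytes captured")

    version, ihl = raw[0] >> 4, (raw[0] & 0x0F) * 4
    total_len, ttl, proto = struct.unpack("!H", raw[2:4])[0], raw[8], raw[9]
    result = {
        "logged_protocol": logged_proto, "ip_version": version,
        "ip_header_len": ihl, "ip_total_len": total_len, "ttl": ttl,
        "ip_protocol": proto, "protocol_name": IP_PROTOCOLS.get(proto, "other"),
    }

    gre = raw[ihl:ihl + 8]
    if proto == 47 and len(gre) == 8:
        flags, ptype, payload_len, call_id = struct.unpack("!HHHH", gre)
        result.update({
            "gre_version": flags & 0x7,           # 1 = enhanced GRE used by PPTP
            "gre_has_seq": bool(flags & 0x1000),  # S bit: packet carries payload
            "gre_has_ack": bool(flags & 0x0080),  # A bit: acknowledgment present
            "gre_protocol_type": hex(ptype),      # 0x880b = PPP
            "gre_payload_len": payload_len, "gre_call_id": call_id,
        })
    return result


if __name__ == "__main__":
    for entry in LOG_LINES:
        print(decode_line(entry))
```

The leading byte 0x45 is IPv4 version 4 with a 5-word (20-byte) header, and byte 9 of the header (0x2f) is protocol 47, matching the Protocol column. The captured header also carries the source and destination addresses in bytes 12 to 19, so masking only the address columns does not redact a log line like this.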
RE: Odd Traffic - 21.Oct.2003 11:06:00 AM   
beanz

 

Posts: 148
Joined: 30.Jul.2001
Status: offline
So it's nothing to worry about then!??

What does the GRE protocol do?

Danny

(in reply to beanz)
Post #: 9
RE: Odd Traffic - 21.Oct.2003 4:23:00 PM   
beanz

 

Posts: 148
Joined: 30.Jul.2001
Status: offline
Also,

A little off topic, but do the Blaster/Sobig blocking scripts block any internal traffic across the VPN?

I'd like to run them and get the filters/rules/protocols etc setup but am a little worried about the implications.

Danny

(in reply to beanz)
Post #: 10
RE: Odd Traffic - 21.Oct.2003 9:52:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Danny,

the PPTP VPN protocol uses TCP port 1723 for the control connection and IP protocol 47 (GRE) for the tunnel. Because you seem to run a gateway-to-gateway VPN scenario, that traffic must be considered normal! [Cool]

Traffic inside the VPN tunnel is NEVER inspected by ISA server because that traffic is considered trusted. However, if you don't trust that traffic you should not allow that VPN tunnel in the first place! [Big Grin]

HTH,
Stefaan

(in reply to beanz)
Post #: 11
RE: Odd Traffic - 22.Oct.2003 12:33:00 AM   
beanz

 

Posts: 148
Joined: 30.Jul.2001
Status: offline
Hey Stefaan,

Thanks for the info. Think I need to do some reading up on protocols etc!

RE the blaster/sobig scripts, while the traffic passing through/across the VPN tunnel is trusted is it worth running the scripts to prevent inbound traffic or does ISA block this by default?

Danny

(in reply to beanz)
Post #: 12
RE: Odd Traffic - 22.Oct.2003 9:38:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Danny,

do you mean the scripts available on isatools.org? If that's the case, two of them create just a deny protocol rule so the virus won't propagate to the external world. The other two are for scanning internal hosts.

If you have a good policy, meaning you only allow what is strictly necessary, they will not enhance your policy. Of course, if you have an open protocol rule (all IP traffic), then they will block the protocols used in the propagation of the viruses.

HTH,
Stefaan

(in reply to beanz)
Post #: 13
