Endpoint Protection

 View Only

  • 1.  advice on what is causing these errors?

    Posted Mar 11, 2009 12:35 PM

    SEP logs are reporting a number of errors or blockages over the last 2 days. It started just suddenly one evening, and AFAIK, no one was here to do anything at that time -

    The two servers involved are in each case, a dev SQL server, and a sharepoint server. It happens between these two, and another SP server connected to the development SQL server.  (also note that once again, the SEP logs don't resolve host names for the IP address just like in the other firewall logs, but that's another item!)

    Anyway, why are we seeing this thing in the last couple of days. Go back to last week and ANYthing prior, you don't see this but VERY rarely. Now it's regular.

    This is one example:

     

    Event Type: UDP datagram
    Event Time: 03/11/2009 08:52:55
    Domain Name: IVRS-SEP1
    Site Name: IVRS-SEP01
    Server Name: VRDSMSEP1
    Group Name: My Company\Servers
    Computer Name  
    Current: vrdxxsql2
    When event occurred: vrdxxsql2
     
    IP Address  
    Current: 111.222.990.48
    When event occurred: 111.222.990.48
     
    Severity: Minor
    Remote Host Name:  
    Remote Host IP: 123.223.190.49
    Network Protocol: UDP
    Local Port: 1434
    Remote Port: 3544
    Traffic Direction: Inbound
    Occurrence: 1
    Begin Time: 03/11/2009 08:52:44
    End Time: 03/11/2009 08:52:44
    Application Name: C:/Program Files/Microsoft SQL Server/90/Shared/sqlbrowser.exe
    Blocked: Blocked
    Rule Name: Block IPv6 over IPv4 (Teredo)
    Alert: 0
    Location Name: Default
    User Name: SQLSVC
    Domain Name: IVRS-SEP1

     

    Here is another:

     

    Event Type: UDP datagram
    Event Time: 03/11/2009 11:21:07
    Domain Name: IVRS-SEP1
    Site Name: IVRS-SEP01
    Server Name: VRDSMSEP1
    Group Name: My Company\Servers
    Computer Name  
    Current: vrdevbql2
    When event occurred: vrdevbql2
     
    IP Address  
    Current: 165.222.199.xx
    When event occurred: 165.222.199.xx
     
    Severity: Minor
    Remote Host Name:  
    Remote Host IP: 165.222.199.zz
    Network Protocol: UDP
    Local Port: 1434
    Remote Port: 3544
    Traffic Direction: Inbound
    Occurrence: 1
    Begin Time: 03/11/2009 11:20:01
    End Time: 03/11/2009 11:20:01
    Application Name:  
    Blocked: Blocked
    Rule Name: Block IPv6 over IPv4 (Teredo)
    Alert: 0
    Location Name: Default
    User Name:  
    Domain Name: IVRS-SEP1

     

    This is the addressing involved: (SPS is sharepoint, SQL is SQL)

    Name:    vrasdfsps3.dvrs.gov.state.ia.us
    Address:  111.222.190.49

    Name:    vrsdfs2.dvrs.gov.state.ia.us
    Address:  111.222.197.42

    Name:    vrdevghql2.dvrs.gov.state.ia.us
    Address:  111.222.197.48
     



  • 2.  RE: advice on what is causing these errors?

    Posted Mar 11, 2009 12:49 PM

    Shadows,

    Your router(s) and or you NIC(s) inside of your machine have IPv6 enabled?

    There is a large amount of information about how vulnerable IPv6 is and how it currently lacks security.  Due to this, by default, most Firewalls block IPv6 traffic.  I remember a few days ago, you were configuring FW rules. 

    The blocked protocol is UDP (so most likely router or switch broadcasts looking for IPv6 capable hosts).

    The blocking rule is encapsulated IPv6 packets broadcast over IPv4 layers. 

    * * * * * * *

    Verify your NIC(s) and turn off IPv6 -> Properties and Remove the check box for IPv6 or simply uninstall IPv6 protocols... 

     



  • 3.  RE: advice on what is causing these errors?

    Posted Mar 12, 2009 08:24 AM

    I just checked the NICs, no IPv6 on any of them.

    In fact, as far as I can tell, we don't have IP 6 on any server or desktop, nothing.

    One computer in the field that VPNs into us is CONSTANTLY sending these messages in the log. Now for the last serveral hours, a VISTA computer used by a network admin here has been filling the logs with 'em. He's gone, not using the computer, and no IP6 on it either...........

    Errors, or real?

     

    Thanks.



  • 4.  RE: advice on what is causing these errors?

    Posted Mar 12, 2009 09:46 AM

    "One computer in the field that VPNs into us is CONSTANTLY sending these messages in the log." 

    What do you mean by this? 

    The computer X has an ip address of 10.10.10.150 (DHCP from VPN connection) for example and connecting through a Router/VPN appliance at 10.10.10.165 and routes to your internal network.  From there, he accesses your file server at 10.10.10.250 and you see in your logs, 

    - Traffic being blocked from 10.10.10.150 (computer X) to 10.10.10.250 (file server).

    If this is the case, than one of a few possible things, first the VPN'ing machine has IPv6 broadcast (not likely).

    Second, the network that he is connecting (his ISP) is using IPv6 in their back end network to route over the "cloud"

    Third, your router/firewall/VPN appliance has IPv6 passthrough enabled.

    Fourth, your ISP is using some IPv6 for their backend and you have not been informed (not likely either).

    Just a few possible probabilities. 

    Most likely culprit is your router/firewall/VPN appliance, in my opinion.

    Symantec?  Paul?  Anyone have any insight on this?



  • 5.  RE: advice on what is causing these errors?

    Posted Mar 12, 2009 09:59 AM

    For that particular user, I see a lot of these - or ones very similar. Perhaps several dozen to nearly 100 a day. Recently started seeing it on an internal VISTA machine, too.  Note the remote host IP.........

    Now in THIS case, the fellow works at an office we have at a college. He rides the college network to get to the Internet and uses VPN software to get back here.

    PERHAPS in this case, it's the college??

    Event Type: Ethernet packet
    Event Time: 03/12/2009 08:47:02
    Domain Name: IVRS-SEP1
    Site Name: IVRS-SEP01
    Server Name: VRDSMSEP1
    Group Name: My Company\Client Computers\Desktop\VPN-clients
    Computer Name  
    Current: VR560260HS2H570
    When event occurred: VR560260HS2H570
     
    IP Address  
    Current: 10.252.160.22
    When event occurred: 0.0.0.0
     
    Severity: Minor
    Remote Host Name:  
    Remote Host IP: 0.0.0.0
    Network Protocol: Other
    Local Port: 34525
    Remote Port: 0
    Traffic Direction: Inbound
    Occurrence: 1
    Begin Time: 03/12/2009 08:46:51
    End Time: 03/12/2009 08:46:51
    Application Name:  
    Blocked: Blocked
    Rule Name: Block IPv6
    Alert: 0
    Location Name: Default
    User Name: John.Hughes
    Domain Name: IVRS-SEP1



  • 6.  RE: advice on what is causing these errors?

    Posted Mar 12, 2009 10:24 AM

    Do you have any staff on site at the remote office, that can tell you what model the router/firewall is on the other end, or better that can get into it and tell you if IPv6 is enabled by default on the device?

    When the Vista machine connects to your network, can you verify with or without the user if IPv6 is enabled on his machine?

    "By now, you have probably heard that Windows Vista features a dual stack, which allows it to run IPv4 and IPv6 simultaneously. Although Vista isn't the first Windows operating system to support IPv6 (I think Windows 2000 may have been the first), it is the first Windows OS to have IPv6 enabled by default."

    Extract from: http://searchenterprisewan.techtarget.com/tip/0,289483,sid200_gci1348329,00.html

     



  • 7.  RE: advice on what is causing these errors?

    Posted Mar 12, 2009 10:40 AM

    We only have 3 VISTA computers in our agency, they are all used by IT staff.

    I found IPv6 on mine, unchecked it. Will look into doing that on the others, and check all servers as well, just in case.

    Because of many other things I see coming from that machine that sits at our college office, I'm thinking of asking them to take a look at their firewall. There are days I get nearly 200 messages about addresses being blocked for 600 seconds because of this or that - more than any other computer, actually more than all 300 combined!