Solved

Firewall Log

Posted on 2010-01-04
Last Modified: 2012-05-08
I just installed a new Cisco RV042 Firewall and it has been working great.  However, today I looked at the security logs and I found a lot more in there than I thought there would be.  Can you tell me if there is anything that is dangerous?  Also, I noticed a lot on ports 137 & 138, which I have read is NetBIOS.  Should I be blocking these ports internally or should I just go around to all my desktops and servers and turn off NetBIOS?  This log is only from the last few minutes.  Thanks.
Log.txt
Question by:rlindbeck
18 Comments
 
LVL 27

Expert Comment

by:davorin
ID: 26172969
What you have there are NetBIOS broadcasts to 192.168.200.255 (whole LAN) - if you have a network of MS computers you need that for file sharing, printing, etc.
Most important is that these ports are blocked from/to the internet.
0
 

Author Comment

by:rlindbeck
ID: 26172987
So should I allow ports 137 and 138 on the LAN?
0
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 26172991
It is normal to block any of the NetBIOS-related ports from going to the outside.
That is basically what the log is showing.
0
 

Author Comment

by:rlindbeck
ID: 26173017
So I should allow the LAN to send port 137 & 138 at all LAN addresses?  Or should I just open all ports on the LAN to the LAN?  Thanks.

Ryan
0
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 26173018
It is also dropping multicasts that are for local use which is also normal.
0
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 26173050
Yes, in a Windows networking environment Microsoft uses it heavily so you will see a lot of it on your internal LANs.
0
 

Author Comment

by:rlindbeck
ID: 26173052
So what the firewall is blocking is normal and I should make no changes?
0
 

Author Comment

by:rlindbeck
ID: 26173082
OK, so is it common practice to have no blocking on the LAN to the LAN?  I should just open all ports within the LAN to the LAN but not the internet?
0
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 26173102
Inside is normally pretty much wide open unless you have a specific reason to block something.
0
 
LVL 27

Expert Comment

by:davorin
ID: 26173329
Yes, you do not need to do anything if you have only one LAN. A broadcast is sent to all clients in the LAN - also to your router. Whether you choose to deny, drop or allow those packets on your router is mostly the same for your clients.
0
 
LVL 27

Expert Comment

by:davorin
ID: 26173340
How many different subnets do you have?
0
 

Author Comment

by:rlindbeck
ID: 26174939
None.  We only have one.  There is one public wifi router.
0
 

Author Comment

by:rlindbeck
ID: 26174996
Doesn't it look like the router is blocking internal traffic?
0
 
LVL 27

Expert Comment

by:davorin
ID: 26175547
No, it does not. For internal traffic it does not matter if the router is there or not.
This is because the router routes only between different networks (e.g. internet and LAN).
192.168.200.255 is the network broadcast address - it actually means that the packet is sent to all network addresses - from 192.168.200.1 to 192.168.200.254 (if the subnet mask is 255.255.255.0). One of them is also the router's address. That is why it is logged in the router's log.
Traffic between clients in the same network is direct - client to client.
0
 

Author Comment

by:rlindbeck
ID: 26175597
OK, so from my log would you say everything looks ok?  Thanks.

Ryan
0
 
LVL 27

Expert Comment

by:davorin
ID: 26176146
Yes, it looks so.
Just out of curiosity - is this traffic on the external port of your router?
UDP 76.79.9.204:137->76.79.9.207:137
0
 

Author Comment

by:rlindbeck
ID: 26176404
76.79.9.204 is an IP address for our webserver which is not even plugged into this router and the 76.79.9.207 is unknown to me.  What do you think is happening there?  Thanks.
0
 
LVL 27

Accepted Solution

by:
davorin earned 2000 total points
ID: 26178277
Everything is fine. It is an external IP address. I suppose you have a range of fixed IP addresses from 200 to 207 from run runner ISP. The web server maybe is not directly connected to the router, but it is indirectly, over some switch or something, for sure. If you do not use some firewall to block ports to your web server (recommended), it would be nice to block them at least at the web server firewall. Leave open only the ports you really need to be published (80, 443,...).
You can test which ports are open to the internet with ShieldsUP: http://www.grc.com/intro.htm
0
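The triage the answers above walk through (LAN broadcast, local multicast, NetBIOS between public addresses) can be automated. This is an added example, not part of the original thread: it assumes the LAN is 192.168.200.0/24 and that each log entry contains a flow written as in the line quoted above (`UDP src:port->dst:port`); every sample line except that quoted one is constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumption: LAN subnet implied by the broadcast address and mask in the thread.
LAN = ipaddress.ip_network("192.168.200.0/24")
NETBIOS_PORTS = {137, 138, 139}
LIMITED_BCAST = ipaddress.ip_address("255.255.255.255")
# Flow notation as quoted in the thread: "UDP 76.79.9.204:137->76.79.9.207:137"
FLOW_RE = re.compile(
    r"(TCP|UDP)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s*->\s*(\d+\.\d+\.\d+\.\d+):(\d+)")

def classify(line, lan=LAN):
    """Return a triage label for one logged flow, or None if it cannot be parsed."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m.group(2))
        dst = ipaddress.ip_address(m.group(4))
    except ValueError:          # e.g. an octet above 255
        return None
    netbios = int(m.group(5)) in NETBIOS_PORTS
    if dst.is_multicast:
        return "local-multicast"            # expected noise on a single LAN
    if dst in (lan.broadcast_address, LIMITED_BCAST):
        # Every host on the subnet, the router included, receives these.
        return "lan-broadcast-netbios" if netbios and src in lan else "lan-broadcast"
    if netbios and not (src.is_private and dst.is_private):
        return "netbios-on-public-address"  # worth filtering at the edge
    if src in lan and dst in lan:
        return "lan-unicast"
    return "other"

SAMPLE = [  # constructed lines, except the flow quoted in the thread
    "UDP 192.168.200.23:137->192.168.200.255:137",
    "UDP 192.168.200.23:138->192.168.200.255:138",
    "UDP 192.168.200.40:5353->224.0.0.251:5353",
    "UDP 76.79.9.204:137->76.79.9.207:137",
    "connection dropped, no flow recorded",
]

def summarize(lines):
    """Count log lines per triage label; unparseable lines are kept visible."""
    return Counter(classify(line) or "unparsed" for line in lines)

if __name__ == "__main__":
    for label, count in summarize(SAMPLE).most_common():
        print(f"{count:3d}  {label}")
```
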
