Sonicwall - Need to block outbound access

We had a security issue with our vendor and had to terminate services/access immediately. I'm an IT project manager and not a network guy, so I understand the basics, but I'm just coming up to speed on the "detailed" configurations.

They use a combination of VNC and Kaseya to maintain a connection to their remote central server since we have all inbound traffic blocked. It looks like ports 5721 and 5722 are carrying the traffic.

How can I block the destination IP address, Kaseya, and VNC? Assuming that is the best way to isolate our system from their access.

THANK YOU!!!  
jjeffcoat asked:

thompsonwireless commented:
Not knowing which SonicWall or firmware you're using, it's difficult to give you detailed instructions. If you can use the Wizard (if that's an option), you want to deny access from that particular IP address to any LAN/WAN interface. It's a basic rule for the most part. Once you look around to see how access is allowed, you can see that denying access is a similar process.

This link may help you.
http://help.mysonicwall.com/sw/eng/701/ui2/13100/Firewall/Add_Rule.htm
Cas Krist commented:
Depends on the firmware you are using, SonicOS Enhanced or SonicOS Standard. You can find that on the System - Status page.
It is possible to block outbound traffic from the LAN Primary Subnet using the Kaseya service (port 5721).
When running SonicOS Enhanced you can create a deny rule (LAN to WAN). First you have to create a service in 'Firewall - Services', with the name Kaseya, port 5721 TCP. Then you can create the deny rule. See picture, only replace the SMTP service with the newly created Kaseya service.
deny-rule.png
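The two-step procedure above (define a Kaseya service object, then add a LAN-to-WAN deny rule for it) only works if the deny sits above the default LAN-to-WAN allow, because access rules are consulted top-down and the first match wins. The following is an added example, not SonicWall code or anything from this thread: a small first-match model of an ordered rule table that lets you check rule placement and protocol coverage on paper before touching the appliance. The zone names, the 192.168.1.0/24 LAN range, the 203.0.113.10 vendor address and the port range 5721-5722 are assumptions for illustration (the question mentions both ports; the answer configures 5721).

```python
"""First-match model of an ordered LAN->WAN access-rule table (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Service:
    name: str
    proto: str                      # "tcp", "udp" or "*" for any protocol
    ports: Tuple[Tuple[int, int], ...]  # inclusive (low, high) ranges

    def matches(self, proto: str, port: int) -> bool:
        if self.proto != "*" and proto != self.proto:
            return False
        return any(lo <= port <= hi for lo, hi in self.ports)


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src: str          # CIDR or "any"
    dst: str          # CIDR or "any"
    service: Service
    action: str       # "allow" or "deny"
    comment: str = ""


# Service objects as they would be defined under Firewall > Services.
ANY = Service("Any", "*", ((0, 65535),))
HTTP = Service("HTTP", "tcp", ((80, 80),))
# TCP only, as in the answer; 5722 added because the question saw it too.
KASEYA = Service("Kaseya", "tcp", ((5721, 5722),))

LAN_SUBNET = "192.168.1.0/24"        # assumed LAN Primary Subnet
VENDOR_IP = "203.0.113.10"           # constructed stand-in for the vendor server


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)


def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip, proto, port) -> Optional[Rule]:
    """Return the first rule matching the flow, or None (implicit deny)."""
    for r in rules:
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
            continue
        if not _addr_matches(r.src, src_ip) or not _addr_matches(r.dst, dst_ip):
            continue
        if not r.service.matches(proto, port):
            continue
        return r
    return None


def is_blocked(rules, src_ip, dst_ip, port, proto="tcp") -> bool:
    """True if a LAN->WAN flow is denied (explicitly or by falling off the table)."""
    hit = evaluate(rules, "LAN", "WAN", src_ip, dst_ip, proto, port)
    return hit is None or hit.action == "deny"


# Deny placed above the catch-all allow: the order the answer relies on.
GOOD_ORDER = [
    Rule("LAN", "WAN", LAN_SUBNET, "any", KASEYA, "deny", "Block Kaseya agent traffic"),
    Rule("LAN", "WAN", "any", "any", ANY, "allow", "Default LAN->WAN allow"),
]
# Same two rules with the deny appended below the allow: it never matches.
BAD_ORDER = [GOOD_ORDER[1], GOOD_ORDER[0]]


if __name__ == "__main__":
    for label, table in (("deny above allow", GOOD_ORDER), ("deny below allow", BAD_ORDER)):
        for port, proto in ((5721, "tcp"), (5722, "tcp"), (80, "tcp"), (5721, "udp")):
            state = "BLOCKED" if is_blocked(table, "192.168.1.20", VENDOR_IP, port, proto) else "allowed"
            print(f"{label:17} {proto}/{port:<5} -> {state}")
```

Two things the model makes visible: with the deny below the allow, the agent ports are still reachable, and because the service object is TCP-only, a UDP flow to the same port is not covered by the deny. Neither is a statement about what the Kaseya agent actually uses; it is a reminder to verify on the real device with its own logs after the change.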
Cas Krist commented:
When you block the outbound Kaseya traffic, you should be fine. Probably they use VNC in combination with Kaseya (Kaseya can run VNC for remote support, and VNC uses the Kaseya port). You can also remove the Kaseya client from your PCs and servers.
(we also use Kaseya for supporting our customers, the client can be removed if you wish)

jjeffcoat (author) commented:
That is exactly what they are doing. So, I'm heading out this morning to uninstall the VNC clients as well. Thanks for the detailed screenshot. I'm an IT project manager/process improvement manager normally, but recently changed jobs and was forced (kicking and screaming) into supporting our small network. I should have paid more attention to my technical gurus when I had them!!!
Cas Krist commented:
Be sure to remove all the Kaseya clients, because your former service provider only needs one active client to install them on all your machines again. Best is to block the outgoing traffic on 5721.
I don't think it is necessary to uninstall VNC, because it cannot be accessed when the Kaseya client is gone. On the other hand, there is no need for it.
Good luck!
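The point above, that one leftover agent is enough for the provider to get back in, means the firewall block also doubles as an inventory tool: once outbound 5721/5722 is denied, every host that still has the client installed keeps trying and shows up in the drop log. The script below is an added example, not from this thread or from SonicWall; it reads firewall log lines, lists the internal hosts still attempting to reach the agent ports, and separately flags any such connection that was allowed through, which would mean the deny rule is not matching for that host (wrong zone, wrong placement, or a different protocol). The log lines are constructed in a generic key=value syslog style; a real appliance's format differs, so the regular expression is the part to adapt.

```python
"""Find hosts still calling home on the agent ports after the outbound block (added example)."""
import re
from collections import Counter
from typing import Dict, Iterable, Iterator

# Constructed sample log; the field names are an assumption, not SonicWall's format.
SAMPLE_LOG = """\
2010-03-02T08:01:12 fw msg="Connection Dropped" src=192.168.1.20 dst=203.0.113.10 proto=tcp dport=5721 rule="Block Kaseya"
2010-03-02T08:01:14 fw msg="Connection Opened" src=192.168.1.20 dst=198.51.100.5 proto=tcp dport=443 rule="LAN->WAN allow"
2010-03-02T08:02:30 fw msg="Connection Dropped" src=192.168.1.77 dst=203.0.113.10 proto=tcp dport=5721 rule="Block Kaseya"
2010-03-02T08:02:31 fw msg="Connection Dropped" src=192.168.1.77 dst=203.0.113.10 proto=tcp dport=5722 rule="Block Kaseya"
2010-03-02T08:03:02 fw msg="Connection Opened" src=192.168.1.99 dst=203.0.113.10 proto=tcp dport=5721 rule="LAN->WAN allow"
this line is not a connection event and is skipped
"""

AGENT_PORTS = {5721, 5722}   # ports named in the question (TCP, per the answer)

LINE_RE = re.compile(
    r'msg="(?P<msg>[^"]+)".*?src=(?P<src>\S+).*?dst=(?P<dst>\S+)'
    r'.*?proto=(?P<proto>\w+).*?dport=(?P<dport>\d+)'
)


def parse(lines: Iterable[str]) -> Iterator[Dict[str, object]]:
    """Yield one dict per connection event; lines that do not match are ignored."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield {
                "msg": m["msg"],
                "src": m["src"],
                "dst": m["dst"],
                "proto": m["proto"],
                "dport": int(m["dport"]),
            }


def audit(log_text: str) -> Dict[str, object]:
    """Summarise agent-port activity per internal host.

    hosts_still_calling_home: hosts that tried the agent ports at all
                              (the client is probably still installed there).
    allowed_despite_block:    hosts whose agent-port connection was opened,
                              i.e. the deny rule did not match for them.
    """
    attempts: Counter = Counter()
    leaks = set()
    for ev in parse(log_text.splitlines()):
        if ev["proto"] != "tcp" or ev["dport"] not in AGENT_PORTS:
            continue
        attempts[ev["src"]] += 1
        if str(ev["msg"]).startswith("Connection Opened"):
            leaks.add(ev["src"])
    return {
        "hosts_still_calling_home": sorted(attempts),
        "attempts": dict(attempts),
        "allowed_despite_block": sorted(leaks),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for host in report["hosts_still_calling_home"]:
        flag = "  <-- NOT BLOCKED" if host in report["allowed_despite_block"] else ""
        print(f"{host:15} attempts={report['attempts'][host]}{flag}")
```

Run it against an export of the firewall log a day or two after the change; an empty host list means the client removal is complete, and an empty "allowed despite block" list means the deny rule is doing its job for every host that tried.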
jjeffcoat (author) commented:
Thanks for the follow-up. I removed the clients on our office workstations and disabled the services on our shop floor PCs to avoid a chance of taking down one of our production lines. It's a shame that I had to take such strong actions against the consulting group, but the more I asked the less information they provided. No network diagrams, company-specific configuration sheets, group policy changes... etc. I came from a 40 billion dollar company so I thought maybe I was expecting too much. They fumbled around when I asked them to export the group policies for my review... anyway... I have to go set up backups for my Hyper-V and SBS 2008 configuration... ANOTHER MESS!

Thanks one more time for the follow-up and advice!