Sonicwall - Need to block outbound access

We had a security issue with our vendor and had to terminate services/access immediately. I'm an IT project manager and not a network guy so I understand the basics, but I'm just coming up to speed on the "detailed" configurations.

They use a combination of VNC and Kaseya to maintain a connection to their remote central server since we have all inbound traffic blocked. It looks like port 5721 and 5722 are carrying the traffic.

How can I block the destination IP address, Kaseya, and VNC? Assuming that is the best way to isolate our system from their access.

THANK YOU!!!  
Asked by: jjeffcoat

thompsonwireless Commented:
Not knowing which Sonicwall or firmware you're using it's difficult to give you detailed instruction.  If you can use the Wizard (if that's an option) you want to deny access from that particular IP address to any LAN/WAN interface.  It's a basic rule for the most part.  Once you look around to see how access is allowed, you can see that denying access is a similar process.

This link may help you.
http://help.mysonicwall.com/sw/eng/701/ui2/13100/Firewall/Add_Rule.htm
 
Cas Krist Commented:
Depends on the firmware you are using, SonicOS Enhanced or SonicOS Standard. You can find that on the System - Status page.
It is possible to block outbound traffic from the LAN Primary subnet using the Kaseya service (port 5721).
When running SonicOS Enhanced you can create a deny rule (LAN to WAN). First you have to create a service in 'Firewall - Service', with the name Kaseya, port 5721 TCP. Then you can create the deny rule. See picture, only replace the SMTP service with the newly created Kaseya service.
deny-rule.png
 
Cas Krist Commented:
When you block the outbound Kaseya traffic, you should be fine. Probably they use VNC in combination with Kaseya (Kaseya can run VNC for remote support, and VNC uses the Kaseya port). You can also remove the Kaseya client from your PCs and servers.
(We also use Kaseya for supporting our customers; the client can be removed if you wish.)
 
jjeffcoat (Author) Commented:
That is exactly what they are doing. So, I'm heading out this morning to uninstall the VNC clients as well. Thanks for the detailed screenshot. I'm an IT project manager/process improvement manager normally, but recently changed jobs and was forced (kicking and screaming) into supporting our small network. I should have paid more attention to my technical gurus when I had them!!!
 
Cas Krist Commented:
Be sure to remove all the Kaseya clients, because your former service provider only needs one active client to install them on all your machines again. Best is to block the outgoing traffic 5721.
I don't think it is necessary to uninstall VNC, because it cannot be accessed when the Kaseya client is gone. On the other hand, there is no need for it.
Good luck!
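One way to check the point above, that a single remaining agent is enough, is to look for hosts still reaching out on the ports named in the question. This is an added example, not part of the thread: it parses Windows `netstat -ano` captures per host, and the host names, addresses and PIDs in the sample are constructed; collecting the captures is assumed to happen separately.

```python
import re

# Ports the thread identifies as carrying the vendor's Kaseya/VNC traffic.
AGENT_PORTS = {5721, 5722}

# One TCP row of Windows `netstat -ano`: proto, local, remote, state, PID.
ROW = re.compile(r"^\s*TCP\s+\S+:\d+\s+(\S+):(\d+)\s+([A-Z_0-9]+)\s+(\d+)\s*$")

def find_agent_connections(netstat_text):
    """Return (remote endpoint, TCP state, PID) for rows whose remote port is an agent port."""
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m and int(m.group(2)) in AGENT_PORTS:
            hits.append((f"{m.group(1)}:{m.group(2)}", m.group(3), int(m.group(4))))
    return hits

def classify(hits):
    """CLEAN: no attempts seen. BLOCKED_AGENT_PRESENT: only unanswered SYNs,
    so a client is still installed. CONNECTED: the handshake completed, so the
    deny rule is missing or not matching."""
    if not hits:
        return "CLEAN"
    if all(state == "SYN_SENT" for _, state, _ in hits):
        return "BLOCKED_AGENT_PRESENT"
    return "CONNECTED"

def audit(captures):
    """Map each host name to its classification."""
    return {host: classify(find_agent_connections(text)) for host, text in captures.items()}

# Constructed sample captures (host names, addresses and PIDs are invented).
SAMPLE = {
    "OFFICE-PC1": """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.1.21:49301     192.168.1.2:445        ESTABLISHED     4
""",
    "SHOP-PC3": """
  TCP    192.168.1.40:49712     203.0.113.10:5721      SYN_SENT        2044
""",
    "SERVER1": """
  TCP    192.168.1.2:50011      203.0.113.10:5721      ESTABLISHED     1780
  TCP    192.168.1.2:50012      203.0.113.10:5722      SYN_SENT        1780
""",
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(f"{host}: {verdict}")
```

A snapshot only catches attempts that are in flight at that moment, so a CLEAN result from one capture is weaker evidence than repeated captures or the firewall's own log of denied LAN-to-WAN traffic.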
 
jjeffcoat (Author) Commented:
Thanks for the follow-up. I removed the clients on our office workstations and disabled the services on our shop floor PCs to avoid a chance of taking down one of our production lines. It's a shame that I had to take such strong actions against the consulting group, but the more I asked the less information they provided. No network diagrams, company-specific configuration sheets, group policy changes... etc. I came from a 40 billion dollar company so I thought maybe I was expecting too much. They fumbled around when I asked them to export the group policies for my review... anyway... I have to go set up backups for my Hyper-V and SBS 2008 configuration... ANOTHER MESS!

Thanks one more time for the follow-up and advice!