Solved

Sonicwall tz100 (hacked?): default rule any any allow

Posted on 2014-02-10
6
707 Views
Last Modified: 2014-02-11
Hi,

I have a device on my network that was compromised. Couldn t logon to it, no ssh nothing.
Now, I try to limit accesses on my sonicwall.

I see a rule from any to any allow. That is not a default rule right? This would mean also my sonicwall user and pass are known.

Please advise.
J.
0
Comment
Question by:janhoedt
  • 4
  • 2
6 Comments
 
LVL 25

Expert Comment

by:Diverse IT
ID: 39848529
Hi janhoedt,

It depends, by default Zones are set to Deny. Which Zones are they for?

The attacker would only know which users of the machine compromised and even then only if they have setup a sniffer or keylogger - just because they have been compro9mised doesn't necessarily point to any particular threat but rather that vulnerabilities have been exploited. Therefore, unless you are using SSO or have aligned the user's credentials with the ones in the SonicWALL. Even then someone would have to know not only their way around a SonicWALL but know that a user account has been setup there as well. Furthermore, unless they have admin access it they will not be able to change any settings within the SonicWALL but they will have access to whatever that user has access to inside the network. Change user credentials on the SonicWALL immediately for that user.

Let me know if you have any other questions!
0
 

Author Comment

by:janhoedt
ID: 39849482
Thanks.

The access rule is the following (system made access rule, I've set it on deny now):

 46      LAN      >      WAN      11      Any      Any      Any      Allow All      None                    Enabled        Edit this entry A service depends on this rule
0
 
LVL 25

Accepted Solution

by:
Diverse IT earned 500 total points
ID: 39849710
Awe, OK in this case LAN > WAN is completely normal to have it as Allow Any Any All. Unless you are filtering outbound traffic for PCI or some other compliance/security reason, the default for LAN > WAN is Allow and should be otherwise nothing will go outbound (no email, can't browse web, etc.).

Make sense?
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 

Author Comment

by:janhoedt
ID: 39849894
I'd like to explicitely allow or disallow so have put it on dissalow.
0
 
LVL 25

Expert Comment

by:Diverse IT
ID: 39849906
Then you need to have the LAN > WAN Deny rule as the last rule in priority. Then explicitly allow each service above it in priority.

Any other questions?
0
 
LVL 25

Expert Comment

by:Diverse IT
ID: 39849956
Glad I could help...thanks for the points!
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
I've been an avid user and supporter of Malwarebytes Premium Version 2.x for years. It's an excellent product that runs alongside just about any Anti-Virus application without issues. It seems to have an uncanny ability to pick up many things that A…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question