Use this forum to post questions relating to WinGate, feature requests, technical or configuration problems

Firewall intrusion

Jan 22 04 5:25 am

We're using the latest Wingate 5.2.2, and we have ENS enabled, all the standard firewall settings, etc. I just noticed that an outsider has been able to get thru our Wingate firewall, and we now have someone named Al listed on our internal network with a valid 192.168.0.x address. So I've blackholed that address. Any ideas on what to check for to try to ensure this doesn't happen again? Thx.

/Bill

Jan 22 04 9:40 am

Is there anything in the firewall log to suggest how this may have happened? By Al I take it you mean a machine named that? Do you have any special settings for your firewall or is it just set to plain Medium? You should maybe check your network for trojans?

A good tool to use to monitor networks and analyse patterns of traffic and network behaviour is NetPatrol, which is available from here:

http://www.wingate.com/product-netpatrol.php

Regards

Neil

Jan 22 04 9:46 am

You can also try www.grc.com; their feature ShieldsUP! runs a series of tests against your gateway (Wingate machine) to identify open ports and potential dangers.

Jan 22 04 9:55 am

As Neil rightly pointed out, NetPatrol allows you to follow your network traffic patterns and identify potential break-ins or service disruption attempts.

Jan 22 04 3:50 pm

How are you connected to your ISP? Is your network interface that is connected to the Internet marked as external and untrusted in the interface settings under Options:Advanced:Network Interfaces?

Also, where do you see this machine name - in GateKeeper's network tab, or in Network Neighbourhood in one of your LAN machines?

Adrien

Jan 23 04 8:08 am

Thanks adrien, genie and neil for your informative replies.

I did do a test via grc.com, and found a block of ports that were mistakenly open; hopefully, closing them will prevent further problems.

Re adrien's questions:
--Our network interface is set up properly as untrusted.
--The machine names show up in Gatekeeper's network tab, NOT in Network Neighborhood.

/Bill