Random IP requesting and making successful connections ... should only have host and private vpn IP's requesting connections.
ISA Server 2006
Users connect through VPN and get assigned a 10.10.10.x IP address.
Looking through the logs, under "C_IP" (IP of requesting client) I see some IP addresses of the host (for updates and such, makes sense) and some private IP addresses of clients connecting through the VPN (10.10.10.x) but then I also see some random IP addresses. WHAT ARE THESE??
A whois does not give me much information at all... It shows they are using HTTP to access websites... and they are being provided the service by my host IP address.
No one else should be connecting other than the host connections and the vpn users with the private IPs, so where are these coming from????
THANKS.
All Replies
- You didn't include the log entries of interest, so it's impossible for anyone to say what they may be.
The fact is; there are lots of folks out there scanning the Intertubes looking for vulnerable hosts.
If you've deployed your ISA and created the policies using best practices, you should have nothing to fear.
A properly-configured ISA has never been exploited.
Have a read in http://technet.microsoft.com/en-us/library/cc302539.aspx for a start...
Yes; I know it's for ISA 2004, but the rules engine is essentially the same for ISA 2006 in this regard.
Jim Harrison Forefront Edge CS
- Marked As Answer by Nick Gu - MSFT, Moderator, Friday, August 21, 2009 9:29 AM
- Proposed As Answer by Jim Harrison IsaDewd, Friday, August 14, 2009 6:39 PM
- The log entries are from the WEB logs. I can not include the logs due to the nature of the server. I was just wondering if there was some other known connections that these might obviously be.
Even placing security aside, I really would just like to know where these connections could be coming from. I am trying to analyze these logs and find out who is connecting. Like I said, I don't see a reason for any other connections listed besides the ones from the host itself (for updates and such) and from private IP vpn connections of clients. I was wondering if anyone knew of any other connections that could be a possible culprit for these random IP addresses making connections through the server.
- When any firewall faces the Internet, it is subject to receipt of all manner of connections and attacks.
Since the IPs are apparently random, it's likely that this is what you're seeing in the logs.
Unless the logs indicate that these connections or requests are allowed, they're generally just background noise. If you're interested in performing some forensics, they can be reviewed for patterns in the IP addresses, ports or request data.
Since you can't share the logs, no one can offer specific advice about the connections or requests.
Jim Harrison Forefront Edge CS
- Marked As Answer by Nick Gu - MSFT, Moderator, Friday, August 21, 2009 9:29 AM
- Proposed As Answer by Jim Harrison IsaDewd, Friday, August 14, 2009 6:37 PM
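
The review suggested in the answer above (were the requests from unexpected clients allowed, and what patterns do their addresses and ports show), as an added example that is not part of the original thread. It assumes a tab-separated W3C extended log with a `#Fields:` header; the field names (`c-ip`, `r-port`, `rule`, `action`), the action values, the host address and every log line are constructed assumptions, and only the 10.10.10.x VPN pool comes from the question.

```python
import ipaddress
from collections import Counter, defaultdict

VPN_POOL = ipaddress.ip_network("10.10.10.0/24")   # VPN pool from the question
HOST_IPS = {ipaddress.ip_address("192.0.2.10")}    # placeholder for the ISA host

# Constructed sample log (documentation-range addresses, assumed field names).
SAMPLE_LOG = "\n".join([
    "#Fields: c-ip\tdate\ttime\tr-port\tcs-uri\tsc-status\trule\taction",
    "10.10.10.23\t2009-08-14\t09:01:12\t80\thttp://example.com/\t200\tVPN Web Access\tAllowed",
    "192.0.2.10\t2009-08-14\t09:02:40\t80\thttp://update.example.net/\t200\tHost Updates\tAllowed",
    "203.0.113.45\t2009-08-14\t09:03:05\t80\thttp://example.org/\t12202\tDefault rule\tDenied",
    "203.0.113.45\t2009-08-14\t09:03:06\t8080\thttp://example.org/\t12202\tDefault rule\tDenied",
    "198.51.100.7\t2009-08-14\t09:04:18\t80\thttp://example.com/a\t200\tVPN Web Access\tAllowed",
    "198.51.100.7\t2009-08-14\t09:04:19\t80\thttp://example.com/b\t200\tVPN Web Access\tAllowed",
])

def parse_w3c(text):
    """Yield one dict per record, taking column names from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):   # skip truncated or malformed rows
                yield dict(zip(fields, values))

def is_expected(ip_text):
    """True for the host itself or an address from the VPN pool."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False                         # unparsable client field: review it
    return ip in VPN_POOL or ip in HOST_IPS

def triage(text):
    """Summarise allowed/denied counts, ports and matching rules per unexpected client."""
    report = defaultdict(lambda: {"allowed": 0, "denied": 0,
                                  "ports": Counter(), "rules": set()})
    for rec in parse_w3c(text):
        if is_expected(rec["c-ip"]):
            continue
        entry = report[rec["c-ip"]]
        allowed = rec["action"].lower().startswith("allow")
        entry["allowed" if allowed else "denied"] += 1
        entry["ports"][rec["r-port"]] += 1
        if allowed:
            entry["rules"].add(rec["rule"])  # the rule that let the request through
    return dict(report)

if __name__ == "__main__":
    for ip, e in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["allowed"]):
        print(ip, e["allowed"], e["denied"], dict(e["ports"]), sorted(e["rules"]))
```

Clients with only denied entries match the background noise described in the answer; a client with allowed entries points at the rule whose source set should be checked against the intended networks.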

