[Intrusions] ISA Server external inbound firewall sessions

James C Slora Jr Jim.Slora at phra.com
Tue Mar 28 16:46:29 GMT 2006

Yes, it looks like something to investigate further.

If you allow FTP from the inside, you can get legitimate firewall
connections back from external FTP hosts depending on your active vs passive
policy. Since you are publishing servers, there could be situations where
there might be other legitimate incoming connections through the firewall
service as well. Misconfigurations can easily let unwanted traffic in.
Publishing and other configuration issues differ between ISA Server 2000 and
2004. It all comes down to the details of your policies and the details of
the suspect traffic.

Your ISA logs should show what those external addresses are connecting to.
See if there is any traffic to those addresses from your users. Give packet
capture another shot if there is still any doubt about the legitimacy of the

-----Original Message-----
From: intrusions-bounces at lists.sans.org
[mailto:intrusions-bounces at lists.sans.org] On Behalf Of Mueller, Eric
Sent: Monday, March 27, 2006 1:03 AM
To: intrusions at lists.sans.org
Subject: [Intrusions] ISA Server external inbound firewall sessions

I have noticed two public addresses occasionally connecting to the firewall
service externally from the internet. All internet addresses should be
passing through the proxy service, because all of our external resources are
using web publishing rules. Has anyone seen this? Is this something I should
worry about? I have tried running a packet trace but was unsuccessful in
capturing any traffic from these specific source addresses, as I was not
putting too much time into this. I wanted to make sure I was not wasting my
time observing something legit. It just did not make any sense to me.


Thanks ahead of time!


Eric Mueller - GHTQ, GCWN, MCSE

Operating Systems Engineer II

AtlantiCare Information Technology

6725 Delilah Road, EHT

New Jersey, 08234

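The reply above suggests checking the ISA logs for what the external addresses connect to and whether any inside user talked to those addresses first (which is what a legitimate active-FTP data connection looks like). The following is an added example, not code from either poster or from ISA Server; it works over a constructed, simplified tab-separated log export (the field set is an assumption, real ISA W3C field names differ by version) and lists inbound external sessions that no recent outbound session from the internal network can explain.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (NOT real ISA Server log lines). Assumed fields:
# timestamp, client_ip, dest_ip, dest_port, protocol, source_network, action
SAMPLE_LOG = """\
2006-03-27 00:58:10\t10.1.5.22\t203.0.113.7\t21\tFTP\tInternal\tInitiated Connection
2006-03-27 00:58:12\t203.0.113.7\t10.1.5.22\t1052\tFTP Data\tExternal\tInitiated Connection
2006-03-27 01:02:40\t198.51.100.9\t192.0.2.1\t3389\tRDP\tExternal\tInitiated Connection
2006-03-27 01:03:05\t198.51.100.9\t192.0.2.1\t445\tMicrosoft CIFS\tExternal\tInitiated Connection
"""

def parse(log_text):
    """Turn the tab-separated export into a list of session dicts."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto, network, action = line.split("\t")
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                     "src": src, "dst": dst, "port": int(port),
                     "proto": proto, "network": network, "action": action})
    return rows

def inbound_targets(rows):
    """What each external source address is connecting to: {src: {(dst, port, proto)}}."""
    targets = defaultdict(set)
    for r in rows:
        if r["network"] == "External":
            targets[r["src"]].add((r["dst"], r["port"], r["proto"]))
    return dict(targets)

def unexplained_inbound(rows, window=timedelta(minutes=5)):
    """Inbound external sessions with no outbound session from an inside host
    to the same address within `window` beforehand (e.g. no FTP control session
    that would make a returning active-FTP data connection legitimate)."""
    outbound = defaultdict(list)          # external address -> times inside hosts reached it
    for r in rows:
        if r["network"] == "Internal":
            outbound[r["dst"]].append(r["ts"])
    findings = []
    for r in rows:
        if r["network"] != "External":
            continue
        explained = any(timedelta(0) <= r["ts"] - t <= window for t in outbound[r["src"]])
        if not explained:
            findings.append((r["src"], r["dst"], r["port"], r["proto"]))
    return findings

if __name__ == "__main__":
    for f in unexplained_inbound(parse(SAMPLE_LOG)):
        print("unexplained inbound session:", f)
```

Sessions that survive this filter are the ones worth the packet capture the reply recommends; the FTP data connection in the sample is dropped because an inside host opened the control channel two seconds earlier.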
