
MSP Managing Your Network? Make Sure You Have Independent Visibility

MSP did not identify hole in firewall

Using MSP services? Make sure you have independent monitoring in place

A third party such as a managed services provider (MSP) is most often an information technology (IT) services provider that manages and assumes responsibility for providing a defined set of services to its clients, either proactively or as the MSP (not the client) determines that services are needed. The main drivers for the adoption of MSPs are the desire to improve operations and cut expenses.

Even years ago, before the term MSP was popular, many organizations used external contractors and services to install and configure critical security equipment like firewalls. Firewall configurations and rules can be very complex, so how do you check them and make sure they are correct? One option is to look at the traffic and activity inside the firewall.

Recently I worked on an interesting problem with a client who was using an MSP to manage their firewall. They were happy with this arrangement as the MSP did not report any problems, and they had nothing independent in place to highlight any issues.

Case study: Unreported hole in firewall

One thing this client needed outside of the MSP services was a tool to monitor network traffic. They needed a high level view of bandwidth use at their network edge and they contacted us. A trial of our LANGuardian product was deployed; the ability to monitor web traffic and capture associated metadata is one of its many features.

When we started to look at the data captured we noticed something very strange with inbound traffic patterns. We define inbound traffic as a connection where the source IP address is outside the network perimeter (outside the firewall). Over 98% of traffic was associated with LDAP traffic over UDP 389 to one of their domain controllers. Traffic over UDP 389 is typically connection-less LDAP (CLDAP), a variant of LDAP that uses the User Datagram Protocol (UDP) for transport.

Our LANGuardian product has an application recognition engine, so it reported the activity correctly as LDAP. If you are using a tool which relies on port numbers (port 80, etc.) to report on activity, you may miss things like LDAP.

Drilling down on this traffic we could see connections from China, Russia and many other countries. Our determination was that the domain controller was being used as part of an amplification-based DDoS botnet. Attackers are now abusing exposed LDAP servers to amplify DDoS attacks.

We immediately put in a change request to the MSP to block UDP port 389 on the firewall. As you can see from the image below the inbound traffic dropped significantly once the firewall change was implemented.

Connectionless LDAP (CLDAP), a variant of LDAP that uses the User Datagram Protocol (UDP) for transport

The big lesson here was the need to have something in place to provide visibility of what was happening on the network. The hole in their firewall was an old NAT rule that was long since outdated. However, their MSP did not pick up on this activity. It took an independent monitoring tool to show what was happening on their network.

Finding out what is going in and out of your network with LANGuardian.

LANGuardian comes with a selection of reports which can be customized to filter on certain activity. For this use case we selected the Applications in Use report and applied a specific source and destination IP address filter. You can also use the Report Variables feature to define what subnets are in use inside your network. Follow these steps to get these custom reports set up on your LANGuardian.

1. Create report variables to define what subnets exist on your LAN. If you use private address ranges then you can use the exact same setup as the image below. The only difference between the External and Internal variables is the use of the ! character. This character denotes NOT, so the External variable matches any address that is not in one of your LAN subnets.

2. Click on All Reports and select the Applications in Use report. Click the drop down next to Source IP / Subnet on the left and select the External report variable. Click the drop down next to Destination IP / Subnet on the left and select the Internal report variable.

Click on Run Report. You should get an output like the one shown below. In my case I will need to drill down on that SMB activity as I would not expect to see file sharing traffic where the client (source) is outside my network.

3. You can then save this as a custom report by clicking on Actions \ Save As or create a line graph by selecting the Trend Report option.

4. Finally, repeat the steps to show what applications clients are using on the Internet by selecting Internal as a source and External as the destination within the Applications in Use report.
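The following is an added example, not LANGuardian code or part of the original post: it reproduces in Python the Internal / External report variables (Internal = private ranges, External = NOT Internal), the Applications in Use report filtered on source and destination, and a check for the pattern found in the case study, where one application carries almost all inbound bytes. The port-to-application map, the 90% threshold and the flow records are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Report variables, modelled on the page's setup: Internal is the RFC 1918
# ranges, External is "!Internal" (everything not in these networks).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Minimal port-to-application map (assumption): a stand-in for LANGuardian's
# recognition engine. Unknown ports are reported as proto/port.
APP_BY_PORT = {("udp", 389): "LDAP (CLDAP)", ("tcp", 445): "SMB", ("tcp", 443): "HTTPS"}

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def application(proto, port):
    return APP_BY_PORT.get((proto, port), f"{proto}/{port}")

def applications_in_use(flows, source="external", destination="internal"):
    """Emulate the Applications in Use report with a source/destination filter.
    flows: iterable of (src_ip, dst_ip, proto, dst_port, bytes).
    Returns {application: total_bytes} for flows matching the filter."""
    want_src_internal = source == "internal"
    want_dst_internal = destination == "internal"
    totals = defaultdict(int)
    for src, dst, proto, port, nbytes in flows:
        if is_internal(src) == want_src_internal and is_internal(dst) == want_dst_internal:
            totals[application(proto, port)] += nbytes
    return dict(totals)

def flag_dominant_inbound(flows, threshold=0.9):
    """Return (application, share) when a single application carries more than
    `threshold` of all inbound bytes (the case study saw over 98% CLDAP), else None."""
    totals = applications_in_use(flows, "external", "internal")
    grand = sum(totals.values())
    if grand == 0:
        return None
    app, top = max(totals.items(), key=lambda kv: kv[1])
    share = top / grand
    return (app, share) if share > threshold else None

# Constructed sample flows (not real data): bulk CLDAP to a domain controller,
# a little inbound SMB and HTTPS, and one outbound HTTPS session.
SAMPLE_FLOWS = [
    ("203.0.113.10", "10.1.1.5", "udp", 389, 40_000_000),
    ("198.51.100.7", "10.1.1.5", "udp", 389, 35_000_000),
    ("192.0.2.44", "10.1.1.5", "udp", 389, 24_000_000),
    ("203.0.113.99", "10.1.1.20", "tcp", 445, 800_000),
    ("10.1.1.30", "203.0.113.5", "tcp", 443, 5_000_000),
    ("198.51.100.7", "10.1.1.8", "tcp", 443, 200_000),
]
```

Running `flag_dominant_inbound(SAMPLE_FLOWS)` on the constructed flows returns the CLDAP application with a 0.99 share, the same kind of signal that prompted the firewall change request in the case study.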