cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to the Cisco Small Business Community

Have a question? Click on a topic board below to get started in the community.
Get the latest news in this issue of the Cisco Small Business Monthly Newsletter

344
Views
30
Helpful
9
Replies
Highlighted

RV340 Router Security Risk or Intrusion?

 

Hello,

Can anyone explain why there are remote IP addresses with established connections to my ISP IP address on the WAN port?

The IPs in the pic below in the 52 range are in Japan and connected to the IP from my ISP on my RV340 router WAN port.

This is suspicious, and I'm not confident . How to resolve this?

The GUI screen shot below is in the path:

Admin UI - Status and Statistics - TCP/IP Services - Established Connection Status

 

Router Intrusion IPs.jpg

 

I have attempted to block these IPs with a rule to deny all access on any Source, Destination and any Interface in:

Admin UI - Firewall - Access Rules - IPv4 Access Rules Table

From my tests, that function in the router seems to have no effect on network traffic. It does not block access to that remote IP.Annotation 2020-05-21 202953.jpg

 

 

Any suggestions?

Everyone's tags (2)
9 REPLIES 9
Highlighted
VIP Mentor

Re: RV340 Router Security Risk or Intrusion?

what region you are ? are you from JP region ?

 

the IP belong to Amzon AWS Cloud, is 107 IP from your ISP ?

 

As i remember this brightcloud IP the one try to connect from your network for some secure update ( need to check)

 

your rule should be :

 

if above rules already allowed 1-5 then 6 rule is redundant, so post all 6 rules to understand better.

 

to make rule collectly to capture if you like to block 52.32.234.204

 

Denied--IPv4-Traffic------WAN/LAN-----Any----WAN--52.32.234.204- Any time 

 

BB
*** Rate All Helpful Responses ***
Highlighted

Re: RV340 Router Security Risk or Intrusion?

 

Thank you very much for your reply.

 

I am in U.S. not Japan.  Yes ISP provides 107.xxx.xxx.xxx

There should be no updates from brightcloud IPs in JP region. I have no indication there should be any open connection to JP region IP addresses.

I have tried to separate the rules in the table - see rule 5 and 6 below. That has no effect that i can tell.

Denying any source or destination interface for an IP or range seems like the solution.

Would this rule be most effective at blocking access?

Denied -- IPv4: All Traffic -- Any -- 52.32.234.204 -- Any -- 52.32.234.204 -- ANYTIME

With your suggested rule, would that only block outgoing traffic to the IP 52.32.234.204 ??

 

And mainly, why would there be any open connection from a random IP to my ISP WAN address?

All traffic routes through ISP address of course, however, then the -- Status and Statistics -- TCP/IP Services - Established Connection Status -- would show all connections through NAT to the LAN. That only shows seven connections at most.

The documentation from Cisco is very lacking about the expected behavior of many functions in the Admin UX.

 

Access Rules screenshot below:

Router access rules.jpg

 

Thanks again for any suggestion.

Highlighted
VIP Mentor

Re: RV340 Router Security Risk or Intrusion?

With your suggested rule, would that only block outgoing traffic to the IP 52.32.234.204 ??

 

BB - you can add as many rules, if you see any suspcious like this.

 

I also like to see any LAN Side device compromised and sending traffic also, another way to Look.

 

I have seen the documentaion - Webfilter uses the brightcloud.

 

for now it is going to contact port 80 and 443, we can not guess what is this related, as per the IP concern, it related to brighcloud. do you have any webfilter enabled.

 

 

I do see some firesight other firepower product use below URL :

 

database.brightcloud.com
service.brightcloud.com

 

below guide for reference :

 

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118852-technote-firesight-00.html 

BB
*** Rate All Helpful Responses ***
Highlighted

Re: RV340 Router Security Risk or Intrusion?

 

Hi,

Thanks again.

 

I have no evidence of compromised LAN side devices.

I do not use webfilter function.

I have no access to firesight product.

There should be no connection to JP region IPs

There should be no connections on the ISP IP.

 

I do fault very poor documentation.

What is the expected behavior of the router for that function - Status and Statistics - TCP/IP Services - Established Connection Status - ??

 

What is the expected behavior for the access control rules?

Your suggestion may be valid, but how much experimentation must I do?

How do I validate that anyway?

Why the H is the router admin not documented?

All the documentation does is repeat what is already in the Admin UI.

Highlighted
VIP Mentor

Re: RV340 Router Security Risk or Intrusion?

So Many Quesion i can not answer. Bur few i can.

 

1. The Device com with advanced security Features WebFilter  - so it required conmstant database update from the clod to protect your network (latest name called Zero Trust - and many other names)- this means you have upto date DB from Cisco.

 

2. I have given firesight example, to understand why brightcloud involved to know  - you do not need to spend much time on that.

 

3. Today trends are different, the more devices expose to internet have high risk, So your FW need to monitor and tune as per the requirement,

 

Hope this make sense ?

 

BB
*** Rate All Helpful Responses ***
Highlighted

Re: RV340 Router Security Risk or Intrusion?

All of that makes no sense. Sorry. Again, there should be no open connection between JP region IPs and my ISP IP on the WAN port.
Highlighted
VIP Mentor

Re: RV340 Router Security Risk or Intrusion?

I have provided the information based on the input you have given and provided in the post screenshot, this is pure your environment and controlled by your network admin (or you).  

 

This is information based on the destination IP you were investigating the suspecting.52.32.234.204

 

This may be wrong on other side your point of view, i would suggest here to contact Cisco TAC and confirm by providing that IP address,

 

BB
*** Rate All Helpful Responses ***
Highlighted

Re: RV340 Router Security Risk or Intrusion?

You still don't understand the issue. There are several foreign IP addresses connected directly to the WAN IP. Packet traces show absolutely no LAN side connection to those foreign IPs. Sorry, you have provided no meaningful or helpful information.

Highlighted
VIP Mentor

Re: RV340 Router Security Risk or Intrusion?

"You still don't understand the issue"  - As per the orginal post you were onlyconcerned about the IP you provided.

 

Now you have mentioned in the last post "There are several foreign IP addresses connected directly to the WAN IP"

 

This not make any sense for me, since you have not provide enough evidence that what IP address those are.

 

I am sure some this not right here for sure, you may have attacks on WAN IP, but no evidence.

 

I will Hold my fire to assits here, since i do not have visibility, wait for further input from you or some other can assits who can understand your issue better.

 

BB
*** Rate All Helpful Responses ***