Dev Mgr
April 1st, 2012 21:00
Are you scanning with snmpwalk in your iSCSI network/vlan?
Your iSCSI network should be isolated from your regular network, which should make it secure enough to not really need to scan it I would think.
TakeshiDoi48
April 1st, 2012 04:00
Thank you very much for your prompt reply.
Sorry, I understand that there are 5 IP addresses in the PS6000 (Group IP ×1, physical port IP ×4).
However, I can see about 20 IP addresses other than these 5 IP addresses when I check the PS6000 with "snmpwalk".
In addition, these 20 IP addresses change every time you check with "snmpwalk".
I feel that this is a problem.
Because if they include an IP address that is truly harmful, we cannot distinguish it from the harmless IP addresses.
TakeshiDoi48
April 1st, 2012 23:00
Thanks! Dev Mgr
Our iSCSI network is isolated from our regular network, which should make it secure enough to not really need to scan it.
TakeshiDoi48
April 1st, 2012 23:00
Dear dwilliam62
Thank you for always being so kind!
The fields that I see are the following.
・ipRouteDest
RFC1213-MIB::ipRouteDest.0.0.0.0 = IpAddress: 0.0.0.0
RFC1213-MIB::ipRouteDest.0.9.138.1 = IpAddress: 0.9.138.1
RFC1213-MIB::ipRouteDest.5.0.1.0 = IpAddress: 5.0.1.0
RFC1213-MIB::ipRouteDest.85.78.75.78 = IpAddress: 85.78.75.78
RFC1213-MIB::ipRouteDest.101.116.104.48 = IpAddress: 101.116.104.48
RFC1213-MIB::ipRouteDest.172.20.37.13 = IpAddress: 172.20.37.13
RFC1213-MIB::ipRouteDest.180.107.1.0 = IpAddress: 180.107.1.0
RFC1213-MIB::ipRouteDest.225.96.13.0 = IpAddress: 225.96.13.0
RFC1213-MIB::ipRouteDest.255.255.255.255 = IpAddress: 255.255.255.255
For example, we have not set the IP addresses "85.78.75.78", "101.116.104.48" and "225.96.13.0".
In your environment, can you see these IP addresses?
What firmware version are you using now? I'm using F/W 5.2.1.
I have been doubting the possibility of a bug in the firmware...
About these IP addresses, I checked with Dell's Japan branch office and received this answer:
"The storage has set up these IP addresses. Since there is no harm, we want you to ignore them."
But if we leave this problem, we cannot distinguish malicious IP addresses from harmless IP addresses.
Do you have an idea for how to distinguish malicious IP addresses from harmless IP addresses?
By the way, tcpConnState is the following.
RFC1213-MIB::tcpConnState.172.20.37.12.3260.172.20.37.30.49356 = INTEGER: established(5)
RFC1213-MIB::tcpConnState.172.20.37.12.3260.172.20.37.30.49651 = INTEGER: established(5)
RFC1213-MIB::tcpConnState.172.20.37.12.3260.172.20.37.30.56068 = INTEGER: established(5)
RFC1213-MIB::tcpConnState.172.20.37.12.3260.172.20.37.30.60730 = INTEGER: established(5)
RFC1213-MIB::tcpConnState.172.20.37.12.3260.172.20.37.82.49154 = INTEGER: established(5)
RFC1213-MIB::tcpConnState.172.20.37.12.3260.172.20.37.84.49154 = INTEGER: established(5)
RFC1213-MIB::tcpConnState.172.20.37.13.3260.172.20.37.52.50262 = INTEGER: established(5)
RFC1213-MIB::tcpConnState.172.20.37.13.65106.172.20.37.52.3260 = INTEGER: established(5)
We appreciate your prompt attention to this matter.
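As an added example (not part of the original thread), one way to triage snmpwalk output like the above offline: classify each ipRouteDest entry and flag any tcpConnState connection that is not iSCSI (port 3260) between two hosts on the SAN subnet. The subnet 172.20.37.0/24 is an assumption, and the function names are hypothetical.

```python
import ipaddress
import re

# Assumption: the SAN subnet is 172.20.37.0/24 (the thread shows 172.20.37.x
# addresses but never states the mask).
SAN_NET = ipaddress.ip_network("172.20.37.0/24")
ISCSI_PORT = 3260

# Sample lines copied from the snmpwalk output in the post above.
SAMPLE = """\
RFC1213-MIB::ipRouteDest.0.0.0.0 = IpAddress: 0.0.0.0
RFC1213-MIB::ipRouteDest.85.78.75.78 = IpAddress: 85.78.75.78
RFC1213-MIB::ipRouteDest.172.20.37.13 = IpAddress: 172.20.37.13
RFC1213-MIB::ipRouteDest.225.96.13.0 = IpAddress: 225.96.13.0
RFC1213-MIB::ipRouteDest.255.255.255.255 = IpAddress: 255.255.255.255
RFC1213-MIB::tcpConnState.172.20.37.12.3260.172.20.37.30.49356 = INTEGER: established(5)
RFC1213-MIB::tcpConnState.172.20.37.13.65106.172.20.37.52.3260 = INTEGER: established(5)
"""

ROUTE_RE = re.compile(r"ipRouteDest\.\S+ = IpAddress: (\S+)")
CONN_RE = re.compile(
    r"tcpConnState\.(\d+\.\d+\.\d+\.\d+)\.(\d+)\.(\d+\.\d+\.\d+\.\d+)\.(\d+) = INTEGER: (\w+)")

def classify_route(dest):
    ip = ipaddress.ip_address(dest)
    if ip.is_unspecified:
        return "default-route"
    if dest == "255.255.255.255":
        return "limited-broadcast"
    if ip.is_multicast:
        return "multicast"
    return "san-subnet" if ip in SAN_NET else "unexplained"

def review(text):
    """Return (route class by destination, connections that need review)."""
    routes, suspect = {}, []
    for line in text.splitlines():
        if m := ROUTE_RE.search(line):
            routes[m.group(1)] = classify_route(m.group(1))
        elif m := CONN_RE.search(line):
            laddr, lport, raddr, rport, state = m.groups()
            in_san = all(ipaddress.ip_address(a) in SAN_NET for a in (laddr, raddr))
            is_iscsi = ISCSI_PORT in (int(lport), int(rport))
            if not (in_san and is_iscsi):
                suspect.append((laddr, lport, raddr, rport, state))
    return routes, suspect

if __name__ == "__main__":
    print(review(SAMPLE))
```

An "unexplained" result marks a routing-table destination outside the assumed subnet, not observed traffic; the tcpConnState rows are the connections the array actually holds.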
TakeshiDoi48
April 2nd, 2012 21:00
Dear dwilliam62
I hope you don't think I'm being a pest! I promise, this will be the last question.
>What you are seeing is the result of basic TCP/IP. This is the same for any network device. The first set of IPs are the result of device announcing themselves as routers.
Are you saying that the first set and the last set of IPs are the result of devices announcing themselves as routers?
I understand that the first set of IPs is the default route, and the last set of IPs is the broadcast address. These addresses are basic TCP/IP.
But I think that, for example, "85.78.75.78", "101.116.104.48" and "225.96.13.0" are not basic TCP/IP.
My questions are:
・In your environment, can you see these IP addresses?
・What firmware version are you using now? I'm using F/W 5.2.1.
I really appreciate all your help.
TakeshiDoi48
April 3rd, 2012 08:00
Dear Don
Please call me Takeshi. Thank you for putting up with my frequent Posts. I almost feel like we are becoming pen pals! By now, I guess you get used to my funny English writing.
Now, I understood that your suggestions are "You should use a network monitoring tool like wireshark or iptraf, and check that illegal traffic does not exist on the SAN subnet", and "Completely isolate the SAN subnet from servers and other network devices".
I think the essential idea.
Thank you so much for answering all my questions!
Thank you for your kind cooperation, and I look forward to talking with you again!