Securing your segmented Network, and interpretation of tcpdump on dual NIC segmented network

Posted on by

Howdy! So, here is a real life example of some basic networking security analysis.

Without giving too much away about the way my own home network works. I have a basic firewall-like setup segmenting my red internet routers network offering from the nic port handling my local network. This offers a level of separation or isolation, that prevents any-old-packet reaching the local network. By default I am allowing services to be routed out to internets only when it is requested first by an application running on boxes inside the local network. If any external client attempts to connect to my router on a particular port without it being SYN ACK, then it won’t be accepted.

Another good thing is it’s easy to find out what destination and source is because eth1 shows me primarily all internet bound and internet from traffic, and the eth0 adapter shows me primarily all local traffic on it’s way to be internet bound thru the firewall and then out the other NIC.

Today I saw some worrying traffic coming thru on eth1, something called teamview;

Here is what it looked like:

# tcpdump -i eth1 | grep teamview
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
16:07:05.641711 IP firewall.home.50490 > server19703.teamviewer.com.https: Flags [P.], seq 2473010817:2473010841, ack 788873912, win 255, length 24
16:07:05.676803 IP server19703.teamviewer.com.https > firewall.home.50490: Flags [P.], seq 1:25, ack 24, win 251, length 24
16:07:05.891233 IP firewall.home.50490 > server19703.teamviewer.com.https: Flags [.], ack 25, win 255, length 0

As we can see the firewall just ‘dialed’ out to a remote server19703, and I am like ‘wtf’ is this? So I start to panic, then I run:

]# tcpdump -i eth0 | grep teamview
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:07:05.641686 IP 192.168.0.120.50490 > server19703.teamviewer.com.https: Flags [P.], seq 2473010817:2473010841, ack 788873912, win 255, length 24
16:07:05.676846 IP server19703.teamviewer.com.https > 192.168.0.120.50490: Flags [P.], seq 1:25, ack 24, win 251, length 24
16:07:05.891204 IP 192.168.0.120.50490 > server19703.teamviewer.com.https: Flags [.], ack 25, win 255, length 0

This allows me to see, what the nature of the request was, just before the firewall started to route it out on the eth1 adapter. As such it shows me that the local network machine devices ip address on eth0, which is 192.168.0.120, or in other words, my parentals new computer, specifically the one I bought them for christmas from ebay.

What does this mean? It means I’ll be paying a visit to their box to make sure that this is disabled.