The mGuard appears to be built around a 266 MHz CPU running some version of Linux. I like the idea of an independent, hardware-based device implementing access control. The mGuard can filter unwanted inbound or outbound traffic in a completely transparent manner. Alternatively, you can configure the mGuard to log traffic but pass everything.
I would like to thank Innominate for mailing me a demo mGuard card all the way from Germany. I find the self-contained Innominate mGuard professional to be fairly novel as well. You simply insert this device between your workstation, laptop, or server and the network, and it provides the same filtering found in the PCI version. This is a great hardware-based access control solution for anyone on a hostile network. ISPs could consider shipping these to their customers!
While I was perusing the mGuard's logs, I found an odd connection:
uptime 0 days 01:01:38.37870 klogd: fw-out-ACCEPT IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0
SRC=192.168.2.77 DST=205.156.51.200 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=1304 DF PROTO=TCP
SPT=56925 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
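To make records like the one above easier to triage, here is an added example (my own code, not Innominate's and not from the original post) that parses the mGuard's netfilter-style LOG records into fields and flags ACCEPTed outbound connection attempts to ports outside an allowlist. The rule-name prefix fw-out-ACCEPT is taken from the log above; the allowlist and the extra sample records (DNS, HTTPS, and a mid-stream ACK to the same FTP session) are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample in the mGuard's netfilter LOG format. The first record
# reproduces the one from the post; the other three are made up so the check
# has something to pass (DNS, HTTPS) and something to ignore (a mid-stream ACK).
SAMPLE_LOG = """\
uptime 0 days 01:01:38.37870 klogd: fw-out-ACCEPT IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.2.77 DST=205.156.51.200 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=1304 DF PROTO=TCP SPT=56925 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
uptime 0 days 01:01:40.12345 klogd: fw-out-ACCEPT IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.2.77 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1305 DF PROTO=UDP SPT=49152 DPT=53 LEN=40
uptime 0 days 01:01:41.55555 klogd: fw-out-ACCEPT IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.2.77 DST=198.51.100.10 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=1306 DF PROTO=TCP SPT=56930 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
uptime 0 days 01:01:42.00001 klogd: fw-out-ACCEPT IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.2.77 DST=205.156.51.200 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1307 DF PROTO=TCP SPT=56925 DPT=21 WINDOW=65535 RES=0x00 ACK URGP=0
"""

# Outbound (protocol, destination port) pairs this host is expected to use.
# Assumed for the example; a real allowlist comes from the host's known role.
EXPECTED_OUTBOUND = {("TCP", "80"), ("TCP", "443"), ("UDP", "53"), ("UDP", "123")}


def parse_record(line: str) -> Dict[str, object]:
    """Parse one netfilter LOG record into a dict.

    Everything before the first KEY=VALUE token is the syslog head: an uptime
    stamp, 'klogd:', and the LOG prefix (the mGuard rule name, e.g. fw-out-ACCEPT).
    Bare tokens such as DF, SYN or ACK are collected as flags. Where a key
    repeats (UDP records carry a second LEN= for the UDP length) the first
    occurrence, the IP-header value, wins.
    """
    tokens = line.split()
    first = next((i for i, t in enumerate(tokens) if "=" in t), None)
    if first is None:
        raise ValueError(f"not a netfilter LOG record: {line!r}")
    head = " ".join(tokens[:first])
    stamp, _, prefix = head.partition("klogd:")
    rec: Dict[str, object] = {"stamp": stamp.strip(), "prefix": prefix.strip(), "flags": set()}
    for tok in tokens[first:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec.setdefault(key, value)
        else:
            rec["flags"].add(tok)
    return rec


def unexpected_outbound(log_text: str) -> List[Dict[str, object]]:
    """Return ACCEPTed outbound records whose (protocol, port) is not expected.

    For TCP only the connection attempt (SYN without ACK) is reported, so a
    single session produces one hit rather than one per packet; UDP has no
    handshake, so every UDP record is considered.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["prefix"] != "fw-out-ACCEPT":
            continue
        flags = rec["flags"]
        if rec.get("PROTO") == "TCP" and not ("SYN" in flags and "ACK" not in flags):
            continue
        if (rec.get("PROTO"), rec.get("DPT")) not in EXPECTED_OUTBOUND:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in unexpected_outbound(SAMPLE_LOG):
        print(f'{hit["stamp"]}: {hit["SRC"]}:{hit["SPT"]} -> {hit["DST"]}:{hit["DPT"]} ({hit["PROTO"]})')
```

Run stand-alone, it reports only the FTP SYN from the post's record; the DNS and HTTPS records are on the allowlist and the later ACK to port 21 belongs to a session already reported. The prefix check relies on the mGuard naming its logging rules fw-out-ACCEPT, as the record above shows; on another netfilter box substitute whatever --log-prefix the outbound rule uses.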
This is an FTP control channel connection to 205.156.51.200 (tgftp.nws.noaa.gov). I could not account for this activity, but I did have full content logging data enabled on my NSM sensor. Here is the session as decoded by tcpflow:
220-This is a United States Government (NOAA) computer system, which may be
220-accessed and used only for official Government business by authorized
220-personnel. Unauthorized access or use of this computer system may
220-subject violators to criminal, civil, and/or administrative action.
220 tgftp.nws.noaa.gov FTP server ready.
069.243.018.066.56925-205.156.051.200.00021: USER anonymous
205.156.051.200.00021-069.243.018.066.56925: 331 Guest login ok, send your complete e-mail address as password.
069.243.018.066.56925-205.156.051.200.00021: PASS firstname.lastname@example.org
205.156.051.200.00021-069.243.018.066.56925: 230-Please read the file README.TXT
205.156.051.200.00021-069.243.018.066.56925: 230- it was last modified on Mon Aug 19 13:36:34 2002 - 1049 days ago
230 Guest login ok, access restrictions apply.
069.243.018.066.56925-205.156.051.200.00021: TYPE I
205.156.051.200.00021-069.243.018.066.56925: 200 Type set to I.
069.243.018.066.56925-205.156.051.200.00021: CWD /data/observations/metar/decoded
205.156.051.200.00021-069.243.018.066.56925: 250 CWD command successful.
069.243.018.066.56925-205.156.051.200.00021: SIZE YSSY.TXT
205.156.051.200.00021-069.243.018.066.56925: 213 413
069.243.018.066.56925-205.156.051.200.00021: MDTM YSSY.TXT
205.156.051.200.00021-069.243.018.066.56925: 213 20050704155232
205.156.051.200.00021-069.243.018.066.56925: 227 Entering Passive Mode (205,156,51,200,254,91)
069.243.018.066.56925-205.156.051.200.00021: RETR YSSY.TXT
205.156.051.200.00021-069.243.018.066.56925: 150 Opening BINARY mode data connection for YSSY.TXT (413 bytes).
205.156.051.200.00021-069.243.018.066.56925: 226 Transfer complete.
205.156.051.200.00021-069.243.018.066.56925: 221 You could at least say goodbye.
I see that this was caused by a weather applet running on FreeSBIE, the FreeBSD live CD with which I was testing the mGuard PCI. This is completely benign, but I was not expecting to see a program perform an FTP connection on its own. This is the power of collecting NSM data -- you can figure out what is happening, once you know where to look. You also don't have to know what to look for before you start collecting data -- just grab as much as you can.
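As an added example (my own code, not from the post), here is a Python summarizer for tcpflow-style transcripts of an FTP control channel like the one above. It records who logged in, tracks the working directory so each RETR is reported as a full path, and decodes the 227 Passive Mode reply into the data-channel endpoint, which is what you need to pull the transfer itself out of the full-content store. The transcript it runs on is a constructed abbreviation of the session above; the password is a placeholder, and the PASV command the client must have sent (only the reply survives in the decoded session above) is written in explicitly.

```python
import posixpath
import re
from typing import Dict, Tuple

# tcpflow names each direction "src_ip.src_port-dst_ip.dst_port" with
# zero-padded octets and ports; the flow regex keys on that shape.
FLOW = re.compile(r"^(\d{3}(?:\.\d{3}){3}\.\d{5})-(\d{3}(?:\.\d{3}){3}\.\d{5}): ?(.*)$")
# RFC 959 passive-mode reply: 227 ... (h1,h2,h3,h4,p1,p2); port = p1 * 256 + p2.
PASV = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Server replies start with a three-digit code followed by a space or, for
# multi-line replies, a hyphen; anything else on the channel is a client command.
REPLY = re.compile(r"^\d{3}[ -]")

CLIENT = "069.243.018.066.56925"
SERVER = "205.156.051.200.00021"
# Constructed transcript modelled on the session in the post; the password is a placeholder.
SAMPLE_SESSION = f"""\
{SERVER}-{CLIENT}: 220 tgftp.nws.noaa.gov FTP server ready.
{CLIENT}-{SERVER}: USER anonymous
{SERVER}-{CLIENT}: 331 Guest login ok, send your complete e-mail address as password.
{CLIENT}-{SERVER}: PASS user@example.org
{SERVER}-{CLIENT}: 230-Please read the file README.TXT
{SERVER}-{CLIENT}: 230 Guest login ok, access restrictions apply.
{CLIENT}-{SERVER}: TYPE I
{SERVER}-{CLIENT}: 200 Type set to I.
{CLIENT}-{SERVER}: CWD /data/observations/metar/decoded
{SERVER}-{CLIENT}: 250 CWD command successful.
{CLIENT}-{SERVER}: PASV
{SERVER}-{CLIENT}: 227 Entering Passive Mode (205,156,51,200,254,91)
{CLIENT}-{SERVER}: RETR YSSY.TXT
{SERVER}-{CLIENT}: 150 Opening BINARY mode data connection for YSSY.TXT (413 bytes).
{SERVER}-{CLIENT}: 226 Transfer complete.
{CLIENT}-{SERVER}: QUIT
{SERVER}-{CLIENT}: 221 Goodbye.
"""


def unpad(flow: str) -> Tuple[str, int]:
    """'205.156.051.200.00021' -> ('205.156.51.200', 21)."""
    octets = flow.split(".")
    return ".".join(str(int(o)) for o in octets[:4]), int(octets[4])


def summarize_ftp(transcript: str) -> Dict[str, object]:
    """Summarize what the client did on an FTP control channel.

    Wrapped continuation lines (no flow prefix) are skipped: every FTP command
    and reply code sits at the start of a tcpflow line, so nothing is lost.
    """
    summary: Dict[str, object] = {
        "client": None, "server": None, "user": None, "anonymous": False,
        "password_seen": False, "retrieved": [], "data_channels": [], "quit": False,
    }
    cwd = "/"
    for raw in transcript.splitlines():
        m = FLOW.match(raw)
        if not m:
            continue
        src, _dst, text = m.groups()
        if REPLY.match(text):
            summary["server"] = summary["server"] or unpad(src)
            pm = PASV.match(text)
            if pm:
                h1, h2, h3, h4, p1, p2 = (int(g) for g in pm.groups())
                summary["data_channels"].append((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
            continue
        summary["client"] = summary["client"] or unpad(src)
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            summary["user"] = arg
            summary["anonymous"] = arg.lower() in ("anonymous", "ftp")
        elif verb == "PASS":
            summary["password_seen"] = True  # note it, but never copy credentials into a report
        elif verb == "CWD":
            cwd = arg if arg.startswith("/") else posixpath.join(cwd, arg)
        elif verb == "RETR":
            summary["retrieved"].append(posixpath.join(cwd, arg))
        elif verb == "QUIT":
            summary["quit"] = True
    return summary


if __name__ == "__main__":
    for key, value in summarize_ftp(SAMPLE_SESSION).items():
        print(f"{key}: {value}")
```

For the session above this yields an anonymous login from 69.243.18.66:56925, one file retrieved (/data/observations/metar/decoded/YSSY.TXT), and a passive data channel at 205.156.51.200:65115 (254 * 256 + 91). That endpoint, together with the client address, is the filter to apply to the full-content data to recover the 413-byte observation file itself; only the control channel shows up in the firewall log.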