On Fri, Jan 6, 2017, at 03:21 PM, Ryan Coleman wrote:
>
> > On Jan 5, 2017, at 4:02 PM, LB <l at lhb.me> wrote:
> >
> > 3. Our on premise router is compromised (I doubt it)
>
> This is a very interesting possibility…
> What's the premise router running? Who made it?
>

It's a SonicWALL NSA 3600 series (actually 2 in an HA cluster). Firmware is up-to-date. I have not heard of any exploits for the SonicWALL, but that doesn't mean they don't exist. Remote management is turned off and I keep it pretty locked down to both inbound and outbound traffic. For example, DNS queries to the Internet are only allowed from specific internal DNS servers and only to specific Internet DNS servers. Unauthenticated traffic is restricted to 80 and 443 outbound and subject to geo-ip, botnet and other content filtering rules. There are a few inbound ports open but those are filtered pretty heavily and terminate in DMZ hosts.

One thing though. We do have a Cisco managed switch (one of the Linksys-type low-end switches) that acts as a failover switch for the SonicWALLs. It is partitioned into several 4 port "logical switches" using untagged VLANs. One of the untagged VLAN partitions has WAN connections (Internet side of the SonicWALL). However, there is no IP assigned to the WAN VLAN interface and all management services have been unbound from that VLAN interface.
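The egress policy LB describes (DNS to the Internet only from specific internal resolvers to specific upstream resolvers, other unauthenticated outbound traffic only on 80 and 443) is easy to state but worth verifying against what actually leaves the network. The following is an added example, not code from the thread or from SonicWALL: it models that policy in Python and audits a set of constructed flow records, flagging anything the policy should not allow (for instance a workstation talking DNS directly to the Internet, which is exactly the kind of flow that would deserve a look when a compromised router is on the list of hypotheses). The resolver and upstream addresses are hypothetical, drawn from documentation ranges, and the sample flows are constructed.

```python
"""Audit constructed outbound flow records against an egress policy like the
one described in the thread. Example code, not from the thread or the vendor."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical addresses chosen for this example (documentation ranges);
# replace with the site's real resolvers and permitted upstream servers.
INTERNAL_NET = ip_network("10.0.0.0/8")
INTERNAL_RESOLVERS = {ip_address("10.0.0.53"), ip_address("10.0.1.53")}
UPSTREAM_RESOLVERS = {ip_address("198.51.100.53"), ip_address("203.0.113.53")}
UNAUTH_PORTS = {80, 443}   # only ports unauthenticated clients may reach directly


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


def classify(flow: Flow) -> str:
    """Return 'allow', 'not-egress', or a 'deny:<reason>' string for one flow."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    # The policy only concerns LAN -> Internet traffic; anything else is out of scope.
    if src not in INTERNAL_NET or dst in INTERNAL_NET:
        return "not-egress"
    if flow.dport == 53:
        # DNS may leave only from the designated resolvers, and only to the
        # approved upstream servers.
        if src in INTERNAL_RESOLVERS and dst in UPSTREAM_RESOLVERS:
            return "allow"
        if src in INTERNAL_RESOLVERS:
            return "deny:dns-to-unapproved-upstream"
        return "deny:dns-from-non-resolver"
    if flow.dport in UNAUTH_PORTS:
        return "allow"
    return "deny:port-not-permitted"


def audit(flows):
    """Return a list of (flow, reason) for every flow the policy would deny."""
    findings = []
    for flow in flows:
        reason = classify(flow)
        if reason.startswith("deny"):
            findings.append((flow, reason))
    return findings


# Constructed sample flows in the spirit of a NetFlow export (not real data).
SAMPLE_FLOWS = [
    Flow("10.0.0.53", "198.51.100.53", "udp", 53),   # resolver -> approved upstream
    Flow("10.0.5.20", "198.51.100.53", "udp", 53),   # workstation bypassing resolvers
    Flow("10.0.0.53", "192.0.2.1", "udp", 53),       # resolver -> unapproved upstream
    Flow("10.0.5.20", "192.0.2.80", "tcp", 443),     # ordinary HTTPS egress
    Flow("10.0.5.20", "192.0.2.80", "tcp", 8443),    # port outside the allowed set
    Flow("10.0.5.20", "10.0.9.9", "tcp", 22),        # internal traffic, out of scope
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{reason:34} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

Run against real flow exports, any `deny:` finding means either the firewall rule set does not match the stated policy or something inside the network is trying to reach around it; both are worth chasing before concluding that the router itself is the problem.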