Cyber Security Investigation IP Access Alert---108.171.130.166

YeMingjie
Level 1

Hi All

Recently we received a lot of alerts from many different computers in the USA that tried to connect to the IP 108.171.130.166.

I did some IP lookup on the Internet and found that it points to the domain EGRESS207.CWS.SCO.CISCO.COM.

I just want to confirm what EGRESS207.CWS.SCO.CISCO.COM is used for.

Is it a cloud web security service? I know there are many accessXX.CWS.SCO.CISCO.COM hosts that work as proxies, but I am not sure if egressXX serves the same purpose.


BR

Nelson

Accepted Solution

Thomas Busch
Cisco Employee

Nelson,

This IP address is associated with the CWS (cloud web security) service for access207.

Each access tower is configured so that there is an ingress IP (what you connect to) and an egress IP (what end websites see your traffic sourced from).

For example, in your case you would point your connector/redirection method to the IP address 108.171.130.134 to have your traffic reach the tower; we would then take the traffic and send it to the end server, sourcing it from our egress IP.

Note that your traffic should only be redirected to the ingress IP (access<number>), not the egress IP.



Hi Thomas

Thanks for your explanation, and you are correct that traffic in our company should only be redirected to the ingress IP, not the egress IP.

I just did some investigation and found that there really is some traffic in our company that points to the egress IP directly; the IP destination port is 31016, which is why I want to do some analysis.

Below is the raw log for your reference:

Aug 24 15:24:35 USPLWSEPM01 SymantecServer: BRCZOLXXXXXX,Local: 172.22.XX.XX,Local: 31016,Local: 3C970EC3509A,Remote: 108.171.130.166,Remote: ,Remote: 31016,Remote: 00000C07AC97,UDP,Outbound,Begin: 2016-08-24 15:20:44,End: 2016-08-24 15:20:44,Occurrences: 2,Application: C:/Program Files (x86)/Kontiki/KService.exe,Rule: Office - Block IP Addresses - Destination,Location: XX - Office,User: SISTEMA,Domain: AUTORIDADE NT,Action: Blocked

In our environment we already block this traffic, but it still creates a lot of alerts for these kinds of connections.

BR

Nelson
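As an added example (not code from the thread, from Cisco or from Symantec), the following Python script shows how to triage SEP firewall traffic lines like the one Nelson posted against the ingress/egress distinction Thomas describes: it parses each line, maps the remote address to its CWS tower role from the access<number>/egress<number> hostname pattern, and reports every outbound connection aimed at an egress address, since a correctly configured connector only ever redirects to the access (ingress) address. The first sample line is the log line quoted in the post; the second sample line, the reverse-DNS table and the access207 PTR name assumed for 108.171.130.134 are constructed for the example and stand in for a live socket.gethostbyaddr() lookup.

```python
"""Triage Symantec Endpoint Protection (SEP) firewall traffic logs for
outbound connections that target a Cisco CWS *egress* address instead of
the *ingress* (accessNN) address a connector should be pointed at.

Added example; not code from the thread, Cisco or Symantec.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input. The first line is the log line quoted in the post (its
# redactions kept); the second is a constructed line showing traffic to
# the access207 ingress address 108.171.130.134 that Thomas mentions.
SAMPLE_LOG = """\
Aug 24 15:24:35 USPLWSEPM01 SymantecServer: BRCZOLXXXXXX,Local: 172.22.XX.XX,Local: 31016,Local: 3C970EC3509A,Remote: 108.171.130.166,Remote: ,Remote: 31016,Remote: 00000C07AC97,UDP,Outbound,Begin: 2016-08-24 15:20:44,End: 2016-08-24 15:20:44,Occurrences: 2,Application: C:/Program Files (x86)/Kontiki/KService.exe,Rule: Office - Block IP Addresses - Destination,Location: XX - Office,User: SISTEMA,Domain: AUTORIDADE NT,Action: Blocked
Aug 24 15:25:10 USPLWSEPM01 SymantecServer: HOST2,Local: 172.22.5.7,Local: 51234,Local: AABBCCDDEEFF,Remote: 108.171.130.134,Remote: ,Remote: 8080,Remote: 00000C07AC97,TCP,Outbound,Begin: 2016-08-24 15:21:00,End: 2016-08-24 15:21:05,Occurrences: 1,Application: C:/Program Files/Internet Explorer/iexplore.exe,Rule: Allow CWS connector,Location: XX - Office,User: alice,Domain: CORP,Action: Allowed
"""

# Constructed reverse-DNS table standing in for socket.gethostbyaddr()
# so the example runs offline. The egress207 name is what the post
# reports for .166; the access207 PTR name for .134 is an assumption.
PTR_TABLE: Dict[str, str] = {
    "108.171.130.166": "egress207.cws.sco.cisco.com",
    "108.171.130.134": "access207.cws.sco.cisco.com",
}
# Tower role is read from the hostname prefix described in the thread.
CWS_HOST = re.compile(r"^(access|egress)(\d+)\.cws\.sco\.cisco\.com$", re.I)
# syslog header: "Mon DD HH:MM:SS <sepm-host> SymantecServer: <fields>"
SEP_LINE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (\S+) SymantecServer: (.*)$")


@dataclass
class FwEvent:
    host: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    proto: str
    direction: str
    application: str
    rule: str
    action: str


def _val(field: str) -> str:
    """'Remote: 108.171.130.166' -> '108.171.130.166'; 'Remote: ' -> ''."""
    return field.split(":", 1)[1].strip() if ":" in field else field.strip()


def parse_sep_line(line: str) -> Optional[FwEvent]:
    """Parse one SEP firewall traffic line; the first ten fields are
    positional (client, 3x Local, 4x Remote, proto, direction), the
    rest are 'Key: value' pairs."""
    m = SEP_LINE.match(line.strip())
    if not m:
        return None
    fields = m.group(2).split(",")
    if len(fields) < 19:
        return None
    kv: Dict[str, str] = {}
    for f in fields[10:]:
        if ":" in f:
            k, v = f.split(":", 1)
            kv[k.strip()] = v.strip()
    return FwEvent(
        host=fields[0].strip(),
        local_ip=_val(fields[1]),
        local_port=int(_val(fields[2])),
        remote_ip=_val(fields[4]),
        remote_port=int(_val(fields[6])),
        proto=fields[8].strip(),
        direction=fields[9].strip(),
        application=kv.get("Application", ""),
        rule=kv.get("Rule", ""),
        action=kv.get("Action", ""),
    )


def cws_role(ip: str, ptr: Dict[str, str] = PTR_TABLE) -> Optional[Tuple[str, str]]:
    """Return ('access'|'egress', tower_number) for a CWS address, else None."""
    name = ptr.get(ip)
    if not name:
        return None
    m = CWS_HOST.match(name)
    return (m.group(1).lower(), m.group(2)) if m else None


def triage(log: str, ptr: Dict[str, str] = PTR_TABLE) -> List[Dict[str, str]]:
    """Flag outbound events whose destination is a CWS egress address.
    Traffic to an access (ingress) address is the expected redirection
    and is left alone."""
    findings: List[Dict[str, str]] = []
    for line in log.splitlines():
        ev = parse_sep_line(line)
        if ev is None or ev.direction != "Outbound":
            continue
        role = cws_role(ev.remote_ip, ptr)
        if role is None or role[0] != "egress":
            continue
        findings.append({
            "host": ev.host, "remote_ip": ev.remote_ip,
            "remote_port": str(ev.remote_port), "proto": ev.proto,
            "application": ev.application, "action": ev.action,
            "tower": role[1],
            "reason": "direct connection to CWS egress address; "
                      "connectors should only target access" + role[1],
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

In production the PTR_TABLE lookup would be replaced by a cached socket.gethostbyaddr() call; the useful output for the analyst is the application field, which tells you which process on the client (here KService.exe rather than a browser or the CWS connector) is generating the egress-bound traffic that the firewall rule keeps blocking.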
