Re: [fw-wiz] NAT for a simple network
From: Mikael Olsson (mikael.olsson_at_clavister.com)
To: "Robert E. Martin" <email@example.com>
Date: Fri, 15 Aug 2003 15:27:34 +0200
"Robert E. Martin" wrote:
> With reading the post about Home Appliances, the default is "allow
> any out", "deny any in" for appliances like this. Does this mean
> this is "stateful packet inspection"? Are there any thoughts about this?
Sort of. Some of these little boxes make wonderful assumptions about
how ports are allocated, used and re-used that indeed do work with the
majority of applications. But when you get funkier than that, they have
a tendency to get .. um .. confused. IPsec NAT traversal for instance
confuses the heck out of the NAT in Alcatel gateways -- try to initiate
stuff in the wrong order and you'll end up waiting for the states to
time out before you can try again.
So, for such "Home Appliances" I guess you could say that they "keep
state" if you're in a good mood, but the way that it assumes what's
"outside" and "inside" and how port allocation works makes it more
along the lines of a single-minded port mapping table than a real
Now, having said that, the average small company has security
problems far worse than the risk for some überh4x0r to come
along and play with their firewall state tables. Reading e-mail
with Outlook and surfing with IE and not keeping up on patches
and antivirus updates has so far been far worse than having a
shoddy firewall, so unless you're fixing that, I wouldn't worry
overly much about the state tracker.
Again: this is the _average_ small company. _Your_ security
policy is your own, and I make no assumptions about that.
I also do not make any promises about there not showing up
automated tools to tinker with dumb state trackers at some
point in the future.
Security is fun, isn't it? :)
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00  Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50  WWW: http://www.clavister.com
"Senex semper diu dormit"
_______________________________________________
firewall-wizards mailing list
firstname.lastname@example.org
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
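The distinction Mikael draws above, between a box that merely keeps a port mapping table and one that tracks real flow state, is easy to see in a toy model. The following is an added example written for this archive page, not code from the original post or from any vendor: two simulated outbound-only NATs receive the same constructed packets (all addresses are from documentation ranges, the 30-second idle timeout and the port numbers are made up). The port-mapping NAT forwards any inbound packet that hits an allocated external port, while the stateful tracker only forwards the reply belonging to the exact flow that opened the mapping; both drop a reply that arrives after the idle timer has run out, which is the "wait for the states to time out" behaviour the post describes.

```python
# Added example (not part of the original post): a "port mapping table" NAT
# next to a 5-tuple stateful tracker, fed the same constructed packets.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed addresses (RFC 5737 documentation ranges / RFC 1918) and timeout.
INTERNAL_IP = "192.168.1.10"   # host behind the NAT
EXT_IP = "192.0.2.1"           # NAT's public address
DNS_SERVER = "203.0.113.5"     # legitimate remote peer
STRANGER = "198.51.100.7"      # unrelated host that never received traffic
IDLE_TIMEOUT = 30.0            # seconds before an idle mapping is dropped


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortMapNAT:
    """Port mapping table only: once an external port has been allocated for
    an internal socket, ANY inbound packet to that port is forwarded until the
    idle timer expires, no matter who sent it."""

    def __init__(self, timeout: float, first_port: int = 40000) -> None:
        self.timeout = timeout
        self.next_port = first_port
        # ext_port -> [internal_ip, internal_port, last_seen]
        self.table: Dict[int, List] = {}

    def outbound(self, pkt: Packet, now: float) -> int:
        for ext_port, entry in self.table.items():
            if entry[0] == pkt.src_ip and entry[1] == pkt.src_port:
                entry[2] = now            # refresh the idle timer
                return ext_port
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.table[ext_port] = [pkt.src_ip, pkt.src_port, now]
        return ext_port

    def inbound(self, pkt: Packet, now: float) -> Optional[Tuple[str, int]]:
        entry = self.table.get(pkt.dst_port)
        if entry is None or now - entry[2] > self.timeout:
            self.table.pop(pkt.dst_port, None)   # expired: wait for a new outbound
            return None
        return (entry[0], entry[1])               # forwarded, whoever sent it


class StatefulNAT:
    """Remembers the whole flow (internal socket AND remote socket), so an
    inbound packet is forwarded only if it is the reply to that exact flow."""

    def __init__(self, timeout: float, first_port: int = 40000) -> None:
        self.timeout = timeout
        self.next_port = first_port
        # (ext_port, remote_ip, remote_port) -> [internal_ip, internal_port, last_seen]
        self.flows: Dict[Tuple[int, str, int], List] = {}

    def outbound(self, pkt: Packet, now: float) -> int:
        for (ext_port, rip, rport), entry in self.flows.items():
            if (entry[0], entry[1], rip, rport) == (pkt.src_ip, pkt.src_port,
                                                    pkt.dst_ip, pkt.dst_port):
                entry[2] = now
                return ext_port
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.flows[(ext_port, pkt.dst_ip, pkt.dst_port)] = [pkt.src_ip, pkt.src_port, now]
        return ext_port

    def inbound(self, pkt: Packet, now: float) -> Optional[Tuple[str, int]]:
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        entry = self.flows.get(key)
        if entry is None or now - entry[2] > self.timeout:
            self.flows.pop(key, None)
            return None
        return (entry[0], entry[1])


def run_scenario() -> Dict[str, Dict[str, Optional[Tuple[str, int]]]]:
    """One outbound DNS query, then three inbound packets against each NAT:
    the genuine reply, a packet from an unrelated host aimed at the mapped
    port, and the genuine reply arriving after the idle timeout."""
    results = {}
    for name, nat in (("portmap", PortMapNAT(IDLE_TIMEOUT)),
                      ("stateful", StatefulNAT(IDLE_TIMEOUT))):
        ext_port = nat.outbound(Packet(INTERNAL_IP, 5000, DNS_SERVER, 53), now=0.0)
        reply = Packet(DNS_SERVER, 53, EXT_IP, ext_port)
        stranger = Packet(STRANGER, 4444, EXT_IP, ext_port)
        results[name] = {
            "reply": nat.inbound(reply, now=1.0),
            "stranger": nat.inbound(stranger, now=2.0),
            "late_reply": nat.inbound(reply, now=IDLE_TIMEOUT + 30.0),
        }
    return results


if __name__ == "__main__":
    for nat_name, outcome in run_scenario().items():
        print(nat_name, outcome)
```

In the output the port-mapping NAT hands the "stranger" packet to the internal host just as readily as the real reply, which is exactly why such a box should be judged as a port mapper rather than as a stateful firewall; the stateful tracker drops it because no flow to that remote socket exists. Both drop the late reply, so a client that gives up and retries before the old entry has aged out is at the mercy of the appliance's timer.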