Re: [fw-wiz] NAT for a simple network

From: Mikael Olsson (mikael.olsson_at_clavister.com)
Date: 08/15/03

  • Next message: Ames, Neil: "RE: [fw-wiz] worm + VPN + firewall"
    To: "Robert E. Martin" <rmartin@fishburne.org>
    Date: Fri, 15 Aug 2003 15:27:34 +0200
    
    

    "Robert E. Martin" wrote:
    >
    > With reading the post about Home Appliances, the default is "allow
    > any out", "deny any in" for > appliances like this. Does this mean
    > this is "stateful packet inspection"? Are there any thoughts about this?

    Sort of. Some of these little boxes make wonderful assumptions about
    how ports are allocated, used and re-used that indeed do work with the
    majority of applications. But when you get funkier than that, they have
    a tendency to get .. um .. confused. IPsec NAT traversal for instance
    confuses the heck out of the NAT in alcatel gateways -- try to initiate
    stuff in the wrong order and you'll end up waiting for the states to
    time out before you can try again.

    So, for such "Home Appliances" I guess you could say that they "keep
    state" if you're in a good mood, but the way that it assumes what's
    "outside" and "inside" and how port allocation works makes it more
    along the lines of a singleminded port mapping table than a real
    connection tracker.

    Now, having said that, the average small company has security
    problems far worse than the risk for some überh4x0r to come
    along and play with their firewall state tables. Reading e-mail
    with outlook and surfing with IE and not keeping up on patches
    and antivirus updates has so far been far worse than having a
    shoddy firewall, so unless you're fixing that, I wouldn't worry
    overly much about the state tracker.

    Again: this is the _average_ small company. _Your_ security
    policy is your own, and I make no assumptions about that.
    I also do not make any promises about there not showing up
    automated tools to tinker with dumb state trackers at some
    point in the future.

    Security is fun, isn't it? :)

    -- 
    Mikael Olsson, Clavister AB
    Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
    Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
    Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
    "Senex semper diu dormit"
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    

  • Next message: Ames, Neil: "RE: [fw-wiz] worm + VPN + firewall"

    Relevant Pages

    • Re: ISA 2004 and SBS websites
      ... And that one if left enabled will keep the firewall service ... Call to Reading hardware selection returned ok. ... Call to Reading web publishing selection returned ok. ... Call to Notifying client setup for Default gateway as the SBS server ...
      (microsoft.public.windows.server.sbs)
    • Re: SBS 2003 Exchange/Outlook RPC via HTTPS configuration issues
      ... How to Install a Public 3rd Party SSL Certificate on IIS on SBS 2003 ... Call to Reading the firewall selection returned ok. ... Firewall Rule: SBS DHCP Client ...
      (microsoft.public.windows.server.sbs)
    • Re: Router/Firewall Recommendation
      ... he wants to know his options with linux firewall. ... just by reading this threads I learn what my options are ...
      (RedHat)
    • Re: I am absolutely STUNNED, thanks to the NG Experts Ive discovered a major security hole.
      ... > arms by installing things like Kaaza, ... In fact I would argue that one software and one hardware firewall ... Using an on-line virus checker from some companies is just ... Reading your post causes more alarm. ...
      (microsoft.public.windowsxp.general)