Re: [fw-wiz] NAT for a simple network

From: Mikael Olsson (mikael.olsson_at_clavister.com)
Date: 08/15/03

  • Next message: Ames, Neil: "RE: [fw-wiz] worm + VPN + firewall"
    To: "Robert E. Martin" <rmartin@fishburne.org>
    Date: Fri, 15 Aug 2003 15:27:34 +0200
    
    

    "Robert E. Martin" wrote:
    >
    > With reading the post about Home Appliances, the default is "allow
    > any out", "deny any in" for > appliances like this. Does this mean
    > this is "stateful packet inspection"? Are there any thoughts about this?

    Sort of. Some of these little boxes make wonderful assumptions about
    how ports are allocated, used and re-used that indeed do work with the
    majority of applications. But when you get funkier than that, they have
    a tendency to get .. um .. confused. IPsec NAT traversal for instance
    confuses the heck out of the NAT in alcatel gateways -- try to initiate
    stuff in the wrong order and you'll end up waiting for the states to
    time out before you can try again.

    So, for such "Home Appliances" I guess you could say that they "keep
    state" if you're in a good mood, but the way that it assumes what's
    "outside" and "inside" and how port allocation works makes it more
    along the lines of a singleminded port mapping table than a real
    connection tracker.

    Now, having said that, the average small company has security
    problems far worse than the risk for some überh4x0r to come
    along and play with their firewall state tables. Reading e-mail
    with outlook and surfing with IE and not keeping up on patches
    and antivirus updates has so far been far worse than having a
    shoddy firewall, so unless you're fixing that, I wouldn't worry
    overly much about the state tracker.

    Again: this is the _average_ small company. _Your_ security
    policy is your own, and I make no assumptions about that.
    I also do not make any promises about there not showing up
    automated tools to tinker with dumb state trackers at some
    point in the future.

    Security is fun, isn't it? :)

    -- 
    Mikael Olsson, Clavister AB
    Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
    Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
    Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
    "Senex semper diu dormit"
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    

  • Next message: Ames, Neil: "RE: [fw-wiz] worm + VPN + firewall"