Re: The Firewall's A Dud?

From: JR (notlikely@nowhere.com)
Date: 01/04/03


From: "JR" <notlikely@nowhere.com>
Date: Sat, 4 Jan 2003 10:09:48 -0500


<F-Y-I> wrote in message news:qaqd1vkml655a7ti8vebna2d26kvdp2e9r@4ax.com...
> Duane -
>
> For this Newbie ... what do NAT and SPI mean? I have seen this in
> this NG but never explained.
>
> tia
>
> On Sat, 04 Jan 2003 06:49:44 GMT, "Duane Arnold" <notme@notme.com>
> wrote:
>
> >> But I got the idea to test the
> >> system using Sygate's scanning programs from the Sygate website
> >
> >If those ports are *closed*, that's really all that counts. If you're
> >talking about being stealthed, it's a bunch of crap from a software
> >firewall perspective.
> >
> >If you truly want to be stealthed, then get a NAT router with SPI and get
> >behind it. And then your machine is stealthed.
> >
> > > IDS programs
> >
> >And may I ask what IDS program you're using?
> >
> >Duane :)
> >
>
SPI - Stateful Packet Inspection, invented by Checkpoint, is a firewall
architecture that keeps track of requests made by the user. To really
oversimplify it, if you wanted to check your hotmail account, your machine would
send out a request to 64.4.53.7 port 80 from a port above 1023 on your
machine. The SPI firewall will only allow back in a request from 64.4.53.7
through the same temporarily opened port (above 1023).

NAT - Network Address Translation is where an internal network address is
translated to an external address. The internal address can be in the
private address ranges, and translated to one or more valid external IPs,
depending on the type of NAT used.

JR
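
The behaviour described in the post above, as an added example that is not part of the original message: a toy Python model of a NAT router that keeps a stateful connection table. The inside address 192.168.1.100, source port 1055, public address 203.0.113.10, starting port 40000 and all class and function names are constructed for illustration; real SPI firewalls also track protocol state such as TCP flags and timeouts, which this model leaves out.

```python
# Added illustration: toy NAPT router with a stateful (SPI-style) connection table.
from dataclasses import dataclass, field

@dataclass
class NatSpiRouter:
    public_ip: str
    next_port: int = 40000                      # constructed starting port for translations
    # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
    table: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Inside host opens a connection: record state, rewrite the source."""
        for key, inside in self.table.items():
            if inside == (src_ip, src_port) and key[1:] == (dst_ip, dst_port):
                return (self.public_ip, key[0], dst_ip, dst_port)   # existing flow
        pub_port = self.next_port
        self.next_port += 1
        self.table[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arriving on the public side: forward only if it matches state."""
        inside = self.table.get((dst_port, src_ip, src_port))
        if inside is None:
            return None                          # no matching request: dropped silently
        return (src_ip, src_port, inside[0], inside[1])

    def close(self, pub_port, remote_ip, remote_port):
        """Connection finished or timed out: the temporary opening goes away."""
        self.table.pop((pub_port, remote_ip, remote_port), None)


def demo():
    r = NatSpiRouter(public_ip="203.0.113.10")   # constructed documentation address
    # Inside PC 192.168.1.100, source port 1055, requests 64.4.53.7 port 80.
    _, pub_port, _, _ = r.outbound("192.168.1.100", 1055, "64.4.53.7", 80)
    results = {
        "reply": r.inbound("64.4.53.7", 80, pub_port),          # matches the request
        "other_host": r.inbound("198.51.100.9", 80, pub_port),  # wrong remote address
        "unsolicited": r.inbound("64.4.53.7", 80, 139),         # port never opened
    }
    r.close(pub_port, "64.4.53.7", 80)
    results["after_close"] = r.inbound("64.4.53.7", 80, pub_port)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12} -> {outcome}")
```

Only the packet from the address and port that was originally contacted is translated back to the inside machine; everything else finds no table entry and is dropped without a reply.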


