Re: Opinions: To NAT or not to NAT?

From: Alec (alec_at_nospam.com)
Date: 06/22/04

Date: Tue, 22 Jun 2004 06:23:04 GMT

"SysAdm" <willgeeza@yahoo.com> wrote in message
news:a23233af.0406211436.4f27bed4@posting.google.com...
> "Alec" <alec@nospam.com> wrote in message
news:<EqEBc.7778$Tx3.3582@newssvr24.news.prodigy.com>...

<snip>

> "...Not only is the flaw infamous, but here is the worst:
> NetScreen devised a FAKE, dummy screening option: "bypass non-IP
> traffic". Toggling it on or off has absolutely no effect..."
>
> But anyhow - rather than copy paste, it would be worth reading the
> article. It seems that the testing was carried out using Bridge mode.
> This was where my memory failed me with my reference to fail-open.
> The exploit patently didn't even need the firewall module to fail in
> order to be effective.
>
> So, fail-open or not it seems that the flaw was even more serious.
> Again, this was last July. I am uncertain at this time whether the
> bug has been rectified. According to the report, Netscreen were
> notified.
>
> ps. hope I wasn't rude...
>
> SysAdm

No problems. This was the issue I thought you might have been referring to;
however, non-IP protocol processing is not the same as saying "fails open".
Those concepts are very different in my mind, although I do agree that
passing non-IP protocols without the user being aware of (and in control of)
that behavior is a very serious security breach in its own right. However, I
do believe the information is out-of-date. Although I haven't done exhaustive
testing with many non-IP protocols, I nevertheless feel fairly confident
that at least in version 5.0 of ScreenOS the "unset interface vlan1
bypass-non-ip-all" function does indeed block all non-IP and non-ARP
traffic. I think one of the difficulties is in configuring the device to
properly block most non-IP protocols and yet still support some perhaps
desired layer 2 non-IP protocols like the Spanning Tree Protocol. There
could, perhaps, still be finer grained layer 2 non-IP blocking mechanisms,
but I do believe the full block does now work.

I didn't mean to be rude either, I just had never had any real problems with
a transparent mode firewall of the type you mentioned and so I was certainly
interested. I believe that there are certain positives, and negatives, to
almost all of the firewall devices out there right now. Competition has been
good for the firewall market, IMHO. I certainly hope the Nokias work out
well for you. They have some good gear, although I don't think it's right for
every situation... just as I don't think that NetScreen is right for every
situation. I am just trying to be objective. The initial question involved
transparent firewalling and NetScreen happens to be one of the first I think
of when it comes to transparent mode firewalling. That's all.

Alec
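To make concrete what a layer 2 "bypass non-IP" setting actually decides, and why the STP case Alec mentions is awkward, here is a small model of a transparent-mode frame filter. It is an added example written for this thread, not ScreenOS code and not anything either poster published. The frame classifier, the policy function and the sample frames are all constructed here; the policy model (IPv4 and ARP go to the stateful engine, everything else is either bypassed wholesale or dropped, with an optional STP exception keyed on the 802.1D multicast MAC and LLC SAP 0x42) is an assumption for illustration, not a description of any product's internals. The kind of check the thread is really about is the audit at the bottom: feed the same frames through with the knob on and off and confirm the decisions differ, which is exactly what the article quoted by SysAdm said did not happen.

```python
import struct

# --- constants used by the model (not vendor configuration) ---
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
STP_SAP = 0x42                                  # LLC DSAP/SSAP for IEEE 802.1D BPDUs
STP_MAC = bytes.fromhex("0180c2000000")         # 802.1D bridge group address
ETHERTYPE_MIN = 0x0600                          # below this the field is an 802.3 length


def classify(frame: bytes) -> str:
    """Coarse layer 2 classification of a raw Ethernet frame.

    Ethernet II frames carry an EtherType at offset 12; IEEE 802.3 frames carry
    a length there, followed by an LLC header (DSAP, SSAP, control).
    """
    if len(frame) < 14:
        return "runt"
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len >= ETHERTYPE_MIN:
        # Ethernet II: this model treats only IPv4 as "IP" (assumption)
        known = {ETHERTYPE_IPV4: "ipv4", ETHERTYPE_ARP: "arp"}
        return known.get(type_or_len, "ethertype-0x%04x" % type_or_len)
    if len(frame) < 17:
        return "runt"
    dsap, ssap = frame[14], frame[15]
    if dsap == STP_SAP and ssap == STP_SAP and frame[0:6] == STP_MAC:
        return "stp"
    return "llc-0x%02x" % dsap


def policy_decision(frame: bytes, bypass_non_ip_all: bool, allow_stp: bool = False) -> str:
    """Model of the bypass knob: 'inspect' (IP/ARP to the policy engine),
    'bypass' (forwarded untouched at layer 2) or 'drop'."""
    kind = classify(frame)
    if kind == "runt":
        return "drop"
    if kind in ("ipv4", "arp"):
        return "inspect"
    if bypass_non_ip_all:
        return "bypass"                # the knob on: every non-IP frame slips past
    if allow_stp and kind == "stp":
        return "bypass"                # finer-grained exception Alec wishes for
    return "drop"


def audit(frames, bypass_non_ip_all: bool, allow_stp: bool = False) -> dict:
    """Count (kind, decision) pairs so two settings can be compared side by side.
    If the two summaries are identical, the knob is doing nothing."""
    summary = {}
    for frame in frames:
        key = (classify(frame), policy_decision(frame, bypass_non_ip_all, allow_stp))
        summary[key] = summary.get(key, 0) + 1
    return summary


# --- constructed sample frames (not captures from any real network) ---
def eth2(dst: bytes, src: bytes, ethertype: int, payload: bytes = b"\x00" * 46) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


def llc(dst: bytes, src: bytes, dsap: int, ssap: int, ctrl: int, payload: bytes) -> bytes:
    body = bytes([dsap, ssap, ctrl]) + payload
    return dst + src + struct.pack("!H", len(body)) + body


MAC_A = bytes.fromhex("001122334455")
MAC_B = bytes.fromhex("66778899aabb")
SAMPLE_FRAMES = {
    "ipv4": eth2(MAC_B, MAC_A, ETHERTYPE_IPV4),
    "arp": eth2(b"\xff" * 6, MAC_A, ETHERTYPE_ARP),
    "stp": llc(STP_MAC, MAC_A, STP_SAP, STP_SAP, 0x03, b"\x00" * 35),   # BPDU shape
    "ipx_eth2": eth2(MAC_B, MAC_A, 0x8137),                              # IPX over Ethernet II
    "ipx_llc": llc(MAC_B, MAC_A, 0xE0, 0xE0, 0x03, b"\x00" * 30),        # IPX over 802.2 LLC
}


def knob_has_effect(frames) -> bool:
    """The check the thread is about: does toggling the setting change anything?"""
    return audit(frames, True) != audit(frames, False)


if __name__ == "__main__":
    frames = list(SAMPLE_FRAMES.values())
    for setting in (True, False):
        print("bypass_non_ip_all =", setting, audit(frames, setting))
    print("STP-only exception:", audit(frames, False, allow_stp=True))
    print("knob has effect:", knob_has_effect(frames))
```

The `allow_stp` branch is the "finer grained layer 2 non-IP blocking" Alec is describing: without it, an administrator who needs BPDUs to cross the bridge has to open the door to every non-IP protocol at once.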