Firewall Wizards mailing list archives

Re: NAT for a simple network


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Fri, 15 Aug 2003 15:27:34 +0200


"Robert E. Martin" wrote:

> From reading the post about Home Appliances, the default is "allow
> any out", "deny any in" for appliances like this. Does this mean
> this is "stateful packet inspection"? Are there any thoughts about this?

Sort of. Some of these little boxes make wonderful assumptions about 
how ports are allocated, used and re-used that indeed do work with the 
majority of applications. But when you get funkier than that, they have 
a tendency to get .. um .. confused. IPsec NAT traversal, for instance, 
confuses the heck out of the NAT in Alcatel gateways -- try to initiate 
stuff in the wrong order and you'll end up waiting for the states to 
time out before you can try again.

So, for such "Home Appliances" I guess you could say that they "keep 
state" if you're in a good mood, but the way they assume what's 
"outside" and "inside" and how port allocation works makes it more 
along the lines of a single-minded port mapping table than a real 
connection tracker.

Now, having said that, the average small company has security
problems far worse than the risk of some überh4x0r coming
along and playing with their firewall state tables. Reading e-mail
with Outlook and surfing with IE and not keeping up on patches
and antivirus updates has so far been far worse than having a 
shoddy firewall, so unless you're fixing that, I wouldn't worry 
overly much about the state tracker. 

Again: this is the _average_ small company. _Your_ security
policy is your own, and I make no assumptions about that.
I also do not make any promises about there not showing up
automated tools to tinker with dumb state trackers at some
point in the future.

Security is fun, isn't it? :)

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

"Senex semper diu dormit"
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
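The distinction Mikael draws above, between a "single-minded port mapping table" and a "real connection tracker", is easy to see in code. The following is an added illustration, not code from the original post, and it does not model any real gateway (Alcatel's or anyone else's): it is a toy of the two designs, one keyed by external port alone and one keyed by the whole connection, both doing "allow any out, deny any in". The addresses (RFC 5737 documentation ranges), ports and the idle timeout are made up for the example.

```python
"""Toy model of "allow any out, deny any in" with two kinds of state.

Added example, not from the original post; not a model of any product.
Addresses are RFC 5737 documentation ranges chosen for the example.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "198.51.100.1"  # assumed WAN address of the gateway


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


class PortMappingNAT:
    """Keyed by external port only: it remembers which inside host owns a
    port, but not which remote endpoint that host was talking to."""

    def __init__(self, idle_timeout: float = 30.0) -> None:
        self.idle_timeout = idle_timeout
        self.next_port = 40000
        # ext_port -> (inside_ip, inside_port, last_seen)
        self.table: Dict[int, Tuple[str, int, float]] = {}

    def outbound(self, pkt: Packet, now: float) -> Packet:
        for ext_port, (ip, port, _) in self.table.items():
            if (ip, port) == (pkt.src_ip, pkt.src_port):
                break  # reuse the mapping regardless of destination
        else:
            ext_port, self.next_port = self.next_port, self.next_port + 1
        self.table[ext_port] = (pkt.src_ip, pkt.src_port, now)
        return Packet(PUBLIC_IP, ext_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        self._expire(now)
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None  # "deny any in": no mapping for this port
        in_ip, in_port, _ = entry
        self.table[pkt.dst_port] = (in_ip, in_port, now)
        # Anyone who hits a mapped port is let through: there is no record
        # of the remote endpoint to compare the sender against.
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.proto)

    def _expire(self, now: float) -> None:
        for p in [p for p, (_, _, seen) in self.table.items()
                  if now - seen > self.idle_timeout]:
            del self.table[p]


class ConnectionTracker:
    """Keyed by the whole connection: an inbound packet is a reply only if
    it comes from the remote endpoint the inside host actually contacted."""

    def __init__(self, idle_timeout: float = 30.0) -> None:
        self.idle_timeout = idle_timeout
        self.next_port = 40000
        # (ext_port, remote_ip, remote_port, proto) -> (inside_ip, inside_port, last_seen)
        self.table: Dict[Tuple[int, str, int, str], Tuple[str, int, float]] = {}

    def outbound(self, pkt: Packet, now: float) -> Packet:
        for key, (ip, port, _) in self.table.items():
            if (ip, port, *key[1:]) == (pkt.src_ip, pkt.src_port,
                                        pkt.dst_ip, pkt.dst_port, pkt.proto):
                ext_port = key[0]
                break
        else:
            ext_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(ext_port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (
            pkt.src_ip, pkt.src_port, now)
        return Packet(PUBLIC_IP, ext_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        self._expire(now)
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        entry = self.table.get(key)
        if entry is None:
            return None  # unknown connection, or the wrong peer for a known port
        in_ip, in_port, _ = entry
        self.table[key] = (in_ip, in_port, now)
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.proto)

    def _expire(self, now: float) -> None:
        for k in [k for k, (_, _, seen) in self.table.items()
                  if now - seen > self.idle_timeout]:
            del self.table[k]


def scenario(gateway) -> Dict[str, bool]:
    """Constructed traffic: an inside host queries a DNS server, the server
    replies, a stranger probes the same external port, and a late reply
    arrives after the idle timeout has passed."""
    out = gateway.outbound(Packet("10.0.0.5", 5000, "203.0.113.7", 53), now=0.0)
    ext = out.src_port
    reply = gateway.inbound(Packet("203.0.113.7", 53, PUBLIC_IP, ext), now=1.0)
    stranger = gateway.inbound(Packet("203.0.113.9", 9999, PUBLIC_IP, ext), now=2.0)
    late = gateway.inbound(Packet("203.0.113.7", 53, PUBLIC_IP, ext), now=100.0)
    return {"reply_delivered": reply is not None,
            "stranger_delivered": stranger is not None,
            "late_reply_delivered": late is not None}


if __name__ == "__main__":
    for gw in (PortMappingNAT(), ConnectionTracker()):
        print(type(gw).__name__, scenario(gw))
```

Both gateways deny the truly unsolicited case (no mapping at all) and both drop the late reply once the state has aged out, which is the "wait for the states to time out" effect the post mentions. The difference shows up in the middle case: the port-mapping table forwards the stranger's packet to the inside host because it never recorded who the inside host was talking to, while the connection tracker drops it. The real boxes the post describes are more elaborate than this toy, but the shortcut it models is the kind that makes a mapping table look like state tracking only when traffic behaves as the box expects.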

