Firewall Wizards mailing list archives
Re: NAT for a simple network
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Fri, 15 Aug 2003 15:27:34 +0200
"Robert E. Martin" wrote:
> With reading the post about Home Appliances, the default is "allow any out", "deny any in" for
> appliances like this. Does this mean this is "stateful packet inspection"? Are there any thoughts about this?
Sort of. Some of these little boxes make wonderful assumptions about how ports are allocated, used and re-used that indeed do work with the majority of applications. But when you get funkier than that, they have a tendency to get .. um .. confused. IPsec NAT traversal for instance confuses the heck out of the NAT in Alcatel gateways -- try to initiate stuff in the wrong order and you'll end up waiting for the states to time out before you can try again.

So, for such "Home Appliances" I guess you could say that they "keep state" if you're in a good mood, but the way that it assumes what's "outside" and "inside" and how port allocation works makes it more along the lines of a singleminded port mapping table than a real connection tracker.

Now, having said that, the average small company has security problems far worse than the risk for some überh4x0r to come along and play with their firewall state tables. Reading e-mail with Outlook and surfing with IE and not keeping up on patches and antivirus updates has so far been far worse than having a shoddy firewall, so unless you're fixing that, I wouldn't worry overly much about the state tracker.

Again: this is the _average_ small company. _Your_ security policy is your own, and I make no assumptions about that. I also do not make any promises about there not showing up automated tools to tinker with dumb state trackers at some point in the future.

Security is fun, isn't it? :)

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
"Senex semper diu dormit"

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
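The distinction Mikael draws above, a "singleminded port mapping table" keyed on the inside socket versus a "real connection tracker" keyed on the full flow, is easy to see in a toy model. The code below is an added illustration and is not from the post, from Clavister, or from any Alcatel product; the policies it models (the port-mapping NAT keeps the inside source port unchanged and accepts anything arriving at a live external port; the tracker allocates from a pool and only accepts the reverse tuple of a flow it has seen), the 30-second timeout, the addresses and the packet sequence are all constructed assumptions. It runs two inside hosts that both start IKE from UDP 500 to the same gateway, then has a stranger probe the first host's mapping, and then retries the second host after the state has aged out:

```python
# Toy model of two NAT designs: a port mapping table keyed on the inside
# (ip, port) only, versus a connection tracker keyed on the full flow.
# Added illustration; policies, timeout, addresses and packets are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


def _expire(table, now):
    """Drop every entry whose expiry time has passed (shared by both models)."""
    for key in [k for k, v in table.items() if v[1] <= now]:
        del table[key]


class PortMapNat:
    """One external port per inside socket; assumed policy: keep the inside
    source port, so two inside hosts using the same port collide until the
    older entry times out. Inbound traffic is matched on external port only."""

    def __init__(self, ttl):
        self.ttl = ttl
        self.table = {}  # (in_ip, in_port) -> [ext_port, expires_at]

    def outbound(self, pkt, now):
        _expire(self.table, now)
        key = (pkt.src, pkt.sport)
        if key in self.table:
            self.table[key][1] = now + self.ttl  # refresh existing mapping
            return self.table[key][0]
        if pkt.sport in {v[0] for v in self.table.values()}:
            return None  # collision: must wait for the stale entry to expire
        self.table[key] = [pkt.sport, now + self.ttl]
        return pkt.sport

    def inbound(self, ext_port, peer, now):
        _expire(self.table, now)
        for inside, (ep, _) in self.table.items():
            if ep == ext_port:
                return inside  # peer is never checked
        return None


class ConnTracker:
    """State per (src, sport, dst, dport); external ports come from a pool and
    inbound packets must come from the peer the inside host actually talked to."""

    def __init__(self, ttl, pool=range(40000, 40010)):
        self.ttl = ttl
        self.pool = list(pool)
        self.table = {}  # (src, sport, dst, dport) -> [ext_port, expires_at]

    def outbound(self, pkt, now):
        _expire(self.table, now)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.table:
            self.table[key][1] = now + self.ttl
            return self.table[key][0]
        in_use = {v[0] for v in self.table.values()}
        free = [p for p in self.pool if p not in in_use]
        if not free:
            return None
        self.table[key] = [free[0], now + self.ttl]
        return free[0]

    def inbound(self, ext_port, peer, now):
        _expire(self.table, now)
        for (src, sport, dst, dport), (ep, _) in self.table.items():
            if ep == ext_port and (dst, dport) == peer:
                return (src, sport)
        return None


def scenario(nat):
    """Run the same constructed packet sequence through a NAT model and
    return what happened at each step so the two designs can be compared."""
    gw = ("203.0.113.5", 500)                      # constructed IPsec gateway
    a = Pkt("10.0.0.11", 500, gw[0], gw[1])        # host A starts IKE
    b = Pkt("10.0.0.12", 500, gw[0], gw[1])        # host B starts IKE too
    stranger = ("198.51.100.9", 500)               # unrelated outside host
    obs = {}
    obs["a_port"] = nat.outbound(a, now=0)
    obs["b_port_while_a_live"] = nat.outbound(b, now=1)
    obs["reply_delivered"] = nat.inbound(obs["a_port"], gw, now=2)
    obs["stranger_delivered"] = nat.inbound(obs["a_port"], stranger, now=3)
    obs["b_port_after_timeout"] = nat.outbound(b, now=nat.ttl + 1)
    return obs


if __name__ == "__main__":
    print("port map table :", scenario(PortMapNat(ttl=30)))
    print("conn tracker   :", scenario(ConnTracker(ttl=30)))
```

With the port mapping table, host B gets nothing (`None`) until A's entry has timed out, which is the "wait for the states to time out" experience described in the post, and the stranger's packet is delivered to A because the table only knows the external port. The connection tracker gives both hosts a mapping at once and drops the stranger, because it remembers which peer each inside socket was talking to.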
Current thread:
- NAT for a simple network Robert E. Martin (Aug 13)
- Re: NAT for a simple network Mikael Olsson (Aug 15)
- <Possible follow-ups>
- re: NAT for a simple network Mike Hoskins (Aug 15)
- re: NAT for a simple network Robert E. Martin (Aug 15)
- Re: re: NAT for a simple network R. DuFresne (Aug 17)