Security Basics mailing list archives

RE: Encryption through NAT and State table


From: "Firegoblin Postmaster" <postmaster () firegoblin com>
Date: Fri, 13 Jun 2003 17:07:25 +0100

AFAIK 'statefulness' can be used in more than one sense.

A Layer4 firewall can use TCP connection *state* to link inbound and
outbound traffic, whereas a Layer3 'stateful' firewall uses socket pairs
i.e. IP:Port <-> IP:Port (so that sessionless protocols such as UDP can be
controlled).

As the term 'stateful' firewall doesn't have a precise technical definition
(that I know of) they can both be (and are!) described as 'stateful' - though
many will argue about the latter!!

The problem of running an IPSec VPN in your situation would be the key
exchange. Many cheap SOHO routers (i.e. ?50) will automatically forward the
IKE traffic (UDP/500) for a local IPSec node (so called IPSec Pass-Thru)
when an IPSec VPN is 'detected', if the PIX can do the same you could be in
business.

-----Original Message-----
From: Gwydion Mine [mailto:Gwydion () myrealbox com]
Sent: 13 June 2003 10:07
To: security-basics () securityfocus com
Subject: Encryption through NAT and State table


Hello Chaps,

I need to get a VPN working to a client site. Problem is that for one reason
or another they do not want to configure inbound rules, only outbound, on
their firewall (PIX). For this reason I will not be able to initiate the
connection to our VPN end-point on the client network and instead will get
this VPN end-point to send keep-alives to my end every so often to keep the
VPN online.

My problem is what protocol to use L2TP or IPSec (IKE, AH, ESP). Their
network is on a 1918 and so the encrypted packets will need to flow through
the NAT table on the PIX. On top of this, because of the lack of inbound
connections, I guess it also needs to be stateful so that the PIX will allow
the return connections....

I know that by allowing GRE on a pix the above will work for PPTP (and would
assume L2TP) but ideally I want to use IPSec. ALSO, I just want to know how
it works 'cause I thought state worked on layer 4 - so in tunnel mode how
does the state table work for the PPTP connection?

Does this make sense? Any ideas would be very much appreciated.

Thanks!!

Gwyd
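The two senses of "stateful" in the reply above, and the reason the IKE exchange is the sticking point, can be shown with a small model. This is an added, constructed example, not PIX or SOHO-router code: it keeps a state table for an outbound-only policy, tracks UDP as a socket pair (IP:Port <-> IP:Port), tracks TCP by handshake state, and treats port-less protocols such as ESP and GRE as matchable only on the IP pair. Address translation itself is left out; only the state lookup is modelled. The "pass-through" rule (an outbound IKE UDP/500 or PPTP TCP/1723 control connection opening state for ESP or GRE), the addresses and the packet sequences are all assumptions made for the illustration.

```python
"""Toy model of a firewall with an outbound-only policy and a state table.

Constructed example (not PIX or router code): models socket-pair state for
UDP, handshake state for TCP, and why port-less ESP/GRE need a pass-through
entry keyed on the IP pair.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp", "esp", "gre"
    src: str
    dst: str
    sport: Optional[int] = None  # None for port-less protocols
    dport: Optional[int] = None
    flags: str = ""              # TCP flags as letters: "S", "SA", "A"


INSIDE_PREFIX = "10."            # assumption: client LAN is 10.0.0.0/8 (RFC 1918)

# Assumption: "pass-through" means an outbound control connection to this
# destination port also opens state for the matching port-less tunnel protocol.
IPSEC_PASSTHRU = {500: "esp"}    # IKE on UDP/500 -> ESP (IP protocol 50)
PPTP_PASSTHRU = {1723: "gre"}    # PPTP control on TCP/1723 -> GRE (IP protocol 47)


class StatefulFilter:
    def __init__(self, passthru=None):
        self.passthru = dict(passthru or {})
        self.table = {}          # state key -> "open" or a TCP state name

    @staticmethod
    def _inside(ip):
        return ip.startswith(INSIDE_PREFIX)

    @staticmethod
    def _key(proto, a, ap, b, bp):
        # Ported protocols are tracked as a socket pair; port-less ones
        # can only be matched on the IP pair.
        return (proto, a, b) if ap is None else (proto, a, ap, b, bp)

    def process(self, p):
        if self._inside(p.src) and not self._inside(p.dst):
            return self._outbound(p)
        return self._inbound(p)

    def _outbound(self, p):
        if p.sport is None:
            # Policy lets it out, but with no ports no socket pair is recorded;
            # replies depend on a pass-through entry existing.
            return "allow"
        key = self._key(p.proto, p.src, p.sport, p.dst, p.dport)
        if p.proto == "tcp" and key not in self.table and p.flags != "S":
            return "deny"        # mid-stream TCP with no tracked connection
        self.table.setdefault(key, "SYN_SENT" if p.proto == "tcp" else "open")
        tunnel = self.passthru.get(p.dport)
        if tunnel:
            self.table[(tunnel, p.src, p.dst)] = "open"
        return "allow"

    def _inbound(self, p):
        # Only replies to something the inside host started get through:
        # look up the mirror image of this packet.
        key = self._key(p.proto, p.dst, p.dport, p.src, p.sport)
        state = self.table.get(key)
        if state is None:
            return "deny"
        if p.proto == "tcp":
            if state == "SYN_SENT":
                if p.flags != "SA":
                    return "deny"   # only the SYN-ACK completes the handshake
                self.table[key] = "ESTABLISHED"
            elif p.flags == "S":
                return "deny"       # a fresh SYN is a new connection, not a reply
        return "allow"


def run_scenario(steps, passthru=None):
    fw = StatefulFilter(passthru)
    return {name: fw.process(pkt) for name, pkt in steps}


# Constructed addresses: VPN endpoint on the client LAN, my end, and a stranger.
CLIENT_VPN, MY_END, STRANGER = "10.1.1.5", "203.0.113.9", "198.51.100.7"

IPSEC_STEPS = [
    ("ike out",       Packet("udp", CLIENT_VPN, MY_END, 500, 500)),
    ("ike reply",     Packet("udp", MY_END, CLIENT_VPN, 500, 500)),
    ("esp reply",     Packet("esp", MY_END, CLIENT_VPN)),
    ("stranger ike",  Packet("udp", STRANGER, CLIENT_VPN, 500, 500)),
    ("stranger syn",  Packet("tcp", STRANGER, CLIENT_VPN, 40000, 22, "S")),
]

PPTP_STEPS = [
    ("pptp syn out",  Packet("tcp", CLIENT_VPN, MY_END, 1025, 1723, "S")),
    ("pptp syn-ack",  Packet("tcp", MY_END, CLIENT_VPN, 1723, 1025, "SA")),
    ("pptp ack out",  Packet("tcp", CLIENT_VPN, MY_END, 1025, 1723, "A")),
    ("gre reply",     Packet("gre", MY_END, CLIENT_VPN)),
    ("stray ack out", Packet("tcp", CLIENT_VPN, MY_END, 1026, 1723, "A")),
]

if __name__ == "__main__":
    print("IPsec, no pass-through:", run_scenario(IPSEC_STEPS))
    print("IPsec, pass-through:   ", run_scenario(IPSEC_STEPS, IPSEC_PASSTHRU))
    print("PPTP, GRE pass-through:", run_scenario(PPTP_STEPS, PPTP_PASSTHRU))
```

Running it shows the situation in the thread: the outbound IKE packet creates a socket-pair entry, so the IKE reply is allowed, but the ESP reply has no ports to match and is dropped unless the pass-through rule opened an (esp, inside, outside) entry when IKE was seen. The PPTP sequence behaves the same way for GRE, which is what "allowing GRE on the PIX" amounts to in this model.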




---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.

Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.

Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------

