Penetration Testing mailing list archives
Re: [PEN-TEST] NAT / Stateful Packet Inspection Questions
From: Deri Jones <Deri.Jones () NTA-MONITOR COM>
Date: Wed, 27 Sep 2000 18:20:15 +0100
Leon,

At 11:27 27/09/00 -0400, you wrote:
> snipped...... The network has no remote access points (it does not have a VPN or any Dial-Up Servers). It has only a server, router, & firewall.

You don't say what brand/version of firewall. Talking about the theory of NAT/SPI etc. is useful, but in the real world, it's the real products that count. Many products add extra 'management' functionality and stuff, that can make two NAT boxes totally different.

You also don't say what services you do intend to allow through the firewall - the less you allow, the less scope for problems.

Lastly, testing also needs to be more than just a 'firewall' test - test the router (it's outside the FW's protection), test all the servers that are publicly visible (letting SMTP through to an email server that allows mail relaying opens you up to be through-spammed, no matter that the firewall is there, etc).

Pen testing is not as romantic as some would suggest - a lot of it is ploughing boringly through *a lot* of tests.

You might also wonder whether it would also be helpful to your friend to call in some experienced testers, and you can observe and help out. It would be a shame to have saved your friend a few bucks by you doing the job, only for him to have problems in an area just beyond the horizon where you had looked...

Deri Jones
NTA Monitor