What's going on....
Thread Starter
Scooby Regular
Joined: Nov 2000
Posts: 2,021
Likes: 1
From: 412 Wheel HP Audi RS4
I was sighing at the thought of getting involved in a 'Super_Si' thread.....I always found that David had the most amusing way of dealing with them.
I did e-mail the contact at your place.....never heard anything back....
Jeff
Layer 2
[Edited by Jeff Wiltshire - 10/3/2002 2:35:36 PM]
I did e-mail the contact at your place.....never heard anything back....
Jeff
Layer 2
[Edited by Jeff Wiltshire - 10/3/2002 2:35:36 PM]
Scooby Regular
Joined: Feb 2002
Posts: 7,951
Likes: 0
From: Lurkin Somewhere
If your bored....
Briefly Describe the following pieces network hardware.
Explain the purpose and use of each and where each may be most likely used.
Bridge
Hub
Switch
Gateway
Firewall
I know the answer, just if your bored hehehe
Si
Briefly Describe the following pieces network hardware.
Explain the purpose and use of each and where each may be most likely used.
Bridge
Hub
Switch
Gateway
Firewall
I know the answer, just if your bored hehehe
Si
Scooby Regular
Joined: Mar 1999
Posts: 4,518
Likes: 0
Since you asked Jeff.
A managed private WAN has many many small non-summarisbale RIPE networks. (for historic reasons). plus newer summarisbale RFC1918 address blocks. The ripe addresses although non-contiguous actaully fall within about 3 or 4 class A ranges.
The WAN has firewalled G/W to the internet which NATs the IP mess behined.
Size of WAN/number of concurrent connections now exceeds what a few simple Hide addresses can cope with. Currently OK as a PIX has a pool of such addresses. However network is moving to Nokia FW-1 which doesnt offer that feature.
Would You advise :-
a) Assign individual Hide addresses based on service. e.g. 1 for HTTP, 1 for HTTPs etc.. (Still prob too many HTTP connections though)
b) assign Hide address based on source IP. i.e one for 10.x.x.x one for 172.x.x.x , etc
c) Some other soln.
In the case of b) if my NAT rule is
Orig
Src: 100.0.0.0/8 (for example a class A which covers many smaller subnets)
Dest: Any
Service: Any
XLate
Src: a.ripe.address.here (Hide)
Dest: =orig
service: =orig
Assume 100.100.100.0 is a valid ripe subnt inside the wan.
This will work fine for packets from 100.100.100.0/24 to (say) 198.133.219.25
What about if the web server is 100.200.200.200. Will that NAT rule attempt to NAT the return packet from the web server (whose src now matches the rule) ?
Deano
p.s. why FW-1 dont have PAT pools is beyond me
A managed private WAN has many many small non-summarisbale RIPE networks. (for historic reasons). plus newer summarisbale RFC1918 address blocks. The ripe addresses although non-contiguous actaully fall within about 3 or 4 class A ranges.
The WAN has firewalled G/W to the internet which NATs the IP mess behined.
Size of WAN/number of concurrent connections now exceeds what a few simple Hide addresses can cope with. Currently OK as a PIX has a pool of such addresses. However network is moving to Nokia FW-1 which doesnt offer that feature.
Would You advise :-
a) Assign individual Hide addresses based on service. e.g. 1 for HTTP, 1 for HTTPs etc.. (Still prob too many HTTP connections though)
b) assign Hide address based on source IP. i.e one for 10.x.x.x one for 172.x.x.x , etc
c) Some other soln.
In the case of b) if my NAT rule is
Orig
Src: 100.0.0.0/8 (for example a class A which covers many smaller subnets)
Dest: Any
Service: Any
XLate
Src: a.ripe.address.here (Hide)
Dest: =orig
service: =orig
Assume 100.100.100.0 is a valid ripe subnt inside the wan.
This will work fine for packets from 100.100.100.0/24 to (say) 198.133.219.25
What about if the web server is 100.200.200.200. Will that NAT rule attempt to NAT the return packet from the web server (whose src now matches the rule) ?
Deano
p.s. why FW-1 dont have PAT pools is beyond me
Thread Starter
Scooby Regular
Joined: Nov 2000
Posts: 2,021
Likes: 1
From: 412 Wheel HP Audi RS4
Err....don't know nuthing about FW-1 mate, I only play with ZoneAlarm at home, doesn't that make me a Security Consultant ?????
Seriously though, which version of FW-1 will be used ?
To answer your last question first, the Firewall will indeed NAT the incoming packet from that Source address.
Is all of the Nat'ing done for outbound connection ? If so I would simple create a list of all of the networks and then group them and then create a NAT rule to Hide them behind the firewalls external address. Looking at your question I doubt that's the case.....
How many of the hosts need to be externally accesable ?
Jeff
Seriously though, which version of FW-1 will be used ?
To answer your last question first, the Firewall will indeed NAT the incoming packet from that Source address.
Is all of the Nat'ing done for outbound connection ? If so I would simple create a list of all of the networks and then group them and then create a NAT rule to Hide them behind the firewalls external address. Looking at your question I doubt that's the case.....
How many of the hosts need to be externally accesable ?
Jeff
Trending Topics
Thread Starter
Scooby Regular
Joined: Nov 2000
Posts: 2,021
Likes: 1
From: 412 Wheel HP Audi RS4
Si
In answer to my own question....
There are 3 types of firewall
1. Packet Filter - Layer 2 of the OSI model
2. Proxy or application filter at Layer 7
3. Stateful Inspection between Layer 2 & 3
In answer to my own question....
There are 3 types of firewall
1. Packet Filter - Layer 2 of the OSI model
2. Proxy or application filter at Layer 7
3. Stateful Inspection between Layer 2 & 3
Scooby Regular
Joined: Mar 1999
Posts: 4,518
Likes: 0
Jeff
Most definately only outbound connections.
Was hoping to have a mechanism that didnt rely on having mutiple nat rules each with a manually maintained group of specifics network objects. But that was the fallback.
If pushed I'd argue a packet filter is layer 3 and stateful inspection is layer 3/4. being a packet filter looks at the IP level and not the MAC level.
Deano
Most definately only outbound connections.
Was hoping to have a mechanism that didnt rely on having mutiple nat rules each with a manually maintained group of specifics network objects. But that was the fallback.
If pushed
I'd argue a packet filter is layer 3 and stateful inspection is layer 3/4. being a packet filter looks at the IP level and not the MAC level.Deano
Thread Starter
Scooby Regular
Joined: Nov 2000
Posts: 2,021
Likes: 1
From: 412 Wheel HP Audi RS4
Deano
You'll need to create objects for all your networks or you'll create potential security holes.
You will only need to create 1 Nat rule
Src= All Network Objects
Destination=Any
Protocol= Any
Translated
Src = Firewall Hide
Destination = Any
Protocol = Any
Jeff
You'll need to create objects for all your networks or you'll create potential security holes.
You will only need to create 1 Nat rule
Src= All Network Objects
Destination=Any
Protocol= Any
Translated
Src = Firewall Hide
Destination = Any
Protocol = Any
Jeff
Scooby Regular
Joined: Mar 1999
Posts: 4,518
Likes: 0
Yep you're right objects were going to exist for all subnets anyway. so it not that much more effort to creat the NAT rules.
We will definately need mutiple NAT ruls as a single HIDE address wont cope with the number of concurrent connections we have now @ peak times. let alone after the 4x increase ebing predicted.
Deano
We will definately need mutiple NAT ruls as a single HIDE address wont cope with the number of concurrent connections we have now @ peak times. let alone after the 4x increase ebing predicted.
Deano
Thread Starter
Scooby Regular
Joined: Nov 2000
Posts: 2,021
Likes: 1
From: 412 Wheel HP Audi RS4
OK
Having looked at the Nokia Support site it would appear that there are a number of issues.
Total Available connnections in the State Table (default is 25K)
Total allowed connections through one hide address (default is 25K maximum is 50K)
Total NAT connections to one IP address (25K)
You'll need to make changes to the objects.c file and probable increase the memory in the Box....
NG FP2 and higher will support 100,000 plus connections but it will require a increase in memory over the standard 256Mb for NG. The NAT restrictions remain however.
I think you might be better off using multiple firewalls and/or a hardware Proxy (like a NetApp).
Jeff
Having looked at the Nokia Support site it would appear that there are a number of issues.
Total Available connnections in the State Table (default is 25K)
Total allowed connections through one hide address (default is 25K maximum is 50K)
Total NAT connections to one IP address (25K)
You'll need to make changes to the objects.c file and probable increase the memory in the Box....
NG FP2 and higher will support 100,000 plus connections but it will require a increase in memory over the standard 256Mb for NG. The NAT restrictions remain however.
I think you might be better off using multiple firewalls and/or a hardware Proxy (like a NetApp).
Jeff
Scooby Regular
Joined: Jun 2000
Posts: 13,735
Likes: 0
I can say this with some authority..
David is in the Dry Dock pub in Leeds, leering at young pert students who wobble by. It's very troublesome trying to hold a conversation with him - he's just not listening...
The second pint should just about be over by now.
Nick.
David is in the Dry Dock pub in Leeds, leering at young pert students who wobble by. It's very troublesome trying to hold a conversation with him - he's just not listening...
The second pint should just about be over by now.
Nick.
Scooby Regular
Joined: Nov 2001
Posts: 15,239
Likes: 1
From: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?
Si..........gh
Where's David Wallis when you need him ?
Where's David Wallis when you need him ?
Here I am...
Whats up Jeff Want to know about the osi model and firewalls
Did you ever mail that contact here?
Second pint is over
wouldnt mind three How old are us three.... id guess about 72 / 73
Im 22 though.
David