Jeff Wiltshire

I was sighing at the thought of getting involved in a 'Super_Si' thread.....I always found that David had the most amusing way of dealing with them.

I did e-mail the contact at your place.....never heard anything back....


Jeff

Layer 2

[Edited by Jeff Wiltshire - 10/3/2002 2:35:36 PM]

Jeff Wiltshire

Nobody has asked any decent security questions in ages....

What's going on ? You lot become Firewall experts overnight or what


Jeff

super_si

If your bored....

Briefly Describe the following pieces network hardware.
Explain the purpose and use of each and where each may be most likely used.


Bridge
Hub
Switch
Gateway
Firewall

I know the answer, just if your bored hehehe

Si

Jeff Wiltshire

OK Si....if you know the answers...

How many different types of Firewall are there and what layer of the OSI model do they act on.....

Jeff

dsmith

Since you asked Jeff.

A managed private WAN has many many small non-summarisbale RIPE networks. (for historic reasons). plus newer summarisbale RFC1918 address blocks. The ripe addresses although non-contiguous actaully fall within about 3 or 4 class A ranges.

The WAN has firewalled G/W to the internet which NATs the IP mess behined.

Size of WAN/number of concurrent connections now exceeds what a few simple Hide addresses can cope with. Currently OK as a PIX has a pool of such addresses. However network is moving to Nokia FW-1 which doesnt offer that feature.

Would You advise :-

a) Assign individual Hide addresses based on service. e.g. 1 for HTTP, 1 for HTTPs etc.. (Still prob too many HTTP connections though)

b) assign Hide address based on source IP. i.e one for 10.x.x.x one for 172.x.x.x , etc

c) Some other soln.

In the case of b) if my NAT rule is

Orig
Src: 100.0.0.0/8 (for example a class A which covers many smaller subnets)
Dest: Any
Service: Any

XLate
Src: a.ripe.address.here (Hide)
Dest: =orig
service: =orig

Assume 100.100.100.0 is a valid ripe subnt inside the wan.

This will work fine for packets from 100.100.100.0/24 to (say) 198.133.219.25

What about if the web server is 100.200.200.200. Will that NAT rule attempt to NAT the return packet from the web server (whose src now matches the rule) ?

Deano

p.s. why FW-1 dont have PAT pools is beyond me

super_si

i really couldnt tell you off top my head being honest

When there built into a router is it Firmware or Embedded software?
Cheers dean
Si

Jeff Wiltshire

Err....don't know nuthing about FW-1 mate, I only play with ZoneAlarm at home, doesn't that make me a Security Consultant ?????


Seriously though, which version of FW-1 will be used ?

To answer your last question first, the Firewall will indeed NAT the incoming packet from that Source address.

Is all of the Nat'ing done for outbound connection ? If so I would simple create a list of all of the networks and then group them and then create a NAT rule to Hide them behind the firewalls external address. Looking at your question I doubt that's the case.....

How many of the hosts need to be externally accesable ?


Jeff

Jeff Wiltshire

Si

In answer to my own question....

There are 3 types of firewall

1. Packet Filter - Layer 2 of the OSI model
2. Proxy or application filter at Layer 7
3. Stateful Inspection between Layer 2 & 3

super_si

ive read all the above... Just never really come across NAT

dsmith

Jeff

Most definately only outbound connections.

Was hoping to have a mechanism that didnt rely on having mutiple nat rules each with a manually maintained group of specifics network objects. But that was the fallback.

If pushed I'd argue a packet filter is layer 3 and stateful inspection is layer 3/4. being a packet filter looks at the IP level and not the MAC level.


Deano

Jeff Wiltshire

Deano

You'll need to create objects for all your networks or you'll create potential security holes.

You will only need to create 1 Nat rule

Src= All Network Objects
Destination=Any
Protocol= Any

Translated
Src = Firewall Hide
Destination = Any
Protocol = Any


Jeff

super_si

but whats NAT

Jeff Wiltshire

Network Address Translation

dsmith

Yep you're right objects were going to exist for all subnets anyway. so it not that much more effort to creat the NAT rules.

We will definately need mutiple NAT ruls as a single HIDE address wont cope with the number of concurrent connections we have now @ peak times. let alone after the 4x increase ebing predicted.

Deano

Jeff Wiltshire

How many concurrent connections are you going to have ????


I've not come across any limitation on number of sessions per Hide Address.......


Jeff

super_si

Cheers lads!!

I know your all networking, But i enjoy programming, but also thinkin networking would be good. But not much knowledge on them

Si

Jeff Wiltshire

Si..........gh

Where's David Wallis when you need him ?

super_si

im still waiting for his email back actually

dsmith

Peak we've seen 90K. 75K typical Monday Lunchtime.

NAT uses the xlated source port to track the connection ? theres only 65K available ports... ?

Jeff Wiltshire

OK

Having looked at the Nokia Support site it would appear that there are a number of issues.

Total Available connnections in the State Table (default is 25K)
Total allowed connections through one hide address (default is 25K maximum is 50K)
Total NAT connections to one IP address (25K)

You'll need to make changes to the objects.c file and probable increase the memory in the Box....

NG FP2 and higher will support 100,000 plus connections but it will require a increase in memory over the standard 256Mb for NG. The NAT restrictions remain however.


I think you might be better off using multiple firewalls and/or a hardware Proxy (like a NetApp).



Jeff

chiark

I can say this with some authority..

David is in the Dry Dock pub in Leeds, leering at young pert students who wobble by. It's very troublesome trying to hold a conversation with him - he's just not listening...

The second pint should just about be over by now.

Nick.

chiark

This is a muppety thread, so...

"Corner"

super_si

lol dirty old men

chiark

I think "man" is probably right. Steve and I, being married men (not to each other I hasten to add), do not do this.

Or at least if we do, we're a hell of a lot more subtle

super_si

lol
how old are the three you ??

im coming to leeds Uni never year you wait

David_Wallis

does gh mean go home

Here I am...

Whats up Jeff Want to know about the osi model and firewalls

Did you ever mail that contact here?

Second pint is over wouldnt mind three

How old are us three.... id guess about 72 / 73

Im 22 though.

David

dsmith

Shame scoobynet cant do polls. we could have a vote on which layer packet filters work at

super_si

I mailed you the other night about how you got banned lol.

How much do you lot spend a week on drink ??

Jeff Wiltshire

Anyway....this was a serious thread until the a moderator turned it into a muppet thread

chiark

Could someone translate that from Si to English?

"never year" - please tell me it means "I'm never going to Leeds uni".

Nick.
PS - Si -