What's going on....
#1
Scooby Regular
Thread Starter
I was sighing at the thought of getting involved in a 'Super_Si' thread.....I always found that David had the most amusing way of dealing with them.
I did e-mail the contact at your place.....never heard anything back....
Jeff
Layer 2
[Edited by Jeff Wiltshire - 10/3/2002 2:35:36 PM]
#2
Scooby Regular
Thread Starter
Nobody has asked any decent security questions in ages....
What's going on? You lot become firewall experts overnight or what?
Jeff
#3
Scooby Regular
Join Date: Feb 2002
Location: Lurkin Somewhere
If you're bored....
Briefly describe the following pieces of network hardware.
Explain the purpose and use of each and where each is most likely to be used.
Bridge
Hub
Switch
Gateway
Firewall
I know the answer, just if you're bored hehehe
Si
#4
Scooby Regular
Thread Starter
OK Si....if you know the answers...
How many different types of Firewall are there and what layer of the OSI model do they act on.....
Jeff
#5
Since you asked Jeff.
A managed private WAN has many, many small non-summarisable RIPE networks (for historic reasons), plus newer summarisable RFC1918 address blocks. The RIPE addresses, although non-contiguous, actually fall within about 3 or 4 class A ranges.
The WAN has a firewalled G/W to the internet which NATs the IP mess behind it.
Size of WAN/number of concurrent connections now exceeds what a few simple Hide addresses can cope with. Currently OK as a PIX has a pool of such addresses. However the network is moving to Nokia FW-1 which doesn't offer that feature.
Would you advise:
a) Assign individual Hide addresses based on service, e.g. 1 for HTTP, 1 for HTTPS etc. (Still prob too many HTTP connections though)
b) Assign Hide address based on source IP, i.e. one for 10.x.x.x, one for 172.x.x.x, etc.
c) Some other solution.
In the case of b) if my NAT rule is
Orig
Src: 100.0.0.0/8 (for example a class A which covers many smaller subnets)
Dest: Any
Service: Any
XLate
Src: a.ripe.address.here (Hide)
Dest: =orig
Service: =orig
Assume 100.100.100.0 is a valid RIPE subnet inside the WAN.
This will work fine for packets from 100.100.100.0/24 to (say) 198.133.219.25
What about if the web server is 100.200.200.200? Will that NAT rule attempt to NAT the return packet from the web server (whose src now matches the rule)?
Deano
p.s. why FW-1 doesn't have PAT pools is beyond me
#7
Scooby Regular
Thread Starter
Err....don't know nuthing about FW-1 mate, I only play with ZoneAlarm at home, doesn't that make me a Security Consultant ?????
Seriously though, which version of FW-1 will be used ?
To answer your last question first, the Firewall will indeed NAT the incoming packet from that Source address.
Is all of the NAT'ing done for outbound connections? If so I would simply create a list of all of the networks, then group them and then create a NAT rule to Hide them behind the firewall's external address. Looking at your question I doubt that's the case.....
How many of the hosts need to be externally accessible?
Jeff
#8
Scooby Regular
Thread Starter
Si
In answer to my own question....
There are 3 types of firewall
1. Packet Filter - Layer 2 of the OSI model
2. Proxy or application filter at Layer 7
3. Stateful Inspection between Layer 2 & 3
#10
Jeff
Most definitely only outbound connections.
Was hoping to have a mechanism that didn't rely on having multiple NAT rules each with a manually maintained group of specific network objects. But that was the fallback.
If pushed I'd argue a packet filter is layer 3 and stateful inspection is layer 3/4, as a packet filter looks at the IP level and not the MAC level.
Deano
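The exchange above (Jeff's three firewall types, Deano's reply on which layers they work at) turns on what each type can see when it makes a decision. The following Python is an added example, not code from the thread: it models a stateless packet filter and a stateful-inspection engine and runs both over the same constructed traffic. The inside network 192.168.1.0/24, the documentation-range addresses and the "TCP with ACK set means established" heuristic are assumptions for the illustration.

```python
from collections import namedtuple

# Constructed packet model: only the layer 3/4 header fields a filter can see.
Packet = namedtuple("Packet", "src sport dst dport proto flags")

INSIDE_PREFIX = "192.168.1."   # assumed inside network (192.168.1.0/24)


def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)


def packet_filter(pkt):
    """Stateless packet filter: each packet is judged on its own headers.

    Replies can only be let back in by a header heuristic, here the classic
    'TCP with ACK set belongs to an existing connection' rule.
    """
    if pkt.proto != "tcp":
        return "drop"
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return "accept"                          # any outbound TCP
    if is_inside(pkt.dst) and not is_inside(pkt.src) and "A" in pkt.flags:
        return "accept"                          # "looks like" a reply
    return "drop"


class StatefulFirewall:
    """Stateful inspection: headers plus a connection table (layer 3/4 state)."""

    def __init__(self):
        self.table = set()   # outbound 4-tuples of connections we opened

    def inspect(self, pkt):
        if pkt.proto != "tcp":
            return "drop"
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            if pkt.flags == "S":                 # new outbound connection
                self.table.add(key)
                return "accept"
            return "accept" if key in self.table else "drop"
        # Inbound: accepted only as a reply to a tracked outbound connection.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "accept" if reverse in self.table else "drop"


def run(packets):
    """Return (packet_filter verdict, stateful verdict) for each packet."""
    fw = StatefulFirewall()
    return [(packet_filter(p), fw.inspect(p)) for p in packets]


# Constructed traffic: a legitimate web fetch (SYN, SYN/ACK, ACK), then an
# unsolicited inbound packet with ACK set, i.e. an ACK-scan style probe.
TRAFFIC = [
    Packet("192.168.1.10", 40001, "198.51.100.7", 80, "tcp", "S"),
    Packet("198.51.100.7", 80, "192.168.1.10", 40001, "tcp", "SA"),
    Packet("192.168.1.10", 40001, "198.51.100.7", 80, "tcp", "A"),
    Packet("203.0.113.9", 31337, "192.168.1.10", 445, "tcp", "A"),
]

if __name__ == "__main__":
    for pkt, (pf, sf) in zip(TRAFFIC, run(TRAFFIC)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}]"
              f"  filter={pf}  stateful={sf}")
```

The first three packets pass both engines. The fourth, an inbound packet to port 445 with ACK set and no matching outbound connection, is accepted by the packet filter because its header satisfies the "established" heuristic, and dropped by stateful inspection because no entry in the connection table explains it. That difference is the practical reason stateful inspection is classed separately from plain packet filtering: the decision uses connection state, not just the fields in the packet in hand.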
#11
Scooby Regular
Thread Starter
Deano
You'll need to create objects for all your networks or you'll create potential security holes.
You will only need to create 1 Nat rule
Src= All Network Objects
Destination=Any
Protocol= Any
Translated
Src = Firewall Hide
Destination = Any
Protocol = Any
Jeff
#14
Yep, you're right, objects were going to exist for all subnets anyway, so it's not that much more effort to create the NAT rules.
We will definitely need multiple NAT rules as a single Hide address won't cope with the number of concurrent connections we have now at peak times, let alone after the 4x increase being predicted.
Deano
#15
Scooby Regular
Thread Starter
How many concurrent connections are you going to have ????
I've not come across any limitation on number of sessions per Hide Address.......
Jeff
#20
Scooby Regular
Thread Starter
OK
Having looked at the Nokia Support site it would appear that there are a number of issues.
Total available connections in the state table (default is 25K)
Total allowed connections through one hide address (default is 25K, maximum is 50K)
Total NAT connections to one IP address (25K)
You'll need to make changes to the objects.c file and probably increase the memory in the box....
NG FP2 and higher will support 100,000 plus connections but it will require an increase in memory over the standard 256Mb for NG. The NAT restrictions remain, however.
I think you might be better off using multiple firewalls and/or a hardware Proxy (like a NetApp).
Jeff
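Deano's NAT question (whether a hide rule written on 100.0.0.0/8 will act on the web server's return packet), Jeff's single-rule answer and the per-hide-address connection cap quoted from the Nokia site all come down to how a connection-tracked hide NAT behaves. The Python below is an added example, not FW-1 or any vendor's code: it models a generic stateful hide (port) NAT that consults its connection table before the rulebase, using option (b)'s one-hide-address-per-source-aggregate rules. The hide addresses (203.0.113.x), the translated-port pool and PER_HIDE_LIMIT are assumptions for the illustration; 25K is the default figure quoted in the thread, not a value measured on FW-1, and the real product's rule-matching order should be confirmed against its documentation.

```python
import ipaddress
import math
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

# Hypothetical rulebase for option (b): one hide address per source aggregate.
# Hide addresses are documentation ranges, not real RIPE allocations.
HIDE_RULES = [
    (ipaddress.ip_network("10.0.0.0/8"),    "203.0.113.1"),
    (ipaddress.ip_network("172.16.0.0/12"), "203.0.113.2"),
    (ipaddress.ip_network("100.0.0.0/8"),   "203.0.113.3"),  # the thread's /8 example
]
PORT_POOL = range(10000, 60000)   # assumed translated-port range per hide address
PER_HIDE_LIMIT = 25000            # per-hide-address connection cap quoted in the thread


class HideNAT:
    """Connection-tracked hide (port) NAT: connection table first, rulebase second."""

    def __init__(self, rules, limit=PER_HIDE_LIMIT):
        self.rules = rules
        self.limit = limit
        self.forward = {}   # (src, sport, dst, dport) -> (hide, hport)
        self.reverse = {}   # (hide, hport, dst, dport) -> (src, sport)
        self.free_ports = {hide: list(PORT_POOL) for _, hide in rules}

    def in_use(self, hide):
        return len(PORT_POOL) - len(self.free_ports[hide])

    def translate(self, pkt):
        # 1. Reply to a tracked connection: undo the translation, no rule lookup.
        orig = self.reverse.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig:
            return "reply", pkt._replace(dst=orig[0], dport=orig[1])
        # 2. Further packets of a tracked outbound connection reuse the mapping.
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.forward:
            hide, hport = self.forward[key]
            return "hide", pkt._replace(src=hide, sport=hport)
        # 3. New connection: first rule whose original-source network matches.
        src_ip = ipaddress.ip_address(pkt.src)
        for net, hide in self.rules:
            if src_ip in net:
                if self.in_use(hide) >= self.limit or not self.free_ports[hide]:
                    return "exhausted", None      # hide address full: connection dropped
                hport = self.free_ports[hide].pop()
                self.forward[key] = (hide, hport)
                self.reverse[(hide, hport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
                return "hide", pkt._replace(src=hide, sport=hport)
        return "no-nat", pkt


def deanos_case():
    """Client inside 100/8 talks to a web server that is also in 100/8 but outside the WAN."""
    nat = HideNAT(HIDE_RULES)
    action, out = nat.translate(Packet("100.100.100.5", 40000, "100.200.200.200", 80))
    # The server's reply has src 100.200.200.200, which matches the rule's source
    # condition too, but the connection table is consulted first and recognises it.
    r_action, back = nat.translate(Packet("100.200.200.200", 80, out.src, out.sport))
    # An unsolicited connection *from* the server is a new flow: it reaches the
    # rulebase, and a rule written on 100.0.0.0/8 matches it as if it were internal.
    f_action, _ = nat.translate(Packet("100.200.200.200", 4444, "203.0.113.9", 22))
    return (action, out), (r_action, back), f_action


def exhaust(limit=3):
    """Open connections from distinct 10/8 clients until the hide address is full."""
    nat = HideNAT(HIDE_RULES, limit=limit)
    return [nat.translate(Packet(f"10.0.0.{i}", 50000, "198.51.100.7", 443))[0]
            for i in range(1, limit + 2)]


def hides_needed(peak_connections, limit=PER_HIDE_LIMIT):
    """Minimum hide addresses for a peak, given a per-hide connection cap."""
    return math.ceil(peak_connections / limit)


if __name__ == "__main__":
    print(deanos_case())
    print(exhaust(3))
    print("hides for 100K @ 25K:", hides_needed(100000), "@ 50K:", hides_needed(100000, 50000))
```

In this model the return packet from the web server is handled by the connection table and never consulted against the hide rule, but a fresh connection sourced from 100.200.200.200 does reach the rulebase and is hidden because the /8 is wider than the addresses the WAN owns; that is the argument for the explicit per-network objects Jeff recommends rather than a covering class A. The exhaustion run shows the per-hide cap turning the next new connection into a drop, and hides_needed() is the planning arithmetic for the thread's 4x growth case against the 25K default or the 50K maximum.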
#21
I can say this with some authority..
David is in the Dry Dock pub in Leeds, leering at young pert students who wobble by. It's very troublesome trying to hold a conversation with him - he's just not listening...
The second pint should just about be over by now.
Nick.
#26
Scooby Regular
Join Date: Nov 2001
Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?
Si..........gh
Where's David Wallis when you need him ?
Here I am...
What's up Jeff? Want to know about the OSI model and firewalls?
Did you ever mail that contact here?
Second pint is over, wouldn't mind three.
How old are us three.... I'd guess about 72 / 73
I'm 22 though.
David
#30
I'm coming to Leeds Uni never year you wait
"never year" - please tell me it means "I'm never going to Leeds uni".
Nick.
PS - Si -