On Wed, Jan 16, 2008 at 12:56:30AM +0000, Gareth Eason wrote:
> [host]-----[router]-----[firewall]=====[evil_net]===[www_host]
>
>   ----- = very slow connection
>   ===== = very fast connection
>
> Let's use the example where 'host' initiates a web connection and
> gets a response on port 1666. Also, the responding host decides to flood on
> port 1667. (No, I don't know why - but let's say it does.)
What if the responding host decided to flood on port 1666?
> In that case, to protect the network of slow connections behind the
> firewall, a stateful firewall is (possibly) the appropriate solution.
> Waiting for the state machine in the 'host' to discard useless (possibly
> DoS) packets is too late, whereas the firewall has the knowledge to do
> this at the edge.
In the real world this almost never arises though, LANs typically have
greater bandwidth than the external connectivity from a firewall.
> So, there is a place for stateful inspection and firewalls operating
> in that mode. Protection at the edge of a network is often deployed to
> protect the network, not just the hosts. Unless the edge router
> omnipotently knows all legal activities of the hosts behind it at all
> times, it can be shown that it cannot protect the network in all cases
> without gathering and acting on some kind of state.
Far more important though is a real cost/benefit analysis. Stateful
packet inspecting firewalls do have some benefits - though they are
generally both overstated and marginal - but they also come at
tremendous cost. Unless you want a SPOF in your network, you have to
figure out failover, state synchronisation (which necessarily increases
latency) and managing the devices competently.
Sure, if you're protecting the payment system for an online bookmaker,
go to town on it, covering your ass even marginally more is worth every
cent, even if it's mostly for the benefit of the ignorant. But in
general, the things are snakeoil.
--
Colm MacCárthaigh Public Key: colm+pgp at stdlib.net
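The distinction the two posters are arguing over, as an added Python simulation that is not part of the thread: a stateless filter can only judge each inbound packet by its ports, so the flood to 1667 gets through, while a stateful filter admits only replies to connections a host behind it opened. The hosts, ports and packet sequence are constructed from the scenario in the quoted text; the fourth packet covers the "flood on port 1666" question, which neither filter can distinguish from the real reply.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatelessFilter:
    """Per-packet rules only. To let 'host' receive its web reply at all,
    inbound traffic from a server's port 80 to any high port must be
    allowed, which also admits the flood to 1667."""

    def allow(self, pkt: Packet, inbound: bool) -> bool:
        if not inbound:
            return True
        return pkt.sport == 80 and pkt.dport > 1024


class StatefulFilter:
    """Records the 4-tuple of every outbound connection; an inbound packet
    is allowed only if it reverses a tuple some inside host initiated."""

    def __init__(self) -> None:
        self.table: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet, inbound: bool) -> bool:
        if not inbound:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def run(filt, packets) -> list[bool]:
    """Feed (packet, is_inbound) pairs through a filter; True means passed."""
    return [filt.allow(pkt, inbound) for pkt, inbound in packets]


# Constructed scenario from the thread: host opens a web connection from
# port 1666, www_host replies to 1666, then floods 1667, then floods 1666.
SCENARIO = [
    (Packet("host", 1666, "www_host", 80), False),  # outbound request
    (Packet("www_host", 80, "host", 1666), True),   # legitimate reply
    (Packet("www_host", 80, "host", 1667), True),   # unsolicited flood
    (Packet("www_host", 80, "host", 1666), True),   # flood on the open port
]

if __name__ == "__main__":
    print("stateless:", run(StatelessFilter(), SCENARIO))
    print("stateful: ", run(StatefulFilter(), SCENARIO))
```

Only the third packet separates the two filters; the fourth shows that state alone does not help once the flood uses the established tuple, which is the point raised in the reply.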