Date: Wed, 21 Jan 2004 00:07:39 -0600 From: "Micheal Patterson" <micheal@tsgincorporated.com> To: <freebsd-questions@freebsd.org> Subject: Re: ipfw/nated stateful rules example Message-ID: <034301c3dfe4$e336c1e0$0201a8c0@dredster> References: <MIEPLLIBMLEEABPDBIEGIEGCFFAA.fbsd_user@a1poweruser.com>
next in thread | previous in thread | raw e-mail | index | archive | help
----- Original Message ----- From: "fbsd_user" <fbsd_user@a1poweruser.com> To: "Micheal Patterson" <micheal@tsgincorporated.com>; <freebsd-questions@freebsd.org> Sent: Tuesday, January 20, 2004 8:18 PM Subject: RE: ipfw/nated stateful rules example > You are doing keep-state on both the Lan interface and the public > interface and it only works because the returning public packet is > being matched to stateful table entries posted by the Lan interface > keep-state rules and not the stateful table entries posted by the > external interface. Yes you are making it work, but not work > correctly. In the true security sense, this is un-secure and > invalidates the whole purpose of using keep-state rules at all. This > would never be allowed by an real firewall security professional. > > If you fell secure in using this method, be my guest. But know it's > not really providing you protection for packets inserted by an > attacker. It nullifies the benefits of keep state on the interface > facing the public internet. It's working because my fbsd box is in router mode and I don't want people to communicate with it's serial ip unless I request it. That's why there are two stateful entries. One to protect the serial and one to protect my lan. NAT sits happily in the middle. Let's take this to a more real world scenario though. You have the following: Cisco 3745 connected to a Sprint ATM circuit. Serial IP's: 62.121.1.2 Your side / 62.121.1.1 Sprint side. Cisco LAN: 10.0.0.1/30 Firewall WAN: 10.0.0.2/30 Firewall LAN: 64.1.1.1 The above is a generic dmz setup. Since this is on Sprint, the routers serial IP is not accessible either unless you specifically request it via their NOC so they can remove their default filters. I'm assuming that we're in agreement here. In this scenario, where would you put stateful? On the LAN side. Now, assume that this is a nat'd network with 128 IP's and you've got 200+ systems behind it. Cisco 2620 connected to Sprint DS1: Serial IP's: 62.121.1.2 Your side / 62.121.1.1 Sprint side Cisco LAN: 64.1.1.1 Firewall WAN w/NAT: 64.1.1.2 Firewall LAN: 192.168.1.0/24 In this scenario, you have NAT running on the firewall and doing the translations for the internal range. NAT sits on your WAN interface and does it's merry little thing. If I understand you correctly, you're saying that "Private > NAT > WAN Keep-State > World" is the accepted manner of a network security professional and is secure. Whereas what I'm doing "Private LAN Keep-State > NAT > World" is not secure and would not be accepted by a security professional? How do you figure that either method is more or less secure than the other? If stateful is breached in either method, the underlying network is compromised. Sorry, it's late and I may be missing something but I just don't see it. -- Micheal Patterson Network Administration TSG Incorporated 405-917-0600
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?034301c3dfe4$e336c1e0$0201a8c0>