Discussion:
Connection contains real IP of NATed address
Albert Wu
2008-07-17 11:43:35 UTC
Permalink
Hi all,

One error msg from NOKIA firewall, the environment is as below,
IPSO:3.8.1 build 038
CP: R55p HFA06
Mode: VRRP HA

Error msg:
Message_info:Connection contains real IP of NATed address

Need your help, thanks.
--
Best Regards,
Albert
Hugo van der Kooij
2008-07-17 18:48:16 UTC
Permalink
Albert Wu wrote:
| One error msg from NOKIA firewall, the environment is as below,
| IPSO:3.8.1 build 038
| CP: R55p HFA06
| Mode: VRRP HA

This information looks ok.

| Error msg:
| Message_info:Connection contains real IP of NATed address

But the issue here is that the log details are missing. It's just a info
field hanging around with no context. What do you expect from people if
you do not provide any relevant details like the exact log line and some
information about your security and NAT rules that apply?

Hugo.

- --
***@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
Q: Are you sure?
A: Because it reverses the logical flow of conversation.
Q: Why is top posting frowned upon?
Bored? Click on http://spamornot.org/ and rate those images.
Leif Sawyer
2008-07-17 19:09:43 UTC
Permalink
Has anybody done any work with IPv6 on their enforcement modules,
especially as a parallel/overlay with an existing IPv4 network.

I'm looking for any sort of information, from initial turn-up
to management of networks and nodes.

Trying to get a base-line of how much effort is involved, and what
sort of issues I'll be seeing when I do begin the turn-up.


Thanks.
Hugo van der Kooij
2008-07-19 06:37:57 UTC
Permalink
Leif Sawyer wrote:
| Has anybody done any work with IPv6 on their enforcement modules,
| especially as a parallel/overlay with an existing IPv4 network.

I have not yet had permision to start on this project myself. So IPv6 is
restricted to our test lab for the moment.

If my customers are kind enough not to create new problems I might get
some quality lab time to work on this.

My main concern at the moment is that IPv6 support is still lacking in
major components.

~From a security standpoint one should be aware that there is no NAT.
Lot's of people considere NAT to be part of their protection. The impact
on the home market in this regard will be the largest but even major
corporations depend on NAT as part of their security strategy.

Hugo.

- --
***@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
Q: Are you sure?
A: Because it reverses the logical flow of conversation.
Q: Why is top posting frowned upon?
Bored? Click on http://spamornot.org/ and rate those images.
Brett Lymn
2008-07-21 12:29:57 UTC
Permalink
Post by Hugo van der Kooij
~From a security standpoint one should be aware that there is no NAT.
Lot's of people considere NAT to be part of their protection. The impact
on the home market in this regard will be the largest but even major
corporations depend on NAT as part of their security strategy.
So, the first thing is to educate people that NAT is not a firewall
like seafood extender is not lobster. It may appear the same and
have some of the same properties but they just are not the same thing.
--
Brett Lymn
"Warning:
The information contained in this email and any attached files is
confidential to BAE Systems Australia. If you are not the intended
recipient, any use, disclosure or copying of this email or any
attachments is expressly prohibited. If you have received this email
in error, please notify us immediately. VIRUS: Every care has been
taken to ensure this email and its attachments are virus free,
however, any loss or damage incurred in using this email is not the
sender's responsibility. It is your responsibility to ensure virus
checks are completed before installing any data sent in this email to
your computer."
Donald Stahl
2008-07-21 14:42:52 UTC
Permalink
Post by Brett Lymn
Post by Hugo van der Kooij
on the home market in this regard will be the largest but even major
corporations depend on NAT as part of their security strategy.
No corporation depends on NAT for security. NAT is often written into
security requirements by idiotic security people (I've certainly met
enough of them), but that doesn't give you any security. If you set up 1-1
NAT's all over the place, with no firewall or ACL's, then you have
implemented NAT, but you still have absolutely no security.
Post by Brett Lymn
So, the first thing is to educate people that NAT is not a firewall
like seafood extender is not lobster. It may appear the same and
have some of the same properties but they just are not the same thing.
Just to clarify-

Static NAT offers no security at all. PAT (Port Address Translation or
Dynamic NAT) is only secure because in order to implement it, you must
first implement a stateful inspection system to track the connections. The
security in PAT comes from the stateful inspection, not from the fact that
you've implemented NAT.

Any home router implementing a stateful firewall will be as secure as a
NAT device. (Let's not argue minor differences- NAT devices inherently
fail closed, but so can any well written SI firewall, and you don't have
extra code for donig NAT which can reduce complexity and possible bugs.)

-Don
Post by Brett Lymn
--
Brett Lymn
The information contained in this email and any attached files is
confidential to BAE Systems Australia. If you are not the intended
recipient, any use, disclosure or copying of this email or any
attachments is expressly prohibited. If you have received this email
in error, please notify us immediately. VIRUS: Every care has been
taken to ensure this email and its attachments are virus free,
however, any loss or damage incurred in using this email is not the
sender's responsibility. It is your responsibility to ensure virus
checks are completed before installing any data sent in this email to
your computer."
_______________________________________________
fw1-gurus mailing list
http://lists.lists.phoneboy.com/mailman/listinfo/fw1-gurus
Loading...