[ILUG] Somewhat OT: Dynamic vs. Static NAT?
Colm MacCarthaigh
colm at allcosts.net
Wed Jan 16 02:07:57 GMT 2008
On Wed, Jan 16, 2008 at 12:56:30AM +0000, Gareth Eason wrote:
> [host]-----[router]-----[firewall]=====[evil_net]===[www_host]
>
> ~ ----- = very slow connection
> ~ ===== = very fast connection
>
> Let's use the example where 'host' initiates a web connection and
> gets a response on port 1666. Also, the responding host decides to flood on
> port 1667. (No, I don't know why - but let's say it does.)
What if the responding host decided to flood on port 1666?
> In that case, to protect the network of slow connections behind the
> firewall, a stateful firewall is (possibly) the appropriate solution.
> Waiting for the state machine in the 'host' to discard useless (possibly
> DoS) packets is too late, whereas the firewall has the knowledge to do
> this at the edge.
In the real world this almost never arises though, LANs typically have
greater bandwidth than the external connectivity from a firewall.
> So, there is a place for stateful inspection and firewalls operating
> in that mode. Protection at the edge of a network is often deployed to
> protect the network, not just the hosts. Unless the edge router
> omnipotently knows all legal activities of the hosts behind it at all
> times, it can be shown that it cannot protect the network in all cases
> without gathering and acting on some kind of state.
Far more important though is a real cost/benefit analysis. Stateful
packet inspecting firewalls do have some benefits - though they are
generally both overstated and marginal - but they also come at
tremendous cost. Unless you want a SPOF in your network, you have to
figure out failover, state synchronisation (which necessarily increases
latency) and managing the devices competently.
Sure, if you're protecting the payment system for an online bookmaker,
go to town on it, covering your ass even marginally more is worth every
cent, even if it's mostly for the benefit of the ignorant. But in
general, the things are snakeoil.
--
Colm MacCárthaigh Public Key: colm+pgp at stdlib.net
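The following is an added example, not part of the post or of any product mentioned in it. It models the scenario from the quoted diagram in a small Python simulation: an internal host opens a web connection from port 1666, the remote host replies on 1666 and then floods port 1667, and finally floods port 1666 itself. A toy stateful filter and a toy stateless filter are run over the same constructed packets so the difference (and the limit Colm's question points at) can be checked directly. All addresses, port numbers beyond those in the thread, and the filter rules are assumptions made for the example.

```python
"""Toy stateful vs. stateless edge filter for the ILUG thread's scenario.

Constructed example: the addresses, the 'inside' set and the rule logic are
assumptions, not taken from any real firewall. The point is to show which
inbound packets an edge filter can keep off the slow link (those with no
matching state, e.g. the port-1667 flood) and which it cannot (a flood on
the port the host itself opened, 1666).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Tracks outbound flows and admits inbound packets only for known flows."""

    def __init__(self, inside):
        self.inside = set(inside)
        # state table keyed as (inside_ip, inside_port, outside_ip, outside_port)
        self.state = set()

    def process(self, pkt):
        if pkt.src in self.inside:
            # outbound packet: record the flow and let it through
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        # inbound packet: allow only if it matches a flow we have state for
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "ALLOW"
        return "DROP"


class StatelessFilter:
    """No flow memory: outbound is free, inbound is judged on port number alone."""

    def __init__(self, inside):
        self.inside = set(inside)

    def process(self, pkt):
        if pkt.src in self.inside:
            return "ALLOW"
        # typical stateless compromise: permit inbound traffic to high ports so
        # replies to client connections can get back in
        return "ALLOW" if pkt.dport >= 1024 else "DROP"


def run_scenario(filter_, packets):
    """Return the filter's verdict for each packet, in order."""
    return [filter_.process(p) for p in packets]


# Constructed addresses (RFC 1918 and TEST-NET-3 ranges), not from the thread.
HOST = "10.0.0.10"
WWW = "203.0.113.5"

SCENARIO = [
    Packet(HOST, 1666, WWW, 80),   # 'host' opens a web connection from 1666
    Packet(WWW, 80, HOST, 1666),   # legitimate response on port 1666
    Packet(WWW, 80, HOST, 1667),   # flood aimed at port 1667, never opened
    Packet(WWW, 80, HOST, 1667),
    Packet(WWW, 80, HOST, 1666),   # flood aimed at the port that IS open
]


def stateful_verdicts():
    return run_scenario(StatefulFilter({HOST}), SCENARIO)


def stateless_verdicts():
    return run_scenario(StatelessFilter({HOST}), SCENARIO)


def dropped_at_edge(verdicts):
    """How many packets the edge kept off the slow link."""
    return sum(1 for v in verdicts if v == "DROP")


if __name__ == "__main__":
    for name, verdicts in (("stateful", stateful_verdicts()),
                           ("stateless", stateless_verdicts())):
        print(name, verdicts, "dropped:", dropped_at_edge(verdicts))
```

Running it shows the stateful filter dropping the two port-1667 packets that the stateless one passes, while both pass the final packet: a flood on the port the host opened matches established state, so it reaches the slow link either way and only the host's own stack can discard it.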