Creeva's World 2.0 » SGS http://creeva.com My life unfolding and being told online - 1 byte of information at a time. Thu, 09 Feb 2012 18:30:38 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 Web Wandering Dump http://creeva.com/2007/11/10/web-wandering-dump-52/ http://creeva.com/2007/11/10/web-wandering-dump-52/#comments Sat, 10 Nov 2007 09:37:00 +0000 Creeva http://creeva.com/?p=557 h1 a:hover {background-color:#888;color:#fff ! important;} div#emailbody table#itemcontentlist tr td div ul { list-style-type:square; padding-left:1em; } div#emailbody table#itemcontentlist tr td div blockquote { padding-left:6px; border-left: 6px solid #dadada; margin-left:1em; } div#emailbody table#itemcontentlist tr td div li { margin-bottom:1em; margin-left:1em; } table#itemcontentlist tr td a:link, table#itemcontentlist tr td a:visited, table#itemcontentlist tr td a:active { color:#666666; font-weight:bold; text-decoration:none; } img {border:none;}

Web Wandering Dump

Link to Daily Web Wandering Dump

via www.blogto.com

Posted: 09 Nov 2007 03:18 PM CST

star-wars-series.jpg (JPEG Image, 1440×982 pixels)

Posted: 09 Nov 2007 02:38 PM CST

I command you: open! (via Vox Sciurorum)

Posted: 09 Nov 2007 02:35 PM CST

You’ll let me in, won’t you? (via Vox Sciurorum)

Posted: 09 Nov 2007 02:35 PM CST

Broken Camera – a photoset on Flickr

Posted: 09 Nov 2007 02:32 PM CST

Designer Creates Infoporn of His Life [Digg]

Posted: 09 Nov 2007 02:19 PM CST

The Feltron 2006 Annual Report is a visual glimpse at what Nicholas Felton has done in the past year, and in essence who he is. It’s XXX infoporn for all us data geeks.

via blog.wired.com

Posted: 09 Nov 2007 02:11 PM CST

via cache.consumerist.com

Posted: 09 Nov 2007 02:05 PM CST

Top 5 Freeware Security Tools [Digg]

Posted: 09 Nov 2007 01:33 PM CST

Ever wondered what are the best free security tools that most people use? Check out this article giving description and download links for the top 5 freeware security tools ever.

Bush Administration Plans To Classify Passenger Data [Digg]

Posted: 09 Nov 2007 01:23 PM CST

The Bush administration said yesterday that it probably would keep secret many documents requested by a privacy group about the negotiations between the United States and European officials concerning the sharing of airline passenger data.

via icanhascheezburger.files.wordpress.com

Posted: 09 Nov 2007 07:51 AM CST

Kucinich Unflappable As Media Tries To Spin Impeachment [Digg]

Posted: 08 Nov 2007 11:04 PM CST

As the media did their best Tuesday to ignore Dennis Kucinich’s push to bring the impeachment of Dick Cheney to a vote (CNN didn’t even have a story accesible on their website), they opted to go on the offensive yesterday. But, watch and enjoy as Dennis Kucinich shuts down Harry and Tucker!

The Evolution of Apple from 1976 through 2007 [Digg]

Posted: 08 Nov 2007 05:40 PM CST

Wow technology has come a long way…

14 Year Old Punk Kid Jumps in Front of Incoming Train to Save Man [Digg]

Posted: 08 Nov 2007 04:56 PM CST

Mark O’Dwyer owes his life to Julian Shaw, a 14-year-old punk rocker. The 54-year-old was waiting at Lisarow train station when he fainted and toppled two metres from the platform onto the tracks below, as a freight train bore down on the station. Julian jumped down into the tracks and moved hin to the edge with the train a couple of metres away.

Officially Cool: The Entire Star Wars Saga in One Picture (PIC) [Digg]

Posted: 08 Nov 2007 04:11 PM CST

With the saga complete and the book pretty much closed for Star Wars movies, the following photo is a pretty good display of the entire saga. In fact, if they ever wrote a “Star Wars for Dummies” book, this could serve as page one. Enjoy.

Surfing goes much secure with Anonymous Surfing. [Digg]

Posted: 08 Nov 2007 03:23 PM CST

Well, “Anonymizer’s” have worked hard to find a way for better and secure surfing, they now have made a software named “Anonymous Surfing” for it.

]]> http://creeva.com/2007/11/10/web-wandering-dump-52/feed/ 0 Symantec Enterprise Firewall – Solutions Guide for Load Balanced NAT Issues http://creeva.com/2005/06/27/symantec-enterprise-firewall-solutions-guide-for-load-balanced-nat-issues/ http://creeva.com/2005/06/27/symantec-enterprise-firewall-solutions-guide-for-load-balanced-nat-issues/#comments Mon, 27 Jun 2005 17:46:19 +0000 Creeva http://creeva.com/?p=2686 <!– /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {mso-style-parent:”"; margin:0in; margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:12.0pt; font-family:”Times New Roman”; mso-fareast-font-family:”Times New Roman”;} @page Section1 {size:8.5in 11.0in; margin:1.0in 1.25in 1.0in 1.25in; mso-header-margin:.5in; mso-footer-margin:.5in; mso-paper-source:0;} div.Section1 {page:Section1;} /* List Definitions */ @list l0 {mso-list-id:572855412; mso-list-type:hybrid; mso-list-template-ids:-1186181492 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;} @list l0:level1 {mso-level-tab-stop:.5in; mso-level-number-position:left; text-indent:-.25in;} @list l1 {mso-list-id:1128162760; mso-list-type:hybrid; mso-list-template-ids:-592835512 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;} @list l1:level1 {mso-level-tab-stop:.5in; mso-level-number-position:left; text-indent:-.25in;} @list l2 {mso-list-id:1157769049; mso-list-type:hybrid; mso-list-template-ids:1523214700 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;} @list l2:level1 {mso-level-tab-stop:.5in; mso-level-number-position:left; text-indent:-.25in;} @list l3 {mso-list-id:1258293677; mso-list-type:hybrid; mso-list-template-ids:-1536103412 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;} @list l3:level1 {mso-level-tab-stop:.5in; mso-level-number-position:left; text-indent:-.25in;} @list l4 {mso-list-id:1437094087; mso-list-type:hybrid; mso-list-template-ids:1230905382 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;} @list l4:level1 {mso-level-tab-stop:.5in; mso-level-number-position:left; text-indent:-.25in;} @list l5 {mso-list-id:1599633008; mso-list-type:hybrid; mso-list-template-ids:-493076830 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;} @list l5:level1 {mso-level-tab-stop:.5in; mso-level-number-position:left; text-indent:-.25in;} @list l6 {mso-list-id:1631399832; mso-list-type:hybrid; mso-list-template-ids:417990644 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;} @list l6:level1 {mso-level-tab-stop:.5in; mso-level-number-position:left; text-indent:-.25in;} @list l7 {mso-list-id:1964076882; mso-list-type:hybrid; mso-list-template-ids:-135861800 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;} @list l7:level1 {mso-level-tab-stop:.5in; mso-level-number-position:left; text-indent:-.25in;} ol {margin-bottom:0in;} ul {margin-bottom:0in;} –>

I wrote this document for a customer back in 2005 when I was a Symantec Consultant – posting it from 2008 in the right time period.

Solutions Guide for Load Balanced NAT Issues

These are solutions to possible load balancing issue you may encounter with the Symantec Firewall load balancing methods. The assumption is problems you would encounter going from an internal network to an Internet host or network. These problems also rarely occur and are usually an issue depending on the security of the remote host.

Scenario: Multiple TCP connections on the same port leaving with different outside NAT addresses causes the remote server to reject the connection.

Example: HTTPS connections that do not use a client side cookie.

Solutions:

  1. We can use stateful failover for the TCP traffic and all traffic would leave as the VIP address. The downside is some increased load on all the firewalls in the cluster.
  2. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
  3. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
  4. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
  5. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
  6. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
  7. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.


Scenario: A connection that requires multiple TCP destination ports.

Example: Passive mode FTP (which the FTP daemon can handle this without modification; lack of a more common protocol as an example is not immediately available.)

Solutions:

  1. We can use stateful failover for the TCP traffic and all traffic would leave as the VIP address. The downside is some increased load on all the firewalls in the cluster.
  2. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
  3. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
  4. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
  5. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
  6. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
  7. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.

Scenario: A mixture of UDP and TCP traffic.

Example: This is usually seen in custom applications such as streaming media where the connection starts on TCP and migrates over to UDP for media delivery.

Solutions:

  1. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
  2. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
  3. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
  4. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
  5. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
  6. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.

Scenario: TCP and IP traffic mixture.

Example: Microsoft’s PPTP VPN. This product uses port 1723 TCP and IP type 47 to pass traffic.

Solutions:

  1. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
  2. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
  3. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
  4. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
  5. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
  6. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.


Scenario: UDP connections using multiple ports

Example: No known examples available for reference.

Solutions:

  1. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
  2. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
  3. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
  4. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
  5. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
  6. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.

Scenario: UDP and IP traffic mixture.

Example: This traffic would mostly be associated with IPSEC VPN traffic.

Solutions:

  1. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
  2. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
  3. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
  4. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
  5. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
  6. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.

Scenario: Multiple IP types only connections.

Example: No known examples available for reference.

Solutions:

  1. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
  2. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
  3. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
  4. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
  5. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
  6. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.


Scenario: A connection using TCP, UDP, and IP types all in conjunction.

Example: Older VPN connections that did not adhere to the IPSEC standard.

Solutions:

  1. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
  2. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
  3. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
  4. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
  5. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
  6. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.
]]> http://creeva.com/2005/06/27/symantec-enterprise-firewall-solutions-guide-for-load-balanced-nat-issues/feed/ 0