CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1  2006-12-05
fsanches (Junior Member; Join Date: 2006-12-05; Posts: 3)
Academic Question - DoS HIDE NAT table

Hi,

In theory (and practice) HIDE NAT has a capacity of 50.000 connections per server.

If I have a cluster with 2 nodes in load balancing (ClusterXL) do I have a HIDE NAT capacity of 100.000 connections in total?

What happens when one node reaches maximum capacity? It informs the other it cannot manage more connections and everything else is handled correctly by the other node?

Is there a specific protection against a denial of service that attempts to fill the HIDE NAT table of the gateway and thus render the firewall inoperable or reduce its performance?

How much memory does this table and associated management processing occupy? Could the firewall have its performance severely degraded by nearly filling up the internal HIDE NAT table?

TIA,

fsanches
#2  2006-12-06
northlandboy (Senior Member; Join Date: 2006-07-28; Location: New Zealand; Posts: 857)
Re: Academic Question - DoS HIDE NAT table

Tables are synchronised, so it's still 50,000 total - not 100,000.

The Hide NAT table filling up is not the only thing you need to worry about - it is the connections table too. Hide NAT is usually only used outbound anyway, so you would be being attacked from the inside - is that likely?

If the table is full, it won't be able to do any more NAT. If the connections table is full, it won't be able to accept new connections. Performance of existing connections won't really be impacted.

You can do some stuff with network quota to limit certain sources to total numbers of connections per second. That is not a specific protection against filling the hide nat table.

If you're worried about it, increase the size of the tables. It's not hard to do, and doesn't take much more memory to support say 500,000 connections. Phoneboy's book has the exact amount of memory per connection needed. It's probably in the KB's somewhere too.
#3  2006-12-06
fsanches (Junior Member; Join Date: 2006-12-05; Posts: 3)
Re: Academic Question - DoS HIDE NAT table

Thanks for the info.

About being attacked from inside, according to several security companies that's where most of the problems come from.

I also happen to agree with that view; I have done some pen testing from the outside and from the inside of companies, and I found most of the inside was pretty insecure.
#4  2006-12-06
northlandboy (Senior Member; Join Date: 2006-07-28; Location: New Zealand; Posts: 857)
Re: Academic Question - DoS HIDE NAT table

Yes I agree that attacks tend to come from the inside, but I wouldn't see it as being that sort of attack. YMMV.
#5  2006-12-13
chillyjim (Senior Member; Join Date: 2005-08-29; Location: Upstate NY; Posts: 1,670)
Re: Academic Question - DoS HIDE NAT table

Quote (Originally Posted by fsanches):
    Hi,

    In theory (and practice) HIDE NAT has a capacity of 50.000 connections per server.
It is potentially more than that in NGX. Check Point now hides based on src/dst and not just src anymore. So

1.2.3.4 going to 4.5.6.7 may be translated to 2.2.2.2:15000
1.2.3.5 going to 5.6.7.8 may also be translated to 2.2.2.2:15000 as could
1.2.3.4 going to 8.7.6.5
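The two capacity points made in this thread (post #2: once the table is full no new translation can be created while existing connections keep working, and freeing entries matters more than raw memory; post #5: NGX allocates hide ports per src/dst pair, so the same hide port can be reused towards different destinations) are easy to see in a small simulation. The Python below is an added example written for this page; it is not Check Point code and does not reproduce the real allocator or table layout. The hide-port range 15000-64999 (50,000 ports), the per-destination pool keyed on (destination IP, destination port), and the optional `max_per_source` cap (a constructed stand-in for a per-source connection quota, not Check Point's Network Quota feature) are all assumptions of the model.

```python
"""Toy Hide NAT translation table (constructed example, not Check Point code).

Two hide-port allocation strategies are modelled:
  * src-only : every translated connection takes a port from ONE shared pool,
               so the pool size (50,000 here) is the hard ceiling for the box
  * src/dst  : a hide port only has to be unique per destination, so each
               destination gets its own pool and the same port is reused
               across destinations (the NGX behaviour described in post #5)
"""
from collections import defaultdict

PORT_LOW, PORT_HIGH = 15000, 65000        # assumed range: 50,000 hide ports


class _Pool:
    """Free-port bookkeeping for one port space (lowest free port first)."""
    __slots__ = ("next_port", "free")

    def __init__(self):
        self.next_port = PORT_LOW
        self.free = []                        # ports returned by release()

    def allocate(self):
        if self.free:
            return self.free.pop()
        if self.next_port >= PORT_HIGH:
            return None                       # port space exhausted
        port = self.next_port
        self.next_port += 1
        return port

    def release(self, port):
        self.free.append(port)


class HideNatTable:
    def __init__(self, hide_ip, per_destination, max_per_source=None):
        self.hide_ip = hide_ip
        self.per_destination = per_destination   # True = src/dst keying (NGX-style)
        self.max_per_source = max_per_source     # hypothetical per-source cap
        self.entries = {}                        # (src_ip, src_port, dst_ip, dst_port) -> hide port
        self.pools = defaultdict(_Pool)          # pool id -> _Pool
        self.per_source = defaultdict(int)       # src_ip -> live entries
        self.refused = 0                         # translations that could not be made

    def _pool(self, dst):
        # one pool for everything (src-only) or one pool per destination (src/dst)
        return self.pools[dst if self.per_destination else None]

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Return (hide_ip, hide_port), or None when no NAT entry can be created."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.entries:                  # already-translated connection
            return (self.hide_ip, self.entries[key])
        if self.max_per_source is not None and self.per_source[src_ip] >= self.max_per_source:
            self.refused += 1                    # quota hit: this source gets no new entry
            return None
        port = self._pool((dst_ip, dst_port)).allocate()
        if port is None:                         # table full: no more NAT, existing flows unaffected
            self.refused += 1
            return None
        self.entries[key] = port
        self.per_source[src_ip] += 1
        return (self.hide_ip, port)

    def release(self, src_ip, src_port, dst_ip, dst_port):
        """Connection closed or timed out: drop the entry and free its hide port."""
        port = self.entries.pop((src_ip, src_port, dst_ip, dst_port), None)
        if port is None:
            return False
        self._pool((dst_ip, dst_port)).release(port)
        self.per_source[src_ip] -= 1
        return True


def thread_example(per_destination):
    """The three flows from post #5, translated through a fresh table."""
    t = HideNatTable("2.2.2.2", per_destination)
    flows = [("1.2.3.4", 40000, "4.5.6.7", 80),
             ("1.2.3.5", 40000, "5.6.7.8", 80),
             ("1.2.3.4", 40001, "8.7.6.5", 80)]
    return [t.translate(*f) for f in flows]


def flood(per_destination, hosts, conns_per_host, max_per_source=None):
    """Simulate `hosts` internal machines each opening many connections, each to a
    distinct constructed destination. Returns (entries_created, translations_refused)."""
    t = HideNatTable("2.2.2.2", per_destination, max_per_source)
    for h in range(hosts):
        src = f"10.0.0.{h + 1}"                  # constructed internal address
        for i in range(conns_per_host):
            t.translate(src, 1024 + i, f"198.51.100.{i % 250 + 1}", 1000 + i // 250)
    return (len(t.entries), t.refused)


if __name__ == "__main__":
    print("src-only keying:", thread_example(False))
    print("src/dst keying: ", thread_example(True))
    print("60,000 flows, src-only (entries, refused):", flood(False, 1, 60000))
    print("60,000 flows, src/dst  (entries, refused):", flood(True, 1, 60000))
    print("2 hosts x 30,000, cap 20,000/source:       ", flood(False, 2, 30000, 20000))
```

With src-only keying the three flows of post #5 get ports 15000, 15001 and 15002; with src/dst keying all three get 15000, and a single host opening 60,000 flows to distinct destinations never exhausts the table, whereas the src-only table refuses the last 10,000. The `max_per_source` cap shows the shape of the mitigation post #2 points at: a single source is stopped at its quota and the other hosts still get entries. What the model does not show is the cluster behaviour from post #2 (the table is synchronised across ClusterXL members, so a second node adds no capacity) or the memory cost per entry, which the thread refers to Phoneboy's book for.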