
Re: VS: IP tunnel over a NAT (IP masq) possible ?



In message <000a01bed1d8$7d31a820$390964c2@baudia.fi>, "Pekka Turunen" writes:

> 
> We have studied the NAT -problem and developed a solution for it. We have
> applied a patent for this solution, which is called FireSeal. With FireSeal
> the firewall isn't required to decrypt the packets.  Nevertheless the
> traffic can be fully controlled - dynamically.
> 
> The FireSeal system consists of two main components. The Client component
> works as a part of the IPSec - or any other security application, inside the
> company network boundaries, whereas the server component is attached to the
> firewall. The process of controlling secured network traffic can be divided
> into three steps:
> 
> 1. The client part of FireSeal sends parameters concerning the connection to
> the firewall (IP address, protocol used etc.).
> 
> 2. The firewall decides if the connection is allowed (the firewall's normal
> control mechanisms are used). If the connection is accepted, then the firewall
> sends to the client the needed parameters for the connection (i.e. the NAT
> transform parameters and an SPI number, which identifies the approved
> connection).
> 
> 3. The client does the NAT transformation and sends the data. The data
> passes through the firewall if the SPI matches the ones in the firewall.
> 
> I.e. the firewall can use its normal policies to decide whether or not to
> let the traffic pass through. In regard to applications needing secure
> communications, FireSeal is completely invisible.

Except, of course, that the firewall can't see into the packet to see
if the client is really abiding by the policy.  For that matter, it can't
see if the remote host is really responding to client requests, or if it's
probing other ports on that host, all under the cover of that SPI.
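The three-step exchange quoted above, and the limitation raised in the reply, as an added toy model. This is illustration code written for this thread, not FireSeal's or any vendor's code; the message fields, the policy representation, the SPI allocation and the addresses (RFC 5737 test ranges) are all assumptions. It shows what the firewall can check at each step: the declared parameters against its ordinary policy at setup time, and only the SPI and outer header at data time, because the payload is encrypted end-to-end.

```python
"""Toy model of the three-step FireSeal-style exchange described in the
thread (added illustration, not the product's code; every message field,
name and policy here is an assumption)."""
from dataclasses import dataclass, field
import itertools

NAT_PUBLIC_ADDR = "203.0.113.1"   # constructed public address (RFC 5737 test range)


@dataclass
class Firewall:
    # Normal firewall policy, modelled as the set of (protocol, dst_port)
    # pairs that outbound connections may use (assumed representation).
    policy: set
    # SPI -> (nat_src, dst, proto, dst_port) for connections approved in step 2.
    approved: dict = field(default_factory=dict)
    _spi_gen: itertools.count = field(default_factory=lambda: itertools.count(0x1000))

    def request(self, dst, proto, dst_port):
        """Steps 1 and 2: the client declares the connection parameters and
        the firewall applies its ordinary policy. On approval it hands back
        the NAT parameters and an SPI that identifies the connection."""
        if (proto, dst_port) not in self.policy:
            return None
        spi = next(self._spi_gen)
        self.approved[spi] = (NAT_PUBLIC_ADDR, dst, proto, dst_port)
        return {"spi": spi, "nat_src": NAT_PUBLIC_ADDR}

    def forward(self, packet):
        """Step 3, data plane: the firewall sees only the outer header. The
        payload is encrypted end-to-end, so the only checks possible are the
        SPI lookup and a match on the outer addresses it was told to expect."""
        entry = self.approved.get(packet["spi"])
        if entry is None:
            return False
        nat_src, dst, _proto, _port = entry
        return packet["src"] == nat_src and packet["dst"] == dst


def client_send(nat_params, dst, payload):
    """Step 3, client side: apply the NAT transform (rewrite the source to
    the firewall's public address), tag the packet with the SPI and send.
    The payload is already encrypted, so it is carried opaque."""
    return {"src": nat_params["nat_src"], "dst": dst,
            "spi": nat_params["spi"], "payload": payload}


def demo():
    fw = Firewall(policy={("tcp", 443)})
    peer = "198.51.100.7"   # constructed remote host

    # Declared as HTTPS: permitted by policy, SPI issued.
    nat = fw.request(peer, "tcp", 443)
    # Declared as telnet: refused by policy, no SPI.
    refused = fw.request(peer, "tcp", 23)

    # Opaque blobs standing in for encrypted inner packets (constructed).
    ok_pkt = client_send(nat, peer, b"<encrypted: tcp/443 request>")
    other_pkt = client_send(nat, peer, b"<encrypted: tcp/23 request>")
    bogus = dict(ok_pkt, spi=0xDEAD)           # SPI the firewall never issued
    wrong_dst = dict(ok_pkt, dst="192.0.2.9")  # outer dst is not the approved one

    return {
        "spi_issued": nat is not None,
        "telnet_refused": refused is None,
        "approved_passes": fw.forward(ok_pkt),
        "unknown_spi_dropped": not fw.forward(bogus),
        "wrong_dst_dropped": not fw.forward(wrong_dst),
        # The point made in the reply: with the payload opaque, a packet whose
        # inner content differs from what was declared at setup time is
        # indistinguishable from a compliant one at the firewall.
        "inner_content_unchecked": fw.forward(other_pkt),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The setup-time check (steps 1 and 2) is where the firewall's ordinary policy does its work; the data-time check (step 3) is reduced to an SPI lookup plus outer-header matching, which is exactly the gap the reply points out: enforcement after setup depends on the endpoint honouring the parameters it declared.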