[Nottingham] Setting up a router at uni

Danny King dannyking at gmail.com
Wed Aug 27 09:11:06 UTC 2008


Thanks, that was very helpful, guys.

> Basically, they're making sure that they're billing students for their
> net usage. They also, understandably, like to be sure of what equipment
> is connected to their network...

> NAT routers do two things - they route data packets to the correct
> machine in their slice of LAN, and silently drop (or bounce) rogue
> packets (pings, other incoming packets) which aren't accompanied by the
> correct header information for the router to know where that packet is
> going. DMZ and port forwarding rules bypass this by routing all "other"
> incoming packets (those not routed to systems on the LAN) to the DMZ,
> those directed through specific ports to specified addresses on the
> local network. Ergo, NAT routers by their nature are hardwalls.
>
> More sophisticated NAT routers can include AV, SPI (Stateful Packet
> Inspection, which is the firmware's ability to determine the protocol
> used, the source and destination IPs of each packet (thus be able to
> hold open a port for that connection), and the default behaviour of
> dropping each and every packet that does not adhere to strict
> preprogrammed filter rules - this makes an SPI-equipped router
> practically invulnerable to ICMP spoof attacks and other such packet
> flooding behaviour: at least, that's the theory. Linksys WRT54GS
> routers, for instance, were so broken in early models that [from
> experience] literally every one sold was returned faulty within days or
> even hours with the same firmware problem). More recent models of
> SPI-equipped routers are a lot more stable, and while a little more
> expensive than bog-standard routers (the £20 jobs...) they are a lot
> more secure, in every sense of the word.




-- 
- Danny King of Gleaming Pixel Web Design.

Email: danny at gleamingpixel.co.uk / dannyking at gmail.com
Web: www.GleamingPixel.co.uk
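
[Added example, not part of the original email or of any router's firmware: a toy Python model of the inbound decision order described in the quoted text above (tracked connection first, then port-forward rule, then DMZ host, otherwise drop). All addresses, ports and names are constructed, and matching replies on the remote peer's address and port is an assumption about how the stateful check is done.]

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class NatRouter:
    # (proto, wan_port) -> (lan_ip, lan_port): static port-forward rules
    port_forwards: dict = field(default_factory=dict)
    dmz_host: Optional[str] = None
    # (proto, wan_port) -> (lan_ip, lan_port, remote_ip, remote_port)
    sessions: dict = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, proto, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection: allocate a WAN port, record the mapping."""
        wan_port = self.next_port
        self.next_port += 1
        self.sessions[(proto, wan_port)] = (lan_ip, lan_port, remote_ip, remote_port)
        return wan_port

    def inbound(self, proto, src_ip, src_port, wan_port):
        """Return (verdict, lan_ip, lan_port) for a packet arriving on the WAN side."""
        s = self.sessions.get((proto, wan_port))
        # Stateful check: only the peer the LAN host contacted may use the mapping.
        if s and (s[2], s[3]) == (src_ip, src_port):
            return ("session", s[0], s[1])
        fwd = self.port_forwards.get((proto, wan_port))
        if fwd:
            return ("port-forward", *fwd)
        if self.dmz_host:  # DMZ receives all "other" inbound packets
            return ("dmz", self.dmz_host, wan_port)
        return ("drop", None, None)  # unsolicited and unmatched


def demo():
    r = NatRouter(port_forwards={("tcp", 22): ("192.168.1.20", 22)})
    p = r.outbound("tcp", "192.168.1.5", 51000, "198.51.100.7", 80)
    results = [
        r.inbound("tcp", "198.51.100.7", 80, p),     # reply from the contacted peer
        r.inbound("tcp", "192.0.2.99", 80, p),       # same port, different source
        r.inbound("tcp", "192.0.2.99", 4444, 22),    # matches the forward rule
        r.inbound("udp", "192.0.2.99", 4444, 9999),  # matches nothing
    ]
    r.dmz_host = "192.168.1.30"                      # now enable a DMZ host
    results.append(r.inbound("udp", "192.0.2.99", 4444, 9999))
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last two results show why a DMZ host gives up the default-drop protection: the same unsolicited packet that was dropped is delivered to the LAN once a DMZ address is set.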


