Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network

From: Paul Robertson (
Date: 05/28/03

    To: Hugh Blandford <>
    Date: Wed, 28 May 2003 09:31:34 -0400 (EDT)

    On Wed, 28 May 2003, Hugh Blandford wrote:

    > Hi Paul et al.,
    > I recognise what you are saying, but what I was trying to understand was,
    > are the low-end appliance 'firewalls' really providing much more security
    > than NAT? In a small office/home situation if people are going to use IRC,

    My point was that they're able to provide more security, but if you're
    going to align a security policy with a NAT device, then you're giving up
    a large part of the point of having a firewall. If we, as a community, can
    get people to use *firewalls* for *firewalling* then we'll have done both
    ourselves and everyone else a better service than to say "oh, just use
    anything that'll let you connect."

    > they would just reconfigure their firewall to do so, after all they own it.
    > I was just trying to get all the 'block xyz outbound' issues out of the way.
    > Can NAT sessions be hijacked or somehow abused to give access to the
    > internal network? There is the case of visiting a hostile website and
    > "inviting in" some problematic programs, but apart from that are the
    > appliance based firewalls doing more than that?

    In general, NAT based things aren't written for security, they're written
    for network re-mapping, so there can be things that escape the author that
    a firewall author shouldn't miss (or may have tested by a 3rd party for some
    level of assurance.[1])

    Firewalls should handle things like source routed packets, overlapping
    fragments, etc. They also may handle things like VPNs, authentication,
    "enterprise" policy enforcement, etc.

    [1.] Obviously, I'm highly biased about which certification program a
    firewall should pass to be on the market. My employer owns ICSA Labs,
    this list is hosted from there, etc.
    Paul D. Robertson
    Director of Risk Assessment
    TruSecure Corporation
    "My statements in this message are personal opinions which may have no basis whatsoever in fact."

    firewall-wizards mailing list
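The two header-level conditions Paul names, source-routed packets and overlapping fragments, are easy to check for once the IPv4 header is decoded. The following is an added example and not code from the thread or from any product mentioned in it: a small inspector that parses an IPv4 header, walks the option list for LSRR/SSRR, and keeps per-datagram byte ranges to flag a fragment that overlaps one already seen. All packets are constructed inline (addresses from the documentation ranges, checksum left zero), so it runs offline.

```python
import socket
import struct

IPOPT_EOL = 0     # end of option list
IPOPT_NOP = 1     # no-operation padding
IPOPT_LSRR = 131  # loose source and record route
IPOPT_SSRR = 137  # strict source and record route

def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed IPv4 header plus option bytes; raise on malformed input."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(packet) or total_len > len(packet):
        raise ValueError("bad version, header length or total length")
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ident": ident, "proto": proto,
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # offset field is in 8-byte units
        "payload_len": total_len - ihl,
        "options": packet[20:ihl],
    }

def has_source_route(options: bytes) -> bool:
    """Walk the option list; True if an LSRR or SSRR option is present."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            raise ValueError("malformed IP option length")
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            return True
        i += options[i + 1]
    return False

class FragmentTracker:
    """Remember the byte ranges seen per datagram and report overlapping fragments."""
    def __init__(self) -> None:
        self.ranges: dict = {}

    def overlaps(self, hdr: dict) -> bool:
        if not hdr["more_fragments"] and hdr["frag_offset"] == 0:
            return False  # a whole datagram, not a fragment
        key = (hdr["src"], hdr["dst"], hdr["ident"], hdr["proto"])
        start, end = hdr["frag_offset"], hdr["frag_offset"] + hdr["payload_len"]
        seen = self.ranges.setdefault(key, [])
        hit = any(start < e and s < end for s, e in seen)
        seen.append((start, end))
        return hit

def inspect_packet(packet: bytes, tracker: FragmentTracker) -> list:
    """Return the findings a filtering firewall would act on for this packet."""
    hdr = parse_ipv4(packet)
    findings = []
    if has_source_route(hdr["options"]):
        findings.append("source-route option")
    if tracker.overlaps(hdr):
        findings.append("overlapping fragment")
    return findings

def build_ipv4(src: str, dst: str, ident: int, frag_offset: int,
               more_fragments: bool, payload: bytes, options: bytes = b"") -> bytes:
    """Construct a test packet (constructed data; checksum left zero, not verified)."""
    if len(options) % 4:
        options += bytes(4 - len(options) % 4)
    total_len = 20 + len(options) + len(payload)
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | (20 + len(options)) // 4, 0,
                         total_len, ident, flags_frag, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + options + payload

# Constructed sample traffic: one loose-source-routed packet, then three
# fragments of one datagram, the second of which overlaps the first.
LSRR_OPTION = bytes([IPOPT_LSRR, 7, 4]) + socket.inet_aton("192.0.2.99")
SAMPLE_PACKETS = [
    build_ipv4("198.51.100.7", "192.0.2.10", 1, 0, False, b"x" * 8, LSRR_OPTION),
    build_ipv4("198.51.100.7", "192.0.2.10", 2, 0, True, b"a" * 16),
    build_ipv4("198.51.100.7", "192.0.2.10", 2, 8, True, b"b" * 16),
    build_ipv4("198.51.100.7", "192.0.2.10", 2, 32, False, b"c" * 4),
]

def run_sample() -> list:
    """Inspect the sample packets in order; one finding list per packet."""
    tracker = FragmentTracker()
    return [inspect_packet(p, tracker) for p in SAMPLE_PACKETS]

if __name__ == "__main__":
    for packet, result in zip(SAMPLE_PACKETS, run_sample()):
        print(parse_ipv4(packet)["frag_offset"], result or "clean")
```

The tracker only answers "did this fragment's byte range collide with one already seen for the same (src, dst, ident, proto) tuple"; a real firewall would also expire state, cap memory per flow, and decide how to reassemble, none of which a NAT table needs to do just to rewrite addresses.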
