Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network
From: Paul Robertson (proberts_at_patriot.net)
To: Hugh Blandford <firstname.lastname@example.org>
Date: Wed, 28 May 2003 09:31:34 -0400 (EDT)
On Wed, 28 May 2003, Hugh Blandford wrote:
> Hi Paul et al.,
> I recognise what you are saying, but what I was trying to understand was,
> are the low-end appliance 'firewalls' really providing much more security
> than NAT? In a small office/home situation if people are going to use IRC,
My point was that they're able to provide more security, but if you're
going to align a security policy with a NAT device, then you're giving up
a large part of the point of having a firewall. If we, as a community, can
get people to use *firewalls* for *firewalling* then we'll have done both
ourselves and everyone else a better service than to say "oh, just use
anything that'll let you connect."
> they would just reconfigure their firewall to do so, after all they own it.
> I was just trying to get all the 'block xyz outbound' issues out of the way.
> Can NAT sessions be hijacked or somehow abused to give access to the
> internal network? There is the case of visiting a hostile website and
> "inviting in" some problematic programs, but apart from that are the
> appliance based firewalls doing more than that?
In general, NAT-based things aren't written for security, they're written
for network re-mapping, so there can be things that escape the author that
a firewall author shouldn't miss (or may have tested by a 3rd party for some
level of assurance).
Firewalls should handle things like source routed packets, overlapping
fragments, etc. They also may handle things like VPNs, authentication,
"enterprise" policy enforcement, etc.
[1.] Obviously, I'm highly biased about which certification program a
firewall should pass to be on the market. My employer owns ICSA Labs,
this list is hosted from there, etc.
Paul D. Robertson
Director of Risk Assessment, TruSecure Corporation
email@example.com
firstname.lastname@example.org
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
firewall-wizards mailing list
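Paul's reply names source-routed packets and overlapping fragments as things a firewall, unlike a NAT box, should handle. As an added illustration (not from the original post or any product it mentions), the following Python walks IPv4 headers from constructed byte strings and flags both conditions; the packet builder, option constants and sample values are assumptions made here for the example.

```python
import struct

LSRR, SSRR = 0x83, 0x89  # IP option types: loose / strict source route

def parse_ipv4(pkt):
    """Return (ident, frag_offset_bytes, options, payload_len) for one IPv4 packet."""
    ver_ihl, _, total_len, ident, flags_off = struct.unpack("!BBHHH", pkt[:8])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("not a sane IPv4 header")
    return ident, (flags_off & 0x1FFF) * 8, pkt[20:ihl], total_len - ihl

def is_source_routed(options):
    """Walk the IP option list; True if an LSRR or SSRR option is present."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                 # End of Option List
            return False
        if kind == 1:                 # NOP: single byte, no length field
            i += 1
            continue
        if kind in (LSRR, SSRR):
            return True
        if i + 1 >= len(options) or options[i + 1] < 2:
            raise ValueError("malformed IP option")
        i += options[i + 1]           # skip over this option by its length
    return False

def inspect(packets):
    """Per-packet findings; fragment byte ranges are tracked per IP ident."""
    seen, findings = {}, []           # seen: ident -> [(start, end), ...]
    for pkt in packets:
        ident, start, options, plen = parse_ipv4(pkt)
        end, reasons = start + plen, []
        if is_source_routed(options):
            reasons.append("source-routed")
        if any(start < e and s < end for s, e in seen.setdefault(ident, [])):
            reasons.append("overlapping-fragment")
        seen[ident].append((start, end))
        findings.append(reasons)
    return findings

def build(ident, offset, more, payload, options=b""):
    """Constructed IPv4 packet (UDP proto byte, zero addresses and checksum)."""
    options += b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | (20 + len(options)) // 4, 0,
                      20 + len(options) + len(payload), ident,
                      (0x2000 if more else 0) | offset // 8, 64, 17, 0, bytes(4), bytes(4))
    return hdr + options + payload

# Constructed samples: ident 1 fragments overlap (bytes 0-16 and 8-24), ident 2 do not,
# ident 3 carries a loose source route option (type 0x83, len 7, pointer 4, one hop).
SAMPLE = [build(1, 0, True, b"A" * 16), build(1, 8, False, b"B" * 16),
          build(2, 0, True, b"C" * 16), build(2, 16, False, b"D" * 8),
          build(3, 0, False, b"E" * 8, b"\x83\x07\x04" + bytes([10, 0, 0, 1]))]
```

Running `inspect(SAMPLE)` yields an empty list for the clean packets, "overlapping-fragment" for the second ident-1 fragment, and "source-routed" for the ident-3 packet.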