Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network
From: Paul Robertson (proberts_at_patriot.net)
Date: 05/28/03
- Previous message: Vladimir Parkhaev: "[fw-wiz] pulling configs from pixes over ssh script"
- In reply to: Hugh Blandford: "Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network"
- Next in thread: Bill Royds: "Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network"
- Reply: Bill Royds: "Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Hugh Blandford <hugh@island.net.au> Date: Wed, 28 May 2003 09:31:34 -0400 (EDT)
On Wed, 28 May 2003, Hugh Blandford wrote:
> Hi Paul et al.,
>
> I recognise what you are saying, but what I was trying to understand was,
> are the low-end appliance 'firewalls' really providing much more security
> than NAT? In a small office/home situation if people are going to use IRC,
My point was that they're able to provide more security, but if you're
going to align a security policy with a NAT device, then you're giving up
a large part of the point of having a firewall. If we, as a community, can
get people to use *firewalls* for *firewalling* then we'll have done both
ourselves and everyone else a better service than to say "oh, just use
anything that'll let you connect."
> they would just reconfigure their firewall to do so, after all they own it.
> I was just trying to get all the 'block xyz outbound' issues out of the way.
>
> Can NAT sessions be hijacked or somehow abused to give access to the
> internal network? There is the case of visiting a hostile website and
> "inviting in" some problematic programs, but apart from that are the
> appliance based firewalls doing more than that?
In general, NAT-based things aren't written for security, they're written
for network re-mapping, so there can be things that escape the author that
a firewall author shouldn't miss (or may have been tested by a 3rd party for some
level of assurance.[1])
Firewalls should handle things like source routed packets, overlapping
fragments, etc. They also may handle things like VPNs, authentication,
"enterprise" policy enforcement, etc.
Paul
[1.] Obviously, I'm highly biased about which certification program a
firewall should pass to be on the market. My employer owns ICSA Labs,
this list is hosted from there, etc.
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
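The reply above names two classic packet-level checks a firewall is expected to get right: source-routed packets and overlapping IP fragments. The following script is an added example, not code from the original post or from any product discussed on the list. It parses IPv4 headers, flags LSRR/SSRR options (RFC 791 option types 0x83 and 0x89), and tracks fragment byte ranges per (src, dst, id, proto) so that a fragment overlapping one already seen is reported. The packets it runs on are constructed inline; the addresses, IDs and payloads are made up for the demonstration.

```python
"""Defensive checks for source-routed packets and overlapping IP fragments.

Added example (not the mailing-list post's code). Header layout follows
RFC 791; sample packets below are constructed for the demonstration.
"""
import struct
from collections import defaultdict

IPOPT_EOL = 0x00   # end of option list
IPOPT_NOP = 0x01   # no-op padding
IPOPT_LSRR = 0x83  # Loose Source and Record Route
IPOPT_SSRR = 0x89  # Strict Source and Record Route


def parse_ipv4(pkt: bytes) -> dict:
    """Return the IPv4 header fields the checks need, or raise on malformed input."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    (ver_ihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBHII", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt) or total_len > len(pkt):
        raise ValueError("bad IPv4 header")
    return {
        "id": ident, "proto": proto, "src": src, "dst": dst,
        "mf": bool(flags_off & 0x2000),          # More Fragments flag
        "frag_off": (flags_off & 0x1FFF) * 8,    # offset is in 8-byte units
        "options": pkt[20:ihl],
        "payload": pkt[ihl:total_len],
    }


def has_source_route(options: bytes) -> bool:
    """Walk the option list; True if an LSRR or SSRR option is present."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == IPOPT_EOL:
            return False
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return False  # truncated or malformed option; stop walking
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            return True
        i += options[i + 1]
    return False


class FragmentTracker:
    """Remember fragment byte ranges per datagram and flag any overlap."""

    def __init__(self):
        self.seen = defaultdict(list)

    def check(self, hdr: dict) -> bool:
        key = (hdr["src"], hdr["dst"], hdr["id"], hdr["proto"])
        start = hdr["frag_off"]
        end = start + len(hdr["payload"])
        if end == start:
            return False
        for s, e in self.seen[key]:
            if start < e and s < end:   # half-open ranges intersect
                return True
        self.seen[key].append((start, end))
        return False


def build(ident: int, frag_off: int, mf: bool, payload: bytes, options: bytes = b"") -> bytes:
    """Construct a minimal IPv4/UDP packet (constructed test data, checksum left zero)."""
    while len(options) % 4:
        options += bytes([IPOPT_EOL])
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(payload)
    flags_off = (0x2000 if mf else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBHII", (4 << 4) | ihl, 0, total_len, ident,
                      flags_off, 64, 17, 0, 0x0A000001, 0x0A000002)
    return hdr + options + payload


def audit(packets) -> list:
    """Return (index, finding) pairs for packets a firewall should treat as suspect."""
    tracker = FragmentTracker()
    findings = []
    for n, pkt in enumerate(packets):
        hdr = parse_ipv4(pkt)
        if has_source_route(hdr["options"]):
            findings.append((n, "source-route option"))
        if tracker.check(hdr):
            findings.append((n, "overlapping fragment"))
    return findings


# Constructed sample: a clean two-fragment datagram, a datagram whose second
# fragment overlaps the first, and an unfragmented packet carrying an LSRR option.
SAMPLE = [
    build(1, 0, True, b"A" * 16),
    build(1, 16, False, b"B" * 8),
    build(2, 0, True, b"C" * 16),
    build(2, 8, False, b"D" * 16),                                  # overlaps bytes 8..16
    build(3, 0, False, b"E" * 8,
          options=bytes([IPOPT_LSRR, 7, 4]) + b"\x0a\x00\x00\x03"),  # one hop address
]

if __name__ == "__main__":
    for idx, what in audit(SAMPLE):
        print(f"packet {idx}: {what}")
```

The overlap check uses half-open byte ranges so that adjacent fragments (0..16 followed by 16..24) are accepted while any shared byte is reported; a real firewall would additionally decide which copy of an overlapped byte wins, or simply drop the whole datagram, since different host stacks reassemble overlaps differently.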