RE: [fw-wiz] Benefit of firewall over NAT-only 'protected' network

From: Monkman, Brian (bmonkman_at_icsalabs.com)
Date: 05/28/03

    To: "'Hugh Blandford'" <hugh@island.net.au>, firewall-wizards@honor.icsalabs.com
    Date: Wed, 28 May 2003 12:59:34 -0400

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Hugh,

    While I cannot comment on all of "low-end appliance 'firewalls'" I
    can comment on the firewalls that have been certified by or are
    currently under test at ICSA Labs.

    In answer to your question asking if these firewalls provide much
    more security than NAT: the answer would be a categorical yes. If you
    review the criteria we test firewalls against - found at
    http://www.icsalabs.com/html/communities/firewalls/certification/criteria/criteria_4.0.shtml
    - you will note that we subject all firewall products submitted to
    ICSA Labs to a series of stringent security related tests (see
    Baseline Module - Security Testing) among other tests. Examples of
    *some* of the things we test are - FTP vulnerabilities, filtering of
    uncommon IP protocols, fragmentation handling, and replay attacks.

    Since we introduced version 4.0 of the Modular Firewall Criteria a
    year ago a number of vendors that manufacture products that fit your
    description have either been granted certification or are currently
    under test here at ICSA Labs. For the list of products that are
    currently certified go to:
    http://www.icsalabs.com/html/communities/firewalls/newsite/cert.shtml

    Our philosophy is that all firewalls should possess common security
    characteristics in order to be called firewalls and to be granted
    ICSA Labs Firewall Certification. Those requirements are captured in
    the Baseline module of the criteria.

    I could go on here but I would probably be moving into marketing
    territory - which is not my intent. If you have any other questions
    please feel free to contact me either on list or off - as you feel is
    appropriate.

    Best regards,

    Brian Monkman
    Firewall Programs Manager
    ICSA Labs
    1000 Bent Creek Blvd., Suite 200
    Mechanicsburg PA 17050
    Phone:717.790.8141 Fax:717.790.8170
    E-mail: bmonkman@icsalabs.com
    AIM: bmonkman03 Web: www.icsalabs.com
    PGP Key ID: 0x7E54D5CD

    > -----Original Message-----
    > From: Hugh Blandford [mailto:hugh@island.net.au]
    > Sent: Tuesday, May 27, 2003 8:35 PM
    > To: firewall-wizards@honor.icsalabs.com
    > Subject: [fw-wiz] Benefit of firewall over NAT-only
    > 'protected' network
    >
    >
    > Hi all,
    >
    > Could someone explain the vulnerabilities in a network that is only
    > 'protected' via NAT? I'm thinking about very small 1-3 person offices
    > or SOHO/home environments connected via an ADSL router providing NAT
    > functionality.
    >
    > Please take into consideration that if they had a firewall, it would
    > be set up to allow all outbound traffic and let the 'responses' back
    > in. There are no static inbound port or IP translations, no servers
    > running on the inside. Issues such as change control and management
    > should be ignored. I'm aware that they would benefit from proxy
    > servers etc. but most firewalls that are purchased by these small
    > sites don't have that capability anyway.
    >
    > So any thoughts would be appreciated.
    >
    > Thanks,
    >
    > Hugh
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.0.1

    iQA/AwUBPtTq9aMpP5h+VNXNEQKgcwCfc+bd28GCmo3TIx9Vqkh2aJkiup0An3Ct
    3YiBCJUr/K+6EY5r0RYTRPI4
    =l/hs
    -----END PGP SIGNATURE-----
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
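Hugh asks what a firewall that allows all outbound traffic and admits only the replies adds over a NAT-only router, and Brian's answer names filtering of uncommon IP protocols and fragmentation handling among the things tested. The following is an added example written for this thread; it is not code from ICSA Labs or from either poster. It models a toy "full cone" NAT (mappings keyed by the inside endpoint only, plus a protocol-passthrough behaviour; both are assumptions about one NAT variant, not a claim about every router) next to a stateful filter that enforces the policy Hugh describes and adds the two checks Brian lists. Addresses, port numbers and the packet sequence are constructed, and both devices are shown in inside address space with the translation step abstracted away.

```python
from dataclasses import dataclass

ALLOWED_PROTOS = {"tcp", "udp", "icmp"}   # assumption: the protocols the stateful filter permits


@dataclass(frozen=True)
class Packet:
    direction: str          # "out" = inside host to Internet, "in" = Internet to inside host
    proto: str              # "tcp", "udp", "icmp", or an uncommon one such as "gre"
    src: str
    dst: str
    sport: int = 0          # 0 when the protocol has no ports or this is a non-initial fragment
    dport: int = 0
    ip_id: int = 0          # IP identification field, shared by all fragments of one datagram
    frag_offset: int = 0    # > 0 marks a non-initial fragment (no transport header present)
    more_fragments: bool = False


class NatOnlyGateway:
    """Toy 'full cone' NAT: a mapping is keyed by the inside endpoint only, so once the
    inside host has sent from a port, traffic from ANY outside address reaches that port.
    Non-TCP/UDP protocols are passed through to the inside host that last used them
    (an assumption modelled on protocol-passthrough options seen on SOHO routers)."""

    def __init__(self):
        self.mapped = set()       # (proto, inside ip, inside port)
        self.passthrough = {}     # proto -> inside ip

    def handle(self, pkt: Packet) -> str:
        if pkt.frag_offset > 0:
            return "drop"         # no ports to translate: the fragment cannot be mapped at all
        if pkt.direction == "out":
            if pkt.proto in ("tcp", "udp"):
                self.mapped.add((pkt.proto, pkt.src, pkt.sport))
            else:
                self.passthrough[pkt.proto] = pkt.src
            return "forward"      # everything outbound is translated and sent
        if pkt.proto in ("tcp", "udp"):
            # the sender's address is never consulted: only "is this port mapped?"
            return "forward" if (pkt.proto, pkt.dst, pkt.dport) in self.mapped else "drop"
        return "forward" if self.passthrough.get(pkt.proto) == pkt.dst else "drop"


class StatefulFirewall:
    """Allow all outbound, admit only replies to flows the inside opened (Hugh's policy),
    plus filtering of uncommon IP protocols and tracking of fragmented datagrams."""

    def __init__(self):
        self.flows = set()        # (proto, inside ip, inside port, remote ip, remote port)
        self.frag_heads = set()   # (src, dst, ip_id) of datagrams whose first fragment was admitted

    def handle(self, pkt: Packet) -> str:
        if pkt.proto not in ALLOWED_PROTOS:
            return "drop"         # uncommon IP protocol: never forwarded, in either direction
        if pkt.frag_offset > 0:
            # a non-initial fragment carries no ports; admit it only if its head was admitted
            return "forward" if (pkt.src, pkt.dst, pkt.ip_id) in self.frag_heads else "drop"
        if pkt.direction == "out":
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        elif (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) not in self.flows:
            return "drop"         # not the reply to anything the inside host sent
        if pkt.more_fragments:
            self.frag_heads.add((pkt.src, pkt.dst, pkt.ip_id))
        return "forward"


INSIDE, WEB, OUTSIDER = "192.168.1.10", "198.51.100.5", "192.0.2.66"   # constructed addresses

SCENARIO = [
    Packet("out", "tcp", INSIDE, WEB, 50000, 80),        # 0 inside host opens a web connection
    Packet("in",  "tcp", WEB, INSIDE, 80, 50000),        # 1 the server's reply
    Packet("in",  "tcp", OUTSIDER, INSIDE, 4444, 50000), # 2 unrelated host aims at the same mapped port
    Packet("in",  "tcp", OUTSIDER, INSIDE, 4444, 22),    # 3 unsolicited packet to an unmapped port
    Packet("out", "gre", INSIDE, WEB),                   # 4 inside host emits an uncommon protocol
    Packet("in",  "gre", OUTSIDER, INSIDE),              # 5 unsolicited inbound packet of that protocol
    Packet("out", "udp", INSIDE, WEB, 53000, 53),        # 6 a DNS query
    Packet("in",  "udp", WEB, INSIDE, 53, 53000, ip_id=9, more_fragments=True),  # 7 large reply, head
    Packet("in",  "udp", WEB, INSIDE, ip_id=9, frag_offset=185),                 # 8 its second fragment
    Packet("in",  "udp", OUTSIDER, INSIDE, ip_id=7, frag_offset=185),            # 9 orphan fragment
]


def run(device, packets):
    """Feed packets through one device in order and collect its verdicts."""
    return [device.handle(p) for p in packets]


def compare(packets=SCENARIO):
    """Verdicts of both devices on the same packet sequence, keyed by device."""
    return {"nat_only": run(NatOnlyGateway(), packets),
            "firewall": run(StatefulFirewall(), packets)}


if __name__ == "__main__":
    results = compare()
    for i, p in enumerate(SCENARIO):
        print(f"{i}: {p.direction:3} {p.proto:4} {p.src}:{p.sport} -> {p.dst}:{p.dport}"
              f"  nat={results['nat_only'][i]:7} fw={results['firewall'][i]}")
```

Packets 2 and 5 are where the two devices part ways: the NAT forwards them because a mapping or passthrough entry exists, while the filter drops them because neither is a reply to a flow the inside host opened. Packet 8 shows the other side of fragment handling: the NAT cannot map a portless fragment and drops a legitimate reply, whereas the filter admits it because it remembered the head of the same datagram and still rejects the orphan in packet 9.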