Re: NAT vs. True Firewalls

From: William Stacey
Date: 03/07/02

From: "William Stacey" <>
Date: Wed, 6 Mar 2002 21:22:20 -0500

Funny, I just had this discussion on a UNIX ng. In my view, a Firewall does
not just mean packet filter. A firewall can be made up of one or more
components that can block or filter protocol traffic between two networks.
O'Reilly's "Building Internet Firewalls" says a firewall is "A component or
set of components that restricts access between a protected network and the
Internet." So a NAT can be as much part of a firewall implementation as the
packet filter. By this definition, a firewall can contain either a packet
filter or NAT or both (or other current or future components).

I think the confusion is what type of NAT are we talking about - simple NAT
or NAT with stateful inspection? More UNIX people think of NAT in terms of
a simple NAT on a router. Most Windows people are familiar with stateful
NATs such as the one in w2k's RRAS and Winroute, etc. Both of these
products, for example, are secure. By default they will not allow any
traffic to flow past the NAT router unless you define a port map to allow
it. IMO, they do protect the LAN behind them. How do they not? Any
examples? Specific weaknesses in an implementation (I don't know of any in
winroute's or RRAS NAT off the top of my head, but I am sure they exist) are
different. However the concept is as strong as you can get.

They do not, however, provide any filtering or protection for the public
interface/IP they are NATing. For this, you will still need a packet
filter/firewall. So when you say "a NAT has nothing to do with security but
exists to provide more IP addresses", I would tend to disagree with the
first part because many people are using stateful NAT for both those
reasons - security and public IP sharing. Look forward to your reply. I
would like to know if NAT with stateful inspection can be compromised as we
should all be aware of this.


William Stacey, MCSE

"Jamie Beverly" <> wrote in message news:39yh8.61410$
> Let me start by saying that this confusion is most likely due to the
> inclusion of Firewalls with Routers. It tends to make people believe that a
> firewall and a router are the same thing.
> NAT (Network Address Translation) is a common feature of a Router. A
> Firewall can also be put on a Router, but has nothing to do with Routing.
>
> I think the difference between NAT and Firewall could possibly be made
> clearer if we define what actually happens in both a NAT and a firewall. I
> will TRY to do this in simple English.
> The following uses the assumption that the outside network address is
> and the internal network is
>
> NAT: Routing Protocol
> A packet originates from host, and is sent to its gateway (the NAT).
> The NAT receives the packet, replaces the source address with
> and sends it on its way. The server the packet is intended for
> receives the packet, and thinking it came from, replies to
> (the NAT). The NAT now checks what 'session' the incoming packet is related
> to, realizes it is intended for, and replaces the destination
> address with, and sends it on its way.
> Hence, all traffic originating from within the network goes through.
> Port forwarding allows connections to originate from the outside network by
> sending connection attempts on a specified port to a specific computer on
> the inside network, but the outside network again thinks it is talking to
> the NAT (
>
> A Firewall:
> A Firewall allows rules to be specified, and allows action to be taken based
> on those rules.
> Rules can be simple, like: don't allow connections to these ports; slightly
> more complex: don't allow communication to these ports on these specified
> hosts; or very complex: don't allow communication to these ports on these
> hosts if the attempted communication contains this type of data.
> Firewall configurations vary greatly depending on the specific needs of an
> organization.
>
> As you can see, both can be used in conjunction with one another, but have
> nothing to do with one another in regards to how they work, or what they do.
>
> In regards to security, a Firewall exists to provide security; a NAT has
> nothing to do with security but exists to provide more IP addresses. If you
> have a NAT with no firewall, then the machines behind the NAT might as well
> be on the internet directly from a security standpoint.
>
>
> "Jack Burton" <> wrote in message
> news:3c5843e6$0$1680$
> > Thanks for the responses. Specifically what I am referring to is NAT
> > solutions that are marketed as firewall security products such as Windows
> > 2000 server NAT and Linksys (and other clone) DSL/Cable routers. I
> > understand that NAT is a router function, however I am looking for an
> > in-depth comparison of the two.
> >
> > Thanks again.
> >
> >
>
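The two descriptions above (William's point that a stateful NAT forwards no inbound traffic without a session or a port map, and Jamie's walk-through of source rewriting and session lookup) can be made concrete with a small session-table simulation. The following is an added example, not code from RRAS, WinRoute, Linksys or any poster in the thread; the class names, the `check_peer` switch and every address, port and packet are constructed for illustration.

```python
# Toy stateful NAT session table, added here as an illustration of the
# behaviour the thread describes. It is not code from RRAS, WinRoute or
# any other product; all addresses, ports and packets are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulNat:
    """Port-overloading NAT that only forwards inbound packets matching a
    session it opened itself, or an explicitly configured port map."""

    def __init__(self, public_ip: str, first_port: int = 40000,
                 check_peer: bool = True):
        self.public_ip = public_ip
        self.next_port = first_port
        # check_peer=True is the 'stateful' behaviour: a reply must come from
        # the exact remote endpoint the inside host talked to. check_peer=False
        # models a simple mapping that accepts any source on an open port.
        self.check_peer = check_peer
        # (proto, public_port) -> (inside_ip, inside_port, remote_ip, remote_port)
        self.sessions: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        # static port maps: (proto, public_port) -> (inside_ip, inside_port)
        self.port_maps: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.not_forwarded: List[Packet] = []

    def add_port_map(self, proto: str, public_port: int,
                     inside_ip: str, inside_port: int) -> None:
        self.port_maps[(proto, public_port)] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source to the public IP and a
        public port, recording the session so the reply can be reversed."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for (proto, pub_port), recorded in self.sessions.items():
            if proto == pkt.proto and recorded == flow:
                break
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.sessions[(pkt.proto, pub_port)] = flow
        return Packet(pkt.proto, self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. Returns the translated packet, or None when
        nothing inside is allowed to receive it. None means 'not forwarded';
        the router's own stack still sees the packet on its public interface,
        which is why the public IP itself needs a separate packet filter."""
        key = (pkt.proto, pkt.dst_port)
        if pkt.dst_ip == self.public_ip and key in self.sessions:
            inside_ip, inside_port, remote_ip, remote_port = self.sessions[key]
            if not self.check_peer or (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside_ip, inside_port)
        if pkt.dst_ip == self.public_ip and key in self.port_maps:
            inside_ip, inside_port = self.port_maps[key]
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside_ip, inside_port)
        self.not_forwarded.append(pkt)
        return None


def demo() -> dict:
    """Walk through the cases discussed in the thread with constructed traffic."""
    nat = StatefulNat("203.0.113.5")
    web = Packet("tcp", "192.168.1.10", 51000, "198.51.100.7", 80)
    out = nat.outbound(web)                         # inside client opens a session
    reply = nat.inbound(Packet("tcp", "198.51.100.7", 80, "203.0.113.5", out.src_port))
    # An unrelated outside host sending to the open public port fails the peer check
    stranger = nat.inbound(Packet("tcp", "198.51.100.9", 4444, "203.0.113.5", out.src_port))
    # Unsolicited traffic to a port with no session and no port map is not forwarded
    probe = nat.inbound(Packet("tcp", "198.51.100.9", 4444, "203.0.113.5", 22))
    # An explicit port map is the only way to let outside connections start
    nat.add_port_map("tcp", 8080, "192.168.1.20", 80)
    forwarded = nat.inbound(Packet("tcp", "198.51.100.9", 4444, "203.0.113.5", 8080))
    # A simple mapping without the peer check would have forwarded 'stranger'
    loose = StatefulNat("203.0.113.5", check_peer=False)
    loose_out = loose.outbound(web)
    loose_stranger = loose.inbound(
        Packet("tcp", "198.51.100.9", 4444, "203.0.113.5", loose_out.src_port))
    return {
        "public_src": (out.src_ip, out.src_port),
        "reply_inside": (reply.dst_ip, reply.dst_port) if reply else None,
        "stranger_forwarded": stranger is not None,
        "probe_forwarded": probe is not None,
        "portmap_inside": (forwarded.dst_ip, forwarded.dst_port) if forwarded else None,
        "loose_stranger_forwarded": loose_stranger is not None,
        "not_forwarded": len(nat.not_forwarded),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `check_peer` switch is what separates the "simple NAT" and "stateful NAT" of William's post: with it on, only the remote endpoint an inside host actually contacted can send back through the mapping, and everything else to the public address is refused unless a port map says otherwise. Note also what `None` does not mean: the router itself still receives the packet on its public interface, which is the point about still needing a packet filter in front of the NAT's own IP.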
