Re: NAT vs. True Firewalls
From: William Stacey (staceyw@ameritech.net) Date: 03/07/02
- Next message: Tom G.: "Re: New firewall support group"
- Previous message: Fao, Sean: "Re: NAT vs. True Firewalls"
- In reply to: Jamie Beverly: "Re: NAT vs. True Firewalls"
- Next in thread: Kevin Davisł: "Re: NAT vs. True Firewalls"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "William Stacey" <staceyw@ameritech.net> Date: Wed, 6 Mar 2002 21:22:20 -0500
Funny, I just had this discussion on a UNIX ng. In my view, a Firewall does
not just mean packet filter. A firewall can be made up of one or more
components that can block or filter protocol traffic between two networks.
O'Reilly's "Building Internet Firewalls" says a firewall is "A component or
set of components that restricts access between a protected network and the
Internet." So a NAT can be as much part of a firewall implementation as the
packet filter. By this definition, a firewall can contain either a packet
filter or NAT or both (or other current or future component.)
I think the confusion is what type of NAT are we talking about - simple NAT
or NAT with stateful inspection? Most UNIX people think of NAT in terms of
a simple NAT on a router. Most Windows people are familiar with stateful
NATs such as the one in w2k's RRAS and Winroute, etc. Both of these
products, for example, are secure. By default they will not allow any
traffic to flow past the NAT router unless you define a port map to allow
it. IMO, they do protect the LAN behind them. How do they not? Any
examples? Specific weaknesses in an implementation (I don't know of any in
Winroute's or RRAS NAT off the top of my head, but I am sure they exist) are
different. However, the concept is as strong as you can get.
They do not, however, provide any filtering or protection for the public
interface/IP they are NATing. For this, you will still need a packet
filter/firewall. So when you say "a NAT has nothing to do with security but
exists to provide more IP addresses", I would tend to disagree with the
first part because many people are using stateful NAT for both those
reasons - security and public IP sharing. Look forward to your reply. I
would like to know if NAT with stateful inspection can be compromised as we
should all be aware of this.
Cheers!
--
William Stacey, MCSE

"Jamie Beverly" <jbeverly4@comcast.net> wrote in message
news:39yh8.61410$yL2.5302813@bin6.nnrp.aus1.giganews.com...
> Let me start by saying that this confusion is most likely due to the
> inclusion of Firewalls with Routers. It tends to make people believe that a
> firewall and a router are the same thing.
> NAT (Network Address Translation) is a common feature of a Router. A
> Firewall can also be put on a Router, but has nothing to do with Routing.
>
> I think the difference between NAT and Firewall could possibly be made
> clearer if we define what actually happens in both a NAT and a firewall. I
> will TRY to do this in simple English.
> The following uses the assumption that the outside network address is
> 1.2.3.4 and the internal network is 10.0.0.0.
>
> NAT: Routing Protocol
> A packet originates from host 10.0.0.2, and is sent to its gateway (the NAT).
> The NAT receives the packet, replaces the source address 10.0.0.2 with
> 1.2.3.4 and sends it on its way. The server the packet is intended for
> receives the packet, and thinking it came from 1.2.3.4, replies to 1.2.3.4
> (the NAT). The NAT now checks what 'session' the incoming packet is related
> to, realizes it is intended for 10.0.0.2, replaces the destination
> address with 10.0.0.2, and sends it on its way.
> Hence, all traffic originating from within the network goes through.
> Port forwarding allows connections to originate from the outside network by
> sending connection attempts on a specified port to a specific computer on
> the inside network, but the outside network again thinks it is talking to
> the NAT (1.2.3.4).
>
> A Firewall:
> A firewall allows rules to be specified, and allows action to be taken based
> on those rules.
> Rules can be simple, like: don't allow connections to these ports; slightly
> more complex: don't allow communication to these ports on these specified
> hosts; or very complex: don't allow communication to these ports on these
> hosts if the attempted communication contains this type of data.
> Firewall configurations vary greatly depending on the specific needs of an
> organization.
>
> As you can see, both can be used in conjunction with one another, but have
> nothing to do with one another in regards to how they work, or what they do.
>
> In regards to security, a Firewall exists to provide security; a NAT has
> nothing to do with security but exists to provide more IP addresses. If you
> have a NAT with no firewall, then the machines behind the NAT might as well
> be on the internet directly from a security standpoint.
>
>
> "Jack Burton" <aarons@artisansw.com> wrote in message
> news:3c5843e6$0$1680$724ebb72@reader2.ash.ops.us.uu.net...
> > Thanks for the responses. Specifically what I am referring to is NAT
> > solutions that are marketed as firewall security products such as Windows
> > 2000 server NAT and Linksys (and other clone) DSL/Cable routers. I
> > understand that NAT is a router function, however I am looking for an in
> > depth comparison of the two.
> >
> > Thanks again.
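The translation the quoted post walks through (10.0.0.2 becomes 1.2.3.4 on the way out, and the 'session' lookup maps the reply back) together with the behaviour William describes for a stateful NAT (nothing unsolicited reaches an inside host unless a port map says so), as an added example that is not code from this thread or from any product named in it. It is a toy Python model: the addresses 1.2.3.4 and 10.0.0.x come from the quoted post; the peer addresses 93.184.216.34 and 198.51.100.9, the port numbers, and the port map from public port 2222 to 10.0.0.5:22 are constructed for the example. It also goes one step beyond the text towards William's question of whether a stateful NAT can be compromised: the `endpoint_restricted` flag switches between a NAT that only admits replies from the remote endpoint the inside host actually contacted and a "full cone" NAT that admits any packet aimed at an open mapping, which a third party who learns the public port can exploit.

```python
"""Toy stateful NAT (NAPT) with port forwarding and two reply policies.

Added illustration, not code from the thread or any product named in it.
Addresses 1.2.3.4 and 10.0.0.x follow the quoted post; the remote hosts,
ports and the 2222 -> 10.0.0.5:22 port map are constructed for this demo.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Mapping:
    """One public port, owned by one inside socket."""
    inside_ip: str
    inside_port: int
    # remote endpoints this inside socket has sent to (used when restricted)
    remotes: Set[Tuple[str, int]] = field(default_factory=set)


class StatefulNat:
    def __init__(self, public_ip: str, first_port: int = 40000,
                 endpoint_restricted: bool = True):
        self.public_ip = public_ip
        self.next_port = first_port
        # True: inbound must come from an endpoint the inside host contacted
        # (address/port-restricted). False: any host that knows the public
        # port can reach the mapping (full-cone), the weaker policy.
        self.endpoint_restricted = endpoint_restricted
        self.public_port_of: Dict[Tuple[str, str, int], int] = {}  # (proto, in_ip, in_port)
        self.mappings: Dict[Tuple[str, int], Mapping] = {}         # (proto, public_port)
        self.forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}  # static port maps

    def add_port_forward(self, proto: str, public_port: int,
                         inside_ip: str, inside_port: int) -> None:
        self.forwards[(proto, public_port)] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: allocate state on first use, rewrite the source."""
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.public_port_of:
            pub = self.next_port
            self.next_port += 1
            self.public_port_of[key] = pub
            self.mappings[(pkt.proto, pub)] = Mapping(pkt.src, pkt.sport)
        pub = self.public_port_of[key]
        self.mappings[(pkt.proto, pub)].remotes.add((pkt.dst, pkt.dport))
        return Packet(pkt.proto, self.public_ip, pub, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Outside -> inside. Verdicts: 'session', 'forward', 'untranslated'.

        'untranslated' means no inside host ever sees the packet; whether the
        NAT box's own services answer it is a job for a packet filter.
        """
        if pkt.dst != self.public_ip:
            return ("untranslated", None)
        key = (pkt.proto, pkt.dport)
        m = self.mappings.get(key)
        if m is not None and (not self.endpoint_restricted
                              or (pkt.src, pkt.sport) in m.remotes):
            return ("session", Packet(pkt.proto, pkt.src, pkt.sport,
                                      m.inside_ip, m.inside_port))
        fwd = self.forwards.get(key)
        if fwd is not None:
            return ("forward", Packet(pkt.proto, pkt.src, pkt.sport, fwd[0], fwd[1]))
        return ("untranslated", None)


def demo(endpoint_restricted: bool = True) -> dict:
    """Run the scenario from the thread and return the verdict for each step."""
    nat = StatefulNat("1.2.3.4", endpoint_restricted=endpoint_restricted)
    nat.add_port_forward("tcp", 2222, "10.0.0.5", 22)      # constructed port map
    out = nat.outbound(Packet("tcp", "10.0.0.2", 51000, "93.184.216.34", 80))
    results = {"outbound": out}
    # 1. the genuine reply from the server the inside host talked to
    results["reply"] = nat.inbound(Packet("tcp", "93.184.216.34", 80, "1.2.3.4", out.sport))
    # 2. a third party that guessed (or observed) the public port
    results["spoofed"] = nat.inbound(Packet("tcp", "198.51.100.9", 80, "1.2.3.4", out.sport))
    # 3. unsolicited inbound to a port with no state and no port map
    results["unsolicited"] = nat.inbound(Packet("tcp", "198.51.100.9", 4444, "1.2.3.4", 22))
    # 4. unsolicited inbound that the port map explicitly admits
    results["forwarded"] = nat.inbound(Packet("tcp", "198.51.100.9", 4444, "1.2.3.4", 2222))
    return results


if __name__ == "__main__":
    for policy in (True, False):
        print("endpoint_restricted =", policy)
        for step, verdict in demo(policy).items():
            print("  ", step, "->", verdict)
```

With `endpoint_restricted=True` the spoofed packet to the live public port comes back `untranslated`, exactly like the unsolicited SYN to port 22; only the genuine reply and the explicitly port-mapped connection reach an inside host. Flip the flag to `False` and the spoofed packet is delivered to 10.0.0.2 as a `session` hit, which is the kind of implementation weakness William asks about: the difference between "NAT with stateful inspection" and a simple mapping table lies entirely in what the inbound check compares. In both modes the `untranslated` verdict says nothing about the NAT box itself, which is William's point that the public interface still needs a packet filter.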