Re: NAT vs. True Firewalls

From: Jamie Beverly
Date: 03/08/02

From: "Jamie Beverly" <>
Date: Fri, 08 Mar 2002 00:30:07 GMT

"William Stacey" <> wrote in message
> Funny, I just had this discussion on a UNIX ng. In my view, a Firewall
> does not just mean packet filter. A firewall can be made up of one or more
> components that can block or filter protocol traffic between two networks.
> O'Reilly's "Building Internet Firewalls" says a firewall is "A component or
> set of components that restricts access between a protected network and the
> Internet." So a NAT can be as much part of a firewall implementation as a
> packet filter. By this definition, a firewall can contain either a packet
> filter or NAT or both (or other current or future component.)
> I think the confusion is what type of NAT we are talking about - simple
> or NAT with stateful inspection? More UNIX people think of NAT in terms of
> a simple NAT on a router. Most Windows people are familiar with stateful
> NATs such as the one in w2k's RRAS and Winroute, etc. Both of these
> products, for example, are secure. By default they will not allow any
> traffic to flow past the NAT router unless you define a port map to
> it. IMO, they do protect the LAN behind them. How do they not? Any
> examples? Specific weaknesses in an implementation (I don't know of any in
> winroute's or RRAS NAT off the top of my head, but I am sure they exist) are
> different. However the concept is as strong as you can get.

Winroute and RRAS both provide firewall functions, such as packet inspection
and filtering, hence are more than a stateful NAT.
However, to answer your question, there are two possibilities for intrusion
with a stateful NAT with no packet filtering whatsoever, ignoring
vulnerabilities of the NAT itself. First, if you port-forward to any service
inside the NAT, and that service has security vulnerabilities, a NAT on its
own provides no means to disallow suspect packets. Second, and a bit more of
general concern, if a would-be intruder has, or can gain, access to other
hosts on your NAT's segment, the intruder can masq (or spoof) packets to
appear to originate from within your NAT's private segment. A firewall allows
you to specify rules like "if an RFC 1918 address comes in on the external
iface, drop it on the floor."
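The two points above, modelled as an added example (not code from the post or from any NAT product): a bare stateful NAT passes anything that matches a port map or an existing session without looking at the source address, while one anti-spoofing rule in front of it drops an RFC 1918 source arriving on the external interface. Interface names, addresses and port maps are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Private address blocks from RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "ext" (public side) or "lan"
    src: str
    sport: int
    dst: str
    dport: int

def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def nat_only(pkt: Packet, port_maps: dict, state: set, ext_iface: str = "ext") -> str:
    """Stateful NAT, no packet filter: outbound traffic is passed and its peer remembered;
    inbound passes only as a reply to a remembered peer or via a port map. Source is never inspected."""
    if pkt.iface != ext_iface:
        state.add((pkt.dst, pkt.dport))      # remember the peer of the outbound session
        return "FORWARD"
    if (pkt.src, pkt.sport) in state:        # reply to a session the LAN opened
        return "FORWARD"
    if pkt.dport in port_maps:               # forwarded port: anything goes through to the mapped host
        return "FORWARD"
    return "DROP"

def nat_with_filter(pkt: Packet, port_maps: dict, state: set, ext_iface: str = "ext") -> str:
    """Same NAT with one filter rule in front: a private source on the external iface can only be spoofed."""
    if pkt.iface == ext_iface and is_rfc1918(pkt.src):
        return "DROP"
    return nat_only(pkt, port_maps, state, ext_iface)

# Constructed sample traffic (not captured from any real network); 198.51.100.1 is the NAT's public IP.
PORT_MAPS = {80: "192.168.1.10"}   # port-forward TCP/80 to an internal web host
SPOOFED = Packet("ext", "192.168.1.50", 40000, "198.51.100.1", 80)     # private source on the public side
LEGIT_WEB = Packet("ext", "203.0.113.5", 40001, "198.51.100.1", 80)    # genuine client hitting the port map
UNSOLICITED = Packet("ext", "203.0.113.5", 40002, "198.51.100.1", 22)  # no map, no session

def compare(pkt: Packet) -> tuple:
    """Decision of the bare NAT versus the NAT plus anti-spoofing rule, with no prior sessions."""
    return nat_only(pkt, PORT_MAPS, set()), nat_with_filter(pkt, PORT_MAPS, set())

if __name__ == "__main__":
    for p in (SPOOFED, LEGIT_WEB, UNSOLICITED):
        print(p.src, "->", p.dst, p.dport, compare(p))
```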

> They do not, however, provide any filtering or protection for the public
> interface/IP they are NATing. For this, you will still need a packet
> filter/firewall. So when you say "a NAT has nothing to do with security and
> exists to provide more IP addresses", I would tend to disagree with the
> first part because many people are using stateful NAT for both those
> reasons - security and public IP sharing. Look forward to your reply. I
> would like to know if NAT with stateful inspection can be compromised as we
> should all be aware of this.

I agree with your statement that many people are using NATs alone for
security. People have also been known to draw a series of circles and dots
on their arms to prevent 'cooties.' Yes, a NAT with stateful inspection is
more difficult to compromise, as it is actually a simple firewall (stateful
inspection is a firewalling technology), but it could be easily compromised
depending on the rule sets you define.

> Cheers!
> --
> William Stacey, MCSE
