Re: Misconceptions

From: Leythos (void@nowhere.com)
Date: 01/14/03

Next message: Duane Arnold: "Re: XP <-> W2K Wireless Net dying - file sharing dead"
Previous message: Andy: "Re: ZoneAlarm, getting hacked a lot.."
In reply to: JR: "Misconceptions"
Next in thread: JR: "Re: Misconceptions"
Reply: JR: "Re: Misconceptions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: Leythos <void@nowhere.com>
Date: Mon, 13 Jan 2003 23:17:29 GMT

In article <LnAU9.46186$L47.6959148@read2.cgocable.net>,
notlikely@nowhere.com says...
> What some contributors to this newsgroup seem to need, is a better
> understanding of the devices and technologies commonly referred to here.
>
>
>
> There seems to be some confusion on what does what. In
> comp.security.firewalls FERRANTE (Mark) recently asked "Is a router a good
> firewall?" That is akin to asking "is a bus is a good airplane". Just
> because a bus can fly off a cliff or perform a stunt as in the movie
> "Speed", does not qualify it as an airplane!
>
>
>
> True routers route traffic much like the old railroad turntables
> (http://www.railroadextra.com/roundtab.html) were used to redirect
> locomotives when there was more than one path they could take. If there are
> only two pieces of track leading to the turntable, then the routing function
> is void and simply becomes a relaying function.
>
> Routers can implement "access control lists", a rudimentary form of
> filtering, but that does not make them a "firewall".
>
>
>
> NAT can be implemented on many routers, but only on stub network (the last
> leg of a route, usually a private/office network) routers. The original
> intent for NAT (see RFC1631) was a stop gap measure to overcome the
> increasing shortage of legitimate IPs (RFC1918). The fact that internal
> private address ranges were masked from public view was a side benefit as a
> result of the translation, not an intentional security measure.
>
>
>
> Routers are NOT firewalls. Firewalls implement security policies or rules
> and work closely with routers or routing functions. Firewalls either allow
> or deny packets based on the implemented rules. Any good firewall uses SPI
> (Stateful Packet Inspection) and PAT (Port Address Translation) as opposed
> to its lesser cousin NAT.
>
> Routers do not use SPI and PAT. If they do, then they are Router/Firewalls.
>
>
>
> Routers and Firewalls do not perform any anti-virus functions. These are
> handled by (surprise, surprise) anti-virus programs, which should be on the
> individual client machines if the firewall/router/NAT functions are on a
> separate, dedicated machine (as opposed to a network consisting of one
> computer). Anti-virus programs use pre-defined virus signatures and
> heuristic methods (on the better ones).
>
>
>
> A NIDS (Network Intrusion Detection System) is just that. It can be a
> combination of programs that alerts the system of attempted intrusion. For
> example, receiving a stream of FIN packets is not normal, and is therefore
> reported by the NIDS as a possible port scan, normally the prelude to an
> attack. Although Black Ice NIDS apparently has heuristic capabilities, that
> would be an anti-viral component working in conjunction with the NIDS, but I
> am not experienced with Black Ice.
>
>
>
> This rant is not meant to insult or offend anyone, but it would be nice to
> keep facts and information somewhat correct.
>
>
>
> If anyone finds the above info incorrect, let me know, and back it up with
> VALID documentation.

I liked this post so much that I won't even snip it when I reply!

This post has hit the proverbial nail 100% on the head - and I keep
trying to say this same thing to people that insist that a router/nat
box is a firewall (it's not).

I think that you summarized everything perfectly! Congratulations - keep
up the good work.

-- 
--
Leythos999@columbus.rr.com
(Remove 999 to reply to me)

Next message: Duane Arnold: "Re: XP <-> W2K Wireless Net dying - file sharing dead"
Previous message: Andy: "Re: ZoneAlarm, getting hacked a lot.."
In reply to: JR: "Misconceptions"
Next in thread: JR: "Re: Misconceptions"
Reply: JR: "Re: Misconceptions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Misconceptions
... >> NAT can be implemented on many routers, but only on stub network (the ... usually a private/office network) routers. ... >> Routers are NOT firewalls. ... >> A NIDS is just that. ...
(comp.security.firewalls)
Re: Do I really need firewall? A newbies question
... their own firewalls and you have the major ports blocked for the IPs ... you have assigned to your computers why would there be a reason to put ... router firewalls (on routers that I can afford lol) because it can lead ... I think this leads back to the age-old debate of which is better - ...
(comp.security.firewalls)
Re: EIGRP or OSPF over WAN
... routing protocols EIGRP and OSPF so that 2 routers on different subnets ... LAN A - 172.16.116.0/22 and LAN B 172.16.120.0/22 and they ... the firewalls and these two networks are connected but the routers do ... best to use eBGP for going through firewalls and hoping across to subnets when interfaces of each end routers are on different subnets. ...
(comp.dcom.sys.cisco)
Re: IE6 wont open some sites
... Any popup blockers, firewalls, proxy servers, or routers involved? ...
(microsoft.public.windows.inetexplorer.ie6.browser)
Re: A MuahMan self-contradiction?
... I have used Anti-virus software in the past. ... With the newer routers, advanced hardware firewalls, ... Problem solved on EVERY OS for EVERY computer on your network. ...
(comp.sys.mac.advocacy)