Re: router firewalls?

From: NeoSadist (neosad1st_at_charter.net)
Date: 04/07/04


Date: Wed, 07 Apr 2004 11:42:21 -0600

shope wrote:

> "NeoSadist" <neosad1st@charter.net> wrote in message
> news:1077c0l4vjvo98d@corp.supernews.com...
>> RB wrote:
>>
>> > Does any router work as a hardware firewall?
>>
>> Nope. A router only does NAT (network address translation). Some people
>> classify NAT as a firewall, but it's not in my opinion. It's simply how
>> a router routes packets from external IP's (internet) to internal IP's
>> (LAN).
>
> Agreed - but some routers do have a full built firewall functions (e.g. a
> Cisco with firewall IOS), and since a firewall usually supports NAT as
> well, you can get firewalls that do the same job as a SOHO router (e.g. a
> Cisco PIX 501) - I just pick on Cisco here as they are well known, and
> that's what I work with most.

But a router by definition doesn't need a firewall. A firewall is an
additional feature, not part of a router's job description.

>>
>> > If not, what router label do
>> > I look for to ensure the router I get will act as a firewall.
>>
>> Uh, the word "firewall" would do it for me....
>
> firewall is one of those terms which gets abused - so better to decide
> what you want and then look for the functionality rather than rely on the
> "F" word.

I know that.

>
> there are lots of blurred edges here - some firewalls use stateful packet
> inspection, some don't, others can scan for URLs and limit access, or watch
> data within a transfer with IDS style inspection to try to pick up worms
> and viruses.
>
> The key difference is that a firewall should more or less block everything
> that isn't explicitly allowed, and a router tends to allow everything that
> isn't explicitly blocked - under those rules just about every SOHO router
> isn't a firewall as they tend to allow any connection from inside to
> outside, to minimise the amount of setup needed.

Yes, they are diametrically opposed...

>>
>> >
>> > Seems I've heard of NAT routers. Is this one of the firewall routers?
>>
>> No, NAT is how they work, Router is what the object is. I'd slap someone
>> if they told me they had a "NAT router". I'd be like "DUH!" A router
>> without NAT, how would that work? lol.
>
> a bit of nit picking - NAT is usually only used for SOHO routers driving
> internet links or in a hosting centre - most enterprise networks (and most
> of the internet) are built from routers that are not configured for NAT.

I've yet to see a router without NAT, and/or use one, but then again....

>
>> Look for something that says "firewall" router. That, or find an old
>> pentium 1 with 64mb ram and 1gb hdd and put Smoothwall 2.0 Linux on it.
>> Then it will act as a router AND a firewall AND a DHCP server (and DHCP
>> is another useful thing most routers do, but is not part of the "job
>> requirements" of a router).
>>
>> --
>> Nobody wants constructive criticism. It's all we can do to put up with
>> constructive praise.

-- 
Maintainer's Motto:
        If we can't fix it, it ain't broke.
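
The default-allow versus default-deny distinction quoted above from shope, as an added example that is not part of the original thread: a small Python model of a stateful gateway run once as a SOHO-style router (any inside-to-outside connection allowed) and once as a firewall with an explicit outbound allow list. The LAN range, addresses, ports and the `Gateway` class are constructed for illustration, and address rewriting by NAT is not modeled, only the connection state it implies.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # constructed example LAN


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        """The packet travelling in the opposite direction on the same flow."""
        return Packet(self.dst, self.dport, self.src, self.sport)


class Gateway:
    """Stateful gateway (hypothetical model).

    allow_out=None  -> SOHO router: every inside-to-outside connection passes.
    allow_out={...} -> firewall: outbound is dropped unless the destination
                       port is explicitly allowed.
    Either way, traffic from outside passes only as a reply to a tracked flow.
    """

    def __init__(self, allow_out=None):
        self.allow_out = allow_out
        self.flows = set()  # connections opened from inside

    def handle(self, p):
        if ip_address(p.src) in LAN:
            if self.allow_out is not None and p.dport not in self.allow_out:
                return "drop"  # not explicitly allowed
            self.flows.add(p)
            return "forward"
        return "forward" if p.reply() in self.flows else "drop"


# Constructed traffic: a web request, an outbound connection to a port that is
# not on the allow list, and an unsolicited inbound connection attempt.
WEB = Packet("192.168.1.10", 40000, "203.0.113.5", 443)
ODD = Packet("192.168.1.10", 40001, "198.51.100.7", 6667)
UNSOLICITED = Packet("198.51.100.7", 12345, "192.168.1.10", 445)
TRAFFIC = [WEB, WEB.reply(), UNSOLICITED, ODD, ODD.reply()]


def compare():
    """Return (SOHO router verdicts, firewall verdicts) for TRAFFIC."""
    soho = [Gateway().handle(p) for p in TRAFFIC] if False else None
    soho_gw, fw_gw = Gateway(), Gateway(allow_out={53, 80, 443})
    return [soho_gw.handle(p) for p in TRAFFIC], [fw_gw.handle(p) for p in TRAFFIC]
```

Both gateways drop the unsolicited inbound packet, which is why NAT is often mistaken for a firewall; they differ only on the outbound connection to the unlisted port and its reply.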

