Re: D-Link 604 Router

From: Leythos (void_at_nowhere.com)
Date: 06/22/04


Date: Tue, 22 Jun 2004 13:39:56 GMT

In article <8tadneoFTcK9Lkrd4p2dnA@comcast.com>, reply-to-newsgroup@do-not-email.invalid says...
[snip]
> I can filter outbound connections using URL filtering using something
> like a proxy, say PC Magazine's CookieCop, which is obviously not a
> firewall and also obviously nothing to do with NAT. Not having any
> firewall software or hardware and no router, and just connecting the NIC
> directly to the cable modem, also would not filter outbound traffic and
> obviously NAT isn't even used in this scenario. Filtering
> outbound/inbound traffic, or the lack of it, has nothing to do with NAT.

You've said two things here - filtering outbound traffic and NAT. The
URL filter does nothing to "filter" web connections, only block access
based on URL - I specifically stated that many firewalls allow you to
remove host information, active-x, java scripting, files by extension
from the HTTP experience - many of them also block by content "type"
based on categories and include start/stop block times. The URL filter,
while blocking access to a site, is nothing close to what I described -
you could duplicate that router function in your hosts file on the PC if
you wanted to.

You and I agree on the last sentence - filtering has nothing to do with
NAT. Filtering has to do with applying rule sets to the traffic type
that the rule is defined for. URL Filter doesn't do anything to the
traffic, it blocks access before the traffic leaves the router, it does
not "filter" the traffic.

Now, as for routers that employ NAT, they do in a sense "filter"
traffic: if properly designed, they only permit the destination address
to communicate with the source address over the requesting IP/port, so
that another address cannot communicate with the same IP/port without
being solicited by the source. No, this is not a firewall type, it's
how NAT works in a 1:X setting. This means that unless the source IP
requests something from an external IP, the external IP cannot get
inside the network.

> http://snipurl.com/78us. Actually you and I may be in vehement
> agreement that NAT does no filtering but have simply stated it
> differently.

I think you are right :)

> Lacking the detection of unauthorized outbound connections is not just a
> property of NAT routers. Windows XP's firewall doesn't check nor
> restrict outbound connections, even from spyware, but is still
> considered a firewall. Neither does BlackIce block outbound
> connections. Not restricting outbound connections (which are not
> initiated by permitted inbound connections) does not disqualify a
> product as a firewall.

This is where we're going to disagree - I don't feel, by definition,
that ICF, NAT (by itself), nor anything that doesn't block outbound
connections, is considered a firewall. For a firewall, in real world
practice, to work, it has to block connections in both directions until
rules are enabled/added to permit communications, or has the ability to
block inbound/outbound connections based on type once rules are created.
Anything less is not a firewall, it's just a router/port filter. Since I
know that some routers provide "private port ranges" I should also point
out that I don't consider those functions to qualify as a firewall
either. Most of those routers provide a limited amount of "private" port
definition space and can't block all outbound ports.

As for BID, it started as an IDS, not a firewall. I've used it for IDS,
but will never use it for a firewall setting. Unless they completely
rewrite it, with a different team, and call it something else, it will
always be an IDS with some additional features. There was a real big
stink about BID trying to become a firewall a long time ago, when they
were not really a firewall - more marketing hype.

> I'm pretty sure every firewall product could be
> configured to permit fully unrestricted and unfiltered outbound traffic.

> Yes, the DFL-300 has a better firewall than does the DI-604, but this
> does NOT mean the DI-604 has no firewall. Just because 200-pound
> watermelons exist does not mean all the 20-pound watermelons are no
> longer watermelons.

I think we sort of agree on most of what I snipped above, but on this
part, we're not going to agree. You see, I don't care if they've watered
down the definition to make their products appear to qualify as
firewalls. The definition for what a firewall is was around LONG before
the marketing types started calling their routers with NAT firewalls. In
fact, when the routers with NAT first came out they were called Cable
Modem Routers and then about a year later, with no changes to features,
they started calling the same units Firewalls.

> > Now you know why I brought up the difference between NAT devices and
> > Firewalls.
>
> I wonder how long ago we lost Roy, the OP. ;->

I hope we've not lost him, or anyone else at all. It's very important
that people understand what a firewall is, not what some marketing types
are calling firewalls today. I could call a bicycle with 12 speeds a
fast transportation device, but that doesn't make it a car, which is
also a fast transportation device - the bike has a subset of features
and not the full functionality of the latter.

I'm going to stick with my firewall definition, it's what keeps my
customers safe from intruders. The products I use have additional
features that act as great barriers to things like email viruses,
malicious HTTP sites, and also provide content filtering where asked
based on any combination of content that a company could want.

I could not install a Router/NAT device in a medical center and feel
secure, so, why would I feel secure about using it in my neighbors home?

On the counter point, routers with NAT (and some pretty whistles) make
great home user protection devices since most home users can't afford a
firewall device (and don't know how to properly configure firewall
software on their computers). While the protection is limited to
blocking inbound connections, it's often enough to keep the computer
from directly being compromised by an external person/attack aimed at
the public address assigned to the user. While this does nothing for
HTTP/SMTP, it does provide the user with the ability to get on the
internet, not get hacked while downloading the Windows Updates,
downloading the Norton AV updates, and getting other security updates
BEFORE they start playing on the net.

Don't get me wrong, I would never let a user rely on something running
on their computer (self configured / user configurable) to protect their
system, the router with NAT is the "First" line of defense, and is only
a part of the plan, but it's a vital part for SOHO/Home users that can't
afford a real firewall device.

-- 
spamfree999@rrohio.com
(Remove 999 to reply to me)
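The two behaviours argued over in the post, side by side: a 1:X NAT router whose translation table lets only the solicited peer (address and port) back in but imposes no outbound policy at all, and a firewall in the sense Leythos uses the word, default-deny in both directions until a rule permits a flow, with replies to permitted flows passed by state. This is an added Python model written for this page, not code from the original post or from any D-Link product; the addresses, ports, rule format and the "spyware" connection are constructed for the demonstration.

```python
"""Toy model of a 1:X NAT router versus a default-deny stateful firewall.
Added example; all addresses, ports and rules below are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Nat1toX:
    """Port-restricted NAT: every outbound packet creates a translation; an
    inbound packet is delivered only if it comes from the exact peer the
    inside host solicited. There is no outbound policy whatsoever."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}  # (in_ip, in_port, peer_ip, peer_port, proto) -> ext_port
        self.in_map = {}   # (ext_port, peer_ip, peer_port, proto) -> (in_ip, in_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet, allocating a mapping if new."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        if key not in self.out_map:
            ext = self.next_port
            self.next_port += 1
            self.out_map[key] = ext
            self.in_map[(ext, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.out_map[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as delivered to the inside host, or None if dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.in_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if inside is None:
            return None  # unsolicited: no inside host asked this peer for anything
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1], pkt.proto)


@dataclass(frozen=True)
class Rule:
    direction: str                 # "in" or "out"
    proto: str
    dst_port: Optional[int] = None  # None matches any destination port


class StatefulFirewall:
    """Default deny in both directions. A new flow needs an explicit rule for
    its direction; packets belonging to a permitted flow pass either way."""

    def __init__(self):
        self.rules = []
        self.flows = set()  # 5-tuples of flows already permitted

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def _permitted_new(self, pkt: Packet, direction: str) -> bool:
        return any(r.direction == direction and r.proto == pkt.proto
                   and r.dst_port in (None, pkt.dst_port) for r in self.rules)

    def _pass(self, pkt: Packet, direction: str) -> bool:
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if flow in self.flows or reverse in self.flows:
            return True  # reply or continuation of an already-permitted connection
        if self._permitted_new(pkt, direction):
            self.flows.add(flow)
            return True
        return False

    def outbound(self, pkt: Packet) -> bool:
        return self._pass(pkt, "out")

    def inbound(self, pkt: Packet) -> bool:
        return self._pass(pkt, "in")


def run_scenario() -> dict:
    """Constructed traffic: an inside web request and its reply, two
    unsolicited probes, and a 'spyware' connection to a non-web port."""
    nat = Nat1toX("198.51.100.1")
    fw = StatefulFirewall()
    fw.add_rule(Rule("out", "tcp", 80))  # the only permitted new flow: web out

    web = Packet("192.168.0.10", 51000, "203.0.113.5", 80)
    spyware = Packet("192.168.0.10", 51001, "192.0.2.66", 6667)
    r = {}

    xlated = nat.outbound(web)
    reply = Packet("203.0.113.5", 80, xlated.src_ip, xlated.src_port)
    r["nat_reply_delivered"] = nat.inbound(reply) == Packet("203.0.113.5", 80, "192.168.0.10", 51000)
    # another host hitting the same mapped port is not the solicited peer
    r["nat_other_host_blocked"] = nat.inbound(Packet("192.0.2.66", 80, xlated.src_ip, xlated.src_port)) is None
    r["nat_unsolicited_blocked"] = nat.inbound(Packet("192.0.2.66", 4444, "198.51.100.1", 445)) is None
    r["nat_spyware_translated"] = nat.outbound(spyware).src_ip == "198.51.100.1"  # NAT lets it out

    r["fw_web_allowed"] = fw.outbound(web)
    r["fw_reply_allowed"] = fw.inbound(Packet("203.0.113.5", 80, "192.168.0.10", 51000))
    r["fw_spyware_blocked"] = not fw.outbound(spyware)       # no rule for port 6667
    r["fw_unsolicited_blocked"] = not fw.inbound(Packet("192.0.2.66", 4444, "192.168.0.10", 445))
    return r


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

The point the model makes concrete is the one the post argues: both devices drop the unsolicited inbound probes, but only the firewall drops the outbound connection to port 6667, because the NAT's only "policy" is the mapping table that outbound traffic itself creates. Real NAT implementations differ in how strictly they restrict inbound matches (full-cone, address-restricted, port-restricted); the model uses the port-restricted behaviour the post describes.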

