Re: suggestions on router w/firewall
From: CZ (CZ_at_no99spam.com)
Date: 11/07/04
- Next message: Duane Arnold: "Re: Loose Internet Connection Overnight"
- Previous message: Beauregard T. Shagnasty: "Re: Loose Internet Connection Overnight"
- In reply to:(deleted message) Leythos: "Re: suggestions on router w/firewall"
- Next in thread: Leythos: "Re: suggestions on router w/firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 07 Nov 2004 03:17:03 GMT
Leythos:
***
I wrote:
> Some end user NAT-router products only have simple packet filtering (if
> even that) for a firewall (some have SPI, which appears to be DoS protection
> for the WAN port).
You wrote:
I see now, and this is where we differ, I would never make the mistake
of using NAT, even with SPI, as a firewall method. You continue to
describe standard NAT (with or without SPI) as a firewall service.
My response:
Not in my opinion.
That sentence refers to four concepts: NAT, router, simple packet filtering,
SPI.
Only simple packet filtering and SPI are generally considered to be
firewalls.
***
I wrote:
> A simple packet filtering firewall can only make a forward/drop decision
> based on static rules and info in the packet headers at OSI layer 3 & 4
> (primarily IP address & port #).
You wrote:
What you are describing is not a property of a firewall, it's a property
of Port Forwarding, and while Firewalls can forward ports, port
forwarding does not make them firewalls.
My response:
Not true, and this is possibly the root of our differences: you are not
acknowledging simple packet filtering as a firewall, and as a different
concept from a NAT.
A simple packet filtering firewall can make a forward/drop decision by
comparing packet header info to static rules, and it does not change the
packet.
A NAT makes a forward/drop decision by comparing entries in a dynamically
created port table to packet header info, and NAT does change the packet.
NAT also can support port forwarding, which compares entries in a static
table to packet header info, and the packet will be changed.
Note the difference: a simple packet filter does not change the packet, NAT
always changes the packet.
***
You wrote:
"... a device that can't tell the difference between HTTP and FTP is not a
firewall."
Apparently WatchGuard disagrees with you:
From: http://www.watchguard.com/products/dynamic.asp?nav=fbiii
"Packet filtering refers to a firewall's ability to examine IP packet
headers to determine a source packet's origination or destination addresses
and the network transport service used."
My comments:
IP headers & TCP/UDP headers do not contain info re: HTTP or FTP protocols,
so no filtering decision based on the HTTP or FTP protocols is possible at
the IP & TCP/UDP header level, but that does not invalidate referring to
products that work at those levels as firewalls.
IMO, some generally accepted types of firewalls:
Application gate
Packet filters:
Stateless
Stateful
Circuit level filters
Application level filters
Proxy service
IMO, some items that are generally considered to not be firewalls:
Router
NAT
MS's ISA product, and apparently your choice of Firebox products, supports
multi-level filtering and a Web proxy. That would include all of the above
mentioned generally accepted types of firewalls, except for application
gate.
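The distinction argued in this post (a stateless packet filter decides from static rules on L3/L4 header fields and leaves the packet untouched, while NAT decides from a dynamically built port table, or a static port-forwarding table, and rewrites the packet) can be seen directly in a small simulation. This is an added example, not code from the thread; the IP addresses, ports and rule set are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

# Stateless packet filter: static rules matched against L3/L4 header fields only.
# Constructed rule set; "any" is a wildcard. First match wins, default is drop.
FILTER_RULES = [
    ("any", "192.0.2.10", "tcp", 80, "forward"),
    ("any", "192.0.2.10", "tcp", 21, "drop"),
]

def packet_filter(pkt, rules=FILTER_RULES, default="drop"):
    for src, dst, proto, dport, action in rules:
        if (src in ("any", pkt.src_ip) and dst in ("any", pkt.dst_ip)
                and proto == pkt.proto and dport == pkt.dst_port):
            return action, pkt          # the packet itself is never modified
    return default, pkt

class Nat:
    """NAT device: decides by table lookup and rewrites addresses/ports."""
    def __init__(self, public_ip, port_forwards=None):
        self.public_ip = public_ip
        self.dynamic = {}                        # public_port -> (inside_ip, inside_port)
        self.static = dict(port_forwards or {})  # port forwarding: configured by hand
        self.next_port = 40000

    def outbound(self, pkt):
        # Create (or reuse) a dynamic entry for the inside host, then rewrite the source.
        public_port = next((p for p, v in self.dynamic.items()
                            if v == (pkt.src_ip, pkt.src_port)), None)
        if public_port is None:
            public_port, self.next_port = self.next_port, self.next_port + 1
            self.dynamic[public_port] = (pkt.src_ip, pkt.src_port)
        return "forward", replace(pkt, src_ip=self.public_ip, src_port=public_port)

    def inbound(self, pkt):
        # Forward only if a dynamic or static entry matches the destination port.
        entry = self.dynamic.get(pkt.dst_port) or self.static.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or entry is None:
            return "drop", pkt              # unsolicited traffic has no table entry
        inside_ip, inside_port = entry
        return "forward", replace(pkt, dst_ip=inside_ip, dst_port=inside_port)
```

Note that the filter returns the very same packet object it was given, whereas every packet NAT forwards is a rewritten copy.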