Security Basics mailing list archives

RE: Physical Firewalls VS NAT


From: "Chad Butler" <chad.butler () ipaymybills com>
Date: Wed, 30 Oct 2002 13:58:42 -0500

I think the best advice in this type of situation is that which has been
given to me before.  The more granular the filtering, the better.  I
would think it would come down to what type of network the client is
trying to protect.  If it is one in which the risk of network compromise
is acceptable, then something like a filtering router or stateful packet
filtering firewall might be fine.  However, if a network compromise
would bring the particular client to their knees, you might want to look
at something a little more robust like an application proxy.  Just in
case you don't know the difference between the options I just mentioned,
a stateful packet filter firewall provides slightly more security than
an IP filtering/port blocking device in that it is aware of what packet
behavior and communication conditions should look like.  It is in the
event of attacks against web applications, for instance, when the
traffic is behaving as normal with attack instructions embedded inside,
that the application proxy comes into play.  It can often drop
connections based on anomalies in the application layer of the TCP/IP
stack.  An example of the application proxy device is Raptor firewall.
It provides port blocking/IP filtering tasks, redirects for public to
private addresses, NAT, spoofed responses to attack attempts, etc.  I
hope this helps.

Chad Butler
Security Administrator
GSEC
iPay, LLC
866-851-4729 ext. 240


-----Original Message-----
From: Rick Darsey [mailto:rdarsey () aims1 com] 
Sent: Wednesday, October 30, 2002 10:10 AM
To: Security Basics
Subject: Physical Firewalls VS NAT




I am not sure if this is the right list for this question. If it is not,
please let me know where to post it.

I am doing some research for one of my clients.  They have requested a
physical firewall installed on their network.  They are already running
a NAT'ed network behind a LinkSYS router.

In this situation, what benefits, if any, will the physical firewall
provide?  The LinkSYS router already does port filtering and forwarding,
and blocks incoming WAN requests.  This is my understanding of what a
firewall does.  Granted, the firewall will be more granular, but is it
necessary, or just redundant?


Thanks

Rick Darsey
AIMS, Inc.
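
The three filtering tiers compared in the reply above, run over the same constructed traffic, as an added example that is not part of either message: a port filter, a stateful packet filter and an application proxy each return a verdict per packet. The policy values, the `Packet` tuple and all function names are assumptions made for illustration, and the connection tracking is deliberately simplified.

```python
from collections import namedtuple

ALLOWED_PORTS = {80}                        # assumed policy: only a web server is published
ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # assumed policy
# Simplified stand-in for a TCP segment; flags: "S" = SYN, "A" = ACK, "PA" = PSH+ACK
Packet = namedtuple("Packet", "src dst_port flags payload", defaults=(b"",))

def port_filter(pkt):
    """Filtering router: decides on the destination port alone."""
    return pkt.dst_port in ALLOWED_PORTS

class StatefulFilter:
    """Stateful packet filter: non-SYN segments must belong to a flow it saw open."""
    def __init__(self):
        self.flows = set()
    def allow(self, pkt):
        key = (pkt.src, pkt.dst_port)       # real devices track the full 4-tuple and TCP state
        if port_filter(pkt) and pkt.flags == "S":
            self.flows.add(key)
        return port_filter(pkt) and key in self.flows

def proxy_allow(payload):
    """Application proxy: parses the HTTP request line and rejects anomalies."""
    try:
        line = payload.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return False
    parts = line.split(" ")
    if len(parts) != 3:
        return False
    method, uri, version = parts
    return (method in ALLOWED_METHODS and version in ("HTTP/1.0", "HTTP/1.1")
            and uri.startswith("/") and len(uri) <= 2048 and ".." not in uri
            and uri.isprintable())

def evaluate(packets):
    """Return (port_filter, stateful, proxy) verdicts for each packet, in order."""
    fw, out = StatefulFilter(), []
    for p in packets:
        stateful = fw.allow(p)
        proxy = stateful and (not p.payload or proxy_allow(p.payload))
        out.append((port_filter(p), stateful, proxy))
    return out

# Constructed traffic using documentation address ranges
REQ = b"GET %s HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE = [Packet("203.0.113.5", 80, "S"), Packet("203.0.113.5", 80, "PA", REQ % b"/index.html"),
          Packet("203.0.113.5", 80, "PA", REQ % b"/../../etc/passwd"),
          Packet("198.51.100.9", 80, "A"), Packet("198.51.100.9", 23, "S")]
```

In `evaluate(SAMPLE)` the third packet passes both packet filters because the flow itself is well formed, and only the proxy rejects it; the fourth passes the port filter but is dropped by the stateful filter because no SYN opened that flow.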

