Security Basics mailing list archives

Re: Physical Firewalls VS NAT


From: "Chris Berry" <compjma () hotmail com>
Date: Wed, 30 Oct 2002 13:58:18 -0800

From: "Rick Darsey" <rdarsey () aims1 com>
> I am doing some research for one of my clients.  They have requested a
> physical firewall installed on their network. They are already running a NAT'ed network behind a LinkSYS router.
> In this situation, what benefits, if any, will the physical firewall
> provide? The LinkSYS router already does port filtering and forwarding, and blocks incoming WAN requests. This is my understanding of what a firewall does. Granted, the firewall will be more granular, but is it necessary, or just redundant?

Can't stress this strongly enough: A ROUTER IS NOT A FIREWALL. That said, if they have no critical data, can handle a reasonable amount of downtime for rebuilding their network if they're hacked, and have no money, then maybe it's not worth it; otherwise I strongly recommend putting in a firewall. Here are a few points as to why this is better:

1) A router is designed with the idea of assisting communication, while a firewall is designed with the idea of limiting it.

2) Firewalls can do stateful packet inspection

3) As you mentioned, firewalls have more granular control, allowing you to control traffic both ways for example.

4) Many cheap routers have "backdoors" or "administrative passwords" which allow the company techs to get in regardless of what you've set, since these can often be found on warez sites.

5) The default settings on Linksys routers (which can come up after a power loss, for example) are not secure.

6) Linksys routers have no logging capability.

7) NAT is no protection unless you have a method of dropping source routed packets.

If the client is worried about the cost, put together an old box running a firewall-specific distro of Linux. If they're running M$ boxes, you could easily slap in a few copies of ZoneAlarm Pro and have them up and running in under half an hour, if it's extra work that you're worried about.

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"Ok, so the servers are down, the lights are out, and all I have to work with is a roll of duct tape, a ball point pen, a lighter, and a twenty year old copy of emacs. Where's the problem? "
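The "old box running a firewall-specific distro of Linux" that the post recommends would carry a ruleset along the lines of the one below. This is an added example, not something from the thread or from any firewall distribution; it turns points 1, 2, 3, 6 and 7 of the post into concrete Linux commands. The interface names (eth0 toward the ISP, eth1 toward the office) and the LAN range 192.168.1.0/24 are assumptions. The function prints the commands rather than running them, so the set can be reviewed on any machine; piping its output into `sh` as root applies it.

```shell
#!/bin/sh
# Added example: a minimal stateful firewall for a Linux box placed between
# the WAN and the LAN. Interface names and the LAN subnet are assumptions.
WAN_IF="${WAN_IF:-eth0}"              # assumed: interface facing the ISP
LAN_IF="${LAN_IF:-eth1}"              # assumed: interface facing the office
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed: private range behind NAT

# Emit the ruleset on stdout. Run as:  generate_firewall_rules | sudo sh
generate_firewall_rules() {
    cat <<EOF
# Point 7: make the kernel refuse source-routed packets on every interface,
# and drop packets whose source address is not reachable via the interface
# they arrived on (reverse-path filtering)
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.default.accept_source_route=0
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.ip_forward=1
# Point 1: a firewall limits traffic, so start from deny for anything
# arriving at or passing through the box
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Point 2: stateful inspection. The LAN may open connections outward;
# from the WAN only replies to connections the LAN already opened pass.
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Point 3: control outbound traffic too, e.g. keep Windows file sharing
# from leaving the office (inserted first so it wins over the rule above)
iptables -I FORWARD -o $WAN_IF -p tcp --dport 445 -j DROP
# Anti-spoofing: a packet from the WAN side must never claim a LAN address
iptables -A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
# Point 6: log what is about to be dropped, rate-limited so a flood cannot
# fill the disk; the policy DROP then discards it
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
# Management of the box itself: loopback, and the LAN may talk to it
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# NAT for the LAN, done here rather than on the consumer router
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Number of iptables commands in the generated set, for a quick sanity check
count_iptables_rules() {
    generate_firewall_rules | grep -c '^iptables'
}

generate_firewall_rules
```

The `-j LOG` line is what makes the difference the post draws in point 6: dropped packets show up in the kernel log with the `FW-DROP:` prefix, so a syslog grep tells you who is knocking, something the consumer router cannot do. The `accept_source_route=0` sysctls address point 7; with them set, a packet carrying a source route option is discarded by the kernel before NAT or the forwarding rules ever see it.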
