Firewall Wizards mailing list archives

Re: NAT on router vs. firewall


From: Neil Pike <NeilPike () compuserve com>
Date: Wed, 15 Jul 1998 14:10:40 -0400

<< From: Bill_Royds () pch gc ca
What do you do for a service that you want to limit to a known set of
source IP numbers?
You would have to have your router have a number of filter rules on input
IP, which eventually makes your router an inefficient secondary firewall.
 I know that dedicated hackers can spoof source IP numbers, but a casual
cracker has more difficulty, so filtering on source IP (which a firewall
can do more readily than a router) raises the bar to attacks. One has to
fake a source IP, fake the sequence numbers, capture replies ..., rather
than just call the router with a session. >>
 
 Bill,
 
 If I want to limit it to certain source-ip addresses then I translate 
these into a separate pool of internal addresses in a one-for-one 
manner.  (Which is something I do for one system where only one known 
internet address is currently to be allowed through).

 Neil Pike MVP/MCSE
 Protech Computing Ltd
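
As an added example that is not part of the original thread, here is a small Python model of the one-for-one translation Neil describes: each permitted Internet address is mapped to its own internal address in front of the service, and a packet from any other source has no mapping and is dropped. The addresses (RFC 5737 documentation ranges), the pool contents and the function names are constructed for illustration. The reverse translation also makes Bill's caveat concrete: a forged source address does pass the lookup, but the reply is returned to whoever really holds that address, so the forger still has to capture it.

```python
# Added example (not from the original post): a model of the one-for-one
# NAT pool Neil describes, where each permitted Internet address gets its
# own internal address and anything else has no mapping and is dropped.
# All addresses are constructed from the RFC 5737 documentation ranges.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


# Public address the service is advertised on, and where it really lives.
PUBLIC_SERVICE = "198.51.100.5"
INTERNAL_SERVICE = "10.0.0.5"
SERVICE_PORT = 443

# Constructed one-for-one pool: permitted Internet address -> private
# address it appears as on the inside.  A source that is not a key here
# simply has no translation.
ONE_TO_ONE_POOL: Dict[str, str] = {
    "203.0.113.10": "10.0.0.10",
    "203.0.113.11": "10.0.0.11",
}


def check_pool(pool: Dict[str, str]) -> Dict[str, str]:
    """Validate that the pool really is one-for-one and return its inverse.

    Raises ValueError on an unparsable address or on two external
    addresses sharing one internal address (which would make replies
    ambiguous and merge two sources the policy meant to keep apart).
    """
    inverse: Dict[str, str] = {}
    for ext, internal in pool.items():
        ip_address(ext)
        ip_address(internal)
        if internal in inverse:
            raise ValueError(
                f"{internal} is mapped from both {inverse[internal]} and {ext}")
        inverse[internal] = ext
    return inverse


REVERSE_POOL = check_pool(ONE_TO_ONE_POOL)


def inbound(pkt: Packet) -> Optional[Packet]:
    """Translate a packet arriving from the Internet toward the service.

    Returns the rewritten packet, or None when it must be dropped: wrong
    destination or port, or a source address with no entry in the pool.
    """
    if pkt.dst != PUBLIC_SERVICE or pkt.dport != SERVICE_PORT:
        return None
    internal_src = ONE_TO_ONE_POOL.get(pkt.src)
    if internal_src is None:
        return None
    return Packet(src=internal_src, dst=INTERNAL_SERVICE,
                  sport=pkt.sport, dport=pkt.dport)


def outbound(pkt: Packet) -> Optional[Packet]:
    """Translate a reply from the service back toward the Internet.

    The reply is addressed to a pool address; the inverse map decides
    which real Internet host receives it.  A forged source address in the
    original request therefore gets its reply delivered to the address's
    true owner, not to the forger.
    """
    if pkt.src != INTERNAL_SERVICE or pkt.sport != SERVICE_PORT:
        return None
    external_dst = REVERSE_POOL.get(pkt.dst)
    if external_dst is None:
        return None
    return Packet(src=PUBLIC_SERVICE, dst=external_dst,
                  sport=pkt.sport, dport=pkt.dport)


if __name__ == "__main__":
    # Constructed traffic: a permitted client, an unknown client, and the
    # service's reply to the permitted one.
    for p in (Packet("203.0.113.10", PUBLIC_SERVICE, 40000, 443),
              Packet("192.0.2.77", PUBLIC_SERVICE, 40001, 443)):
        print(p, "->", inbound(p))
    print(outbound(Packet(INTERNAL_SERVICE, "10.0.0.10", 443, 40000)))
```

On a real firewall or router this is one static (one-to-one) NAT entry per permitted address plus a rule that drops anything else destined for the service; the model only makes the lookup in each direction explicit, and the pool check guards against the mistake of pointing two external addresses at the same internal one.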