Firewall Wizards mailing list archives
RE: Why do I need a firewall?
From: Ben Nagy <bnagy () cpms com au>
Date: Thu, 23 Mar 2000 09:12:58 +1030
-----Original Message-----
> From: Mullen, Matt [mailto:Matt.Mullen () globaldigitalmedia com]
> Sent: Friday, 17 March 2000 2:43 AM
> To: firewall-wizards () nfr net
> Subject: [fw-wiz] Why do I need a firewall?
>
> I have several remote sites that will be Internet connected and I am contemplating putting a dedicated firewall in each one of these locations. I am somewhat of a beginner at this, and I am trying to find justification for the dedicated firewall as opposed to using the externally connected router to filter traffic. None of the remote sites will have any systems on the inside that will need to be accessed from the outside, no web servers, SMTP, etc. Couldn't I get away with running NAT on the router with one global IP address on the outside Internet connection, private non-routable IP addresses on the inside, and then lock down the router further with access lists?
Yes.
> Wouldn't this provide adequate security to keep intruders from the Internet out?
For some definition of "adequate". A properly configured router with ACLs and NAT fixes pretty much all of the pure TCP/IP external entry problems.
> What would be the vulnerabilities in implementing this type of scenario?
The ones you would probably have left with a "dedicated" firewall. Users DL'ing trojaned apps, smart users (or trojans) using HTTP to tunnel anything they like, Denial of Service, malicious Java apps that slay the browser and the host beneath them etc. Using straight packet filters you'll probably need to have some sort of a hole to allow incoming UDP for DNS. If you _must_ use active FTP you'll need to have another.
> Thanks in advance,
> Matt Mullen
> Sr. Network Admin
> GlobalDigitalMedia.com
My _personal_ take (without doing a risk assessment of your remote sites) is that something like a Cisco router with ACLs and NAT - especially now that they do "reflexive" access lists which let you get pretty stateful - is good enough for most sites that don't have externally accessible services. IMNSHO, HTH, YMMV, IANAL etc etc ;)

Cheers!

--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304
Mobile: +61 414 411 520
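The router-only setup discussed above, as an added Cisco IOS configuration sketch that is not part of the thread or of either poster's own configuration: NAT overload behind one global address, reflexive access lists so that only return traffic for sessions the inside opened is admitted, and, for comparison, the static UDP/53 and active-FTP holes a plain packet filter would need instead. Interface names, the 192.168.1.0/24 inside range and the 203.0.113.2 outside address are assumptions (RFC 1918 and RFC 5737 documentation ranges).

```cisco
! Added example, not from the thread. Addresses and interface names are
! assumptions: 192.168.1.0/24 inside (RFC 1918), 203.0.113.2 as the single
! global address on the uplink (RFC 5737 documentation range).
!
interface Ethernet0
 description Inside LAN, private addressing only
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0
 description Internet uplink, one global address
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! Hide every inside host behind the uplink address (PAT, "overload").
ip access-list standard NAT-INSIDE
 permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface Serial0 overload
!
! Outbound: anything the inside starts is allowed, and each session is
! recorded in the temporary list RETURN. The output ACL on the outside
! interface sees post-NAT addresses, so the source is the translated one.
ip access-list extended OUTBOUND
 permit tcp host 203.0.113.2 any reflect RETURN timeout 300
 permit udp host 203.0.113.2 any reflect RETURN timeout 60
 permit icmp host 203.0.113.2 any reflect RETURN timeout 30
 deny ip any any log
!
! Inbound: only replies matching an entry in RETURN get through; anything
! unsolicited is dropped and logged. No standing hole for DNS is needed,
! because the reflexive entry for the outbound query admits its reply.
ip access-list extended INBOUND
 evaluate RETURN
 deny ip any any log
!
! The weaker, pre-reflexive variant: a plain packet filter cannot tie a
! DNS reply to its query, so it must leave a permanent hole for UDP from
! port 53 to any high port, and a second one for active FTP data
! connections (server port 20 connecting inbound). Use only where
! "evaluate" is unavailable, and prefer passive FTP so the second hole
! can be dropped.
ip access-list extended INBOUND-STATIC
 permit tcp any host 203.0.113.2 established
 permit udp any eq domain host 203.0.113.2 gt 1023
 permit tcp any eq ftp-data host 203.0.113.2 gt 1023
 deny ip any any log
```

The contrast is the point: INBOUND admits a UDP/53 reply only while the matching outbound query is still in RETURN, whereas INBOUND-STATIC leaves UDP from source port 53 to every high port open around the clock, which is exactly the "hole" the reply above warns about with straight packet filters.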