RE: Why do I need a firewall?

[Ben Nagy <bnagy () cpms com au>]

> -----Original Message-----
> From: Mullen, Matt [mailto:Matt.Mullen () globaldigitalmedia com]
> Sent: Friday, 17 March 2000 2:43 AM
> To: firewall-wizards () nfr net
> Subject: [fw-wiz] Why do I need a firewall?
>
>
> I have several remote sites that will be Internet connected and I am
> contemplating putting a dedicated firewall in each one of 
> these locations.
> I am somewhat of a beginner at this,  and I am trying to find 
> justification
> for the dedicated firewall as opposed to using the externally 
> connected
> router to filter traffic.  None of the remote sites will have 
> any systems on
> the inside that will need to be accessed from the outside,  
> no web servers,
> smtp, etc.   Couldn't I get away with running NAT on the 
> router with one
> global IP address on the outside Internet connection, private 
> non-routable
> IP addresses on the inside,  and then lock down the router 
> further with
> access lists?  

Yes.

> Wouldn't this provide adequate security to 
> keep intruders
> from the Internet out?   

For some definition of "adequate". A properly configured router with ACLs
and NAT fixes pretty much all of the pure TCP/IP external entry problems.

> What would be the vulnerabilities in 
> implementing
> this type of scenario?  

The ones you would probably have left with a "dedicated" firewall. Users
DL'ing trojaned apps, smart users (or trojans) using HTTP to tunnel anything
they like, Denial of Service, malicious Java apps that slay the browser and
the host beneath them etc. Using straight packet filters you'll probably
need to have some sort of a hole to allow incoming UDP for DNS. If you
_must_ use active FTP you'll need to have another.
 
> Thanks in advance,
>
> Matt Mullen 
> Sr. Network Admin
> GlobalDigitalMedia.com

My _personal_ take (without doing a risk assessment of your remote sites) is
that something like a Cisco router with ACLs and NAT - especially now that
they do "reflexive" access lists which let you get pretty stateful - is good
enough for most sites that don't have externally accessible services.

IMNSHO, HTH, YMMV, IANAL etc etc ;)

Cheers!

--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520