Firewall Wizards mailing list archives

Re: Why do I need a firewall?


From: Ryan Russell <ryan () securityfocus com>
Date: Wed, 22 Mar 2000 09:18:03 -0800 (PST)

On Thu, 16 Mar 2000, Mullen, Matt wrote:

> I have several remote sites that will be Internet connected and I am
> contemplating putting a dedicated firewall in each one of these locations.
> I am somewhat of a beginner at this, and I am trying to find justification
> for the dedicated firewall as opposed to using the externally connected
> router to filter traffic. None of the remote sites will have any systems on
> the inside that will need to be accessed from the outside, no web servers,
> SMTP, etc. Couldn't I get away with running NAT on the router with one
> global IP address on the outside Internet connection, private non-routable
> IP addresses on the inside, and then lock down the router further with
> access lists? Wouldn't this provide adequate security to keep intruders
> from the Internet out?

It's all a matter of flexibility. People like "real firewalls" because
they tend to handle more protocols, better, and with better logging and
access control. If you've got a real simple set of requirements for
protocols you want to allow, and don't need things like Javascript
filtering, porn site blocking, etc., you might get away with a NAT
router. Even FTP is handled, though not always carefully (check all the
FTP fun lately... NAT routers are almost guaranteed to fall for these
games).

In one design I've done, I've taken Internet-connected branch sites, used
the Internet links solely as a VPN (all traffic is forced onto the
tunnel) and sent everything back to HQ to let it emerge onto the Internet
via a "real" firewall. You might not like the performance hit.

                                Ryan
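The FTP remark above comes down to how a NAT device's FTP helper treats the client's PORT command. As an added illustration (not code from the original post or from any router vendor), the model below puts a naive helper that opens whatever return path the client names beside a strict one that only opens a pinhole back to the requesting client on an unprivileged port and records why it refused; the client address and commands are constructed.

```python
"""Model of an FTP PORT-command helper on a NAT device: the weak 'trust the client'
behaviour beside a strict variant that only opens a pinhole back to the requesting client."""
import re

# RFC 959 PORT syntax: h1,h2,h3,h4,p1,p2 (four address octets, then port = p1*256 + p2)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def parse_port_command(line):
    """Return (ip, port) from a PORT command line, or None if it is malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def naive_pinhole(client_ip, line):
    """Weak helper: opens whatever the client asked for, with no checks against the client."""
    return parse_port_command(line)


def strict_pinhole(client_ip, line):
    """Strict helper: returns ('allow', (ip, port)) or ('deny', reason) so the decision can be logged."""
    parsed = parse_port_command(line)
    if parsed is None:
        return "deny", "malformed PORT command"
    ip, port = parsed
    if ip != client_ip:
        # A pinhole to any other inside host would bypass the router's access lists.
        return "deny", f"PORT address {ip} does not match client {client_ip}"
    if port < 1024:
        # Data connections belong on ephemeral ports, not on a privileged service port.
        return "deny", f"PORT {port} is a privileged port on the client"
    return "allow", (ip, port)


if __name__ == "__main__":
    client = "10.0.0.5"  # constructed inside address behind the NAT router
    for cmd in ("PORT 10,0,0,5,4,1", "PORT 10,0,0,9,0,23"):
        print(cmd, "->", naive_pinhole(client, cmd), strict_pinhole(client, cmd))
```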
