Firewall Wizards mailing list archives
Re: Why do I need a firewall?
From: Ryan Russell <ryan () securityfocus com>
Date: Wed, 22 Mar 2000 09:18:03 -0800 (PST)
On Thu, 16 Mar 2000, Mullen, Matt wrote:
I have several remote sites that will be Internet connected and I am contemplating putting a dedicated firewall in each one of these locations. I am somewhat of a beginner at this, and I am trying to find justification for the dedicated firewall as opposed to using the externally connected router to filter traffic. None of the remote sites will have any systems on the inside that will need to be accessed from the outside, no web servers, smtp, etc. Couldn't I get away with running NAT on the router with one global IP address on the outside Internet connection, private non-routable IP addresses on the inside, and then lock down the router further with access lists? Wouldn't this provide adequate security to keep intruders from the Internet out?
It's all a matter of flexibility. People like "real firewalls" because they tend to handle more protocols, better, and with better logging and access control. If you've got a real simple set of requirements for protocols you want to allow, and don't need things like Javascript filtering, porn site blocking, etc., you might get away with a NAT router. Even FTP is handled, though not always carefully (check all the FTP fun lately... NAT routers are almost guaranteed to fall for these games.)

In one design I've done, I've taken Internet-connected branch sites, used the Internet links solely as a VPN (all traffic is forced onto the tunnel) and sent everything back to HQ to let it emerge onto the Internet via a "real" firewall. You might not like the performance hit.

Ryan