Firewall Wizards mailing list archives
Order of Firewall<->NAT - Summation
From: Bob Washburne <rcwash () concentric net>
Date: Sun, 26 Aug 2001 12:37:31 -0400
A while back we had a thread about whether it was better to place a firewall before or after the NAT. The following is the summation of the pros, cons and issues. In the setup I am experimenting with it was proposed to have two separate systems used to secure a LAN from the Internet. The configuration is to look something like this: Internet <--> NAT <--> Firewall <--> LAN The NAT machine is a 486 DX2 66 running Open BSD and nothing else. The Firewall is a P166 running Open BSD and configured as a bridge. The LAN uses a non-routable IP subnet. This configuration has the following advantages: -) Have non-routable IP addresses, the LAN cannot be directly accessed/attacked from the Internet. -) Being a bridge, the firewall has no IP address and so cannot be accessed/attacked from the Internet. -) The NAT has no services, so any packet sent directly to it (i.e., not sent in responce to a translated packet from the LAN and thus a potential attack) is simply discarded. -) The only way for an attacker to access the LAN is to crack the NAT and launch from there. But the question arose as to whether it was better to place the firewall forward between the NAT and the Internet rather than behind the NAT. I.E., is this: Internet <--> Firewall <--> NAT <--> LAN better than this: Internet <--> NAT <--> Firewall <--> LAN In one sence, it makes no difference. Since the NAT machine offers no services it simply drops all packets sent directly to it as if it were a firewall. So the packets leaving the NAT would be the same no matter which side the Firewall was on. In another sence, it make no difference since the Open BSD NAT requires that IPFiltering be enabled. So you have an IPFilter out in front of the NAT whether or not you want it. But there does seem to be two issues which differ depending on the Firewall placement. 1) IDS. If you place the Firewall in front, then you will see all the traffic hitting your system. Good if you need to justify your work to management ("See what we are protecting against!"). If you place the Firewall to the rear then the only traffic you will see is what came through the NAT. Good if you only want to see what's getting through. 2) Potential port DOS. Let's take the situation where something like Code Red gets through as an email attachment and the user is foolish enough to run it. The virus/worm now tries to send packets on port 1337 back to Central Control. But your Firewall is tightly configured and the packets are summarily sent to the bit-bucket. If the Firewall is behind the NAT, then the NAT never sees the packet and all is well. But if the Firewall is in front of the NAT, then the NAT dutifully translates the packet and reserves a port for the responce. A responce which will never come because the Firewall killed the packet on its way out the door. So that port number is tied up for a while. Now, the NAT will eventually time out and release the port it used back to the pool. But if the virus/worm is insistant enough it is concievable that all the ports available to the NAT could be taken up before they start to time out and you have Denial of Service. I grant that this is an unlikely situation, but I am stretching to find any substantive difference in the Firewall placement. I believe the bottom line is that with Open BSD you must set up a firewall on the NAT machine and so you will have the full packet visability/recording if you wish to use it. The seperate Firewall after the NAT should be almost useless, acting only as a miner's canary to tell you when something bad has happened. If someone should crack into the NAT, then the firewall would detect, stop and report any attempt to access the LAN. If something got through to the LAN and tried to report out, the Firewall would detect, stop and report that activity as well. So the Firewall itseld would act as an IDS without the need for installing any IDS software. Can anyone think of anything to add to this? Thanks for all the input. Bob Washburne _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- ISA server versus PIX John Scheidemantel (Aug 26)
- Order of Firewall<->NAT - Summation Bob Washburne (Aug 27)
- RE: Order of Firewall<->NAT - Summation Rocky Stefano (Aug 28)
- Re: Order of Firewall<->NAT - Summation Bob (Aug 29)
- Re: Order of Firewall<->NAT - Summation Paul Armstrong (Aug 31)
- RE: Order of Firewall<->NAT - Summation Rocky Stefano (Aug 28)
- Order of Firewall<->NAT - Summation Bob Washburne (Aug 27)
- Re: ISA server versus PIX R. DuFresne (Aug 31)