Firewall Wizards mailing list archives

Order of Firewall<->NAT - Summation


From: Bob Washburne <rcwash () concentric net>
Date: Sun, 26 Aug 2001 12:37:31 -0400

A while back we had a thread about whether it was better to place a
firewall before or after the NAT.  The following is the summation of the
pros, cons and issues.

In the setup I am experimenting with it was proposed to have two
separate systems used to secure a LAN from the Internet.  The
configuration is to look something like this:

Internet <--> NAT <--> Firewall <--> LAN

The NAT machine is a 486 DX2 66 running Open BSD and nothing else.

The Firewall is a P166 running Open BSD and configured as a bridge.

The LAN uses a non-routable IP subnet.

This configuration has the following advantages:
-) Having non-routable IP addresses, the LAN cannot be directly
accessed/attacked from the Internet.
-) Being a bridge, the firewall has no IP address and so cannot be
accessed/attacked from the Internet.
-) The NAT has no services, so any packet sent directly to it (i.e., not
sent in response to a translated packet from the LAN and thus a
potential attack) is simply discarded.
-) The only way for an attacker to access the LAN is to crack the NAT
and launch from there.

But the question arose as to whether it was better to place the firewall
forward between the NAT and the Internet rather than behind the NAT. 
I.E., is this:

Internet <--> Firewall <--> NAT <--> LAN

better than this:

Internet <--> NAT <--> Firewall <--> LAN


In one sense, it makes no difference.  Since the NAT machine offers no
services it simply drops all packets sent directly to it as if it were a
firewall.  So the packets leaving the NAT would be the same no matter
which side the Firewall was on.

In another sense, it makes no difference since the Open BSD NAT requires
that IPFiltering be enabled.  So you have an IPFilter out in front of
the NAT whether or not you want it.

But there do seem to be two issues which differ depending on the
Firewall placement.

1) IDS.  If you place the Firewall in front, then you will see all the
traffic hitting your system.  Good if you need to justify your work to
management ("See what we are protecting against!").  If you place the
Firewall to the rear then the only traffic you will see is what came
through the NAT.  Good if you only want to see what's getting through.

2) Potential port DOS.  Let's take the situation where something like
Code Red gets through as an email attachment and the user is foolish
enough to run it.  The virus/worm now tries to send packets on port 1337
back to Central Control.  But your Firewall is tightly configured and
the packets are summarily sent to the bit-bucket.
        If the Firewall is behind the NAT, then the NAT never sees the packet
and all is well.  But if the Firewall is in front of the NAT, then the
NAT dutifully translates the packet and reserves a port for the
response.  A response which will never come because the Firewall killed
the packet on its way out the door.  So that port number is tied up for
a while.
        Now, the NAT will eventually time out and release the port it used back
to the pool.  But if the virus/worm is insistent enough it is
conceivable that all the ports available to the NAT could be taken up
before they start to time out and you have Denial of Service.
        I grant that this is an unlikely situation, but I am stretching to find
any substantive difference in the Firewall placement.

I believe the bottom line is that with Open BSD you must set up a
firewall on the NAT machine and so you will have the full packet
visibility/recording if you wish to use it.  The separate Firewall after
the NAT should be almost useless, acting only as a miner's canary to
tell you when something bad has happened.  If someone should crack into
the NAT, then the firewall would detect, stop and report any attempt to
access the LAN.  If something got through to the LAN and tried to report
out, the Firewall would detect, stop and report that activity as well.

So the Firewall itself would act as an IDS without the need for
installing any IDS software.

Can anyone think of anything to add to this?

Thanks for all the input.

Bob Washburne
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
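The port-exhaustion scenario in point 2 above, modelled as an added example (not the poster's code or an OpenBSD configuration): a NAT with a fixed, constructed pool of 64 translation ports and a 60-second idle timeout is fed the same outbound worm traffic with the firewall placed behind the NAT and in front of it, and the number of reserved ports is compared.

```python
# Added illustration (not the author's code) of the port-exhaustion argument:
# a NAT with a fixed pool of translation ports under the two placements.
#   "behind": Internet <-> NAT <-> Firewall <-> LAN  (outbound meets firewall first)
#   "front":  Internet <-> Firewall <-> NAT <-> LAN  (outbound meets the NAT first)
from dataclasses import dataclass, field

@dataclass
class Nat:
    pool: list            # free translation ports
    timeout: float        # idle seconds before a mapping is released
    table: dict = field(default_factory=dict)   # nat_port -> time of last use

    def expire(self, now):
        for port, last in list(self.table.items()):
            if now - last >= self.timeout:
                del self.table[port]
                self.pool.append(port)

    def translate(self, now):
        """Reserve a port for a new outbound flow; None when the pool is empty."""
        self.expire(now)
        if not self.pool:
            return None
        port = self.pool.pop()
        self.table[port] = now
        return port

def simulate(placement, flows, pool_size=64, timeout=60.0, blocked=(1337,)):
    """flows: (time, dst_port) for each new outbound connection attempt."""
    nat = Nat(pool=list(range(10000, 10000 + pool_size)), timeout=timeout)
    stats = {"fw_dropped": 0, "nat_exhausted": 0, "passed": 0}
    for t, dport in flows:
        if placement == "behind" and dport in blocked:  # NAT never sees the packet
            stats["fw_dropped"] += 1
            continue
        if nat.translate(t) is None:                    # pool empty: web flows fail too
            stats["nat_exhausted"] += 1
            continue
        if dport in blocked:                            # "front": dropped only after
            stats["fw_dropped"] += 1                    # the NAT reserved a port
            continue
        stats["passed"] += 1
    stats["ports_in_use"] = len(nat.table)
    return stats

# Constructed traffic: 100 worm connection attempts to port 1337 within 10 s,
# then one legitimate web connection before the NAT timeout has elapsed.
WORM_THEN_WEB = [(i * 0.1, 1337) for i in range(100)] + [(11.0, 80)]
```

With the firewall behind the NAT no port is ever reserved for the worm; with it in front, the worm fills the pool and the later web connection is refused until the mappings time out.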