Firewall Wizards mailing list archives
Re: Benefit of firewall over NAT-only 'protected' network
From: Paul Robertson <proberts () patriot net>
Date: Wed, 28 May 2003 09:31:34 -0400 (EDT)
On Wed, 28 May 2003, Hugh Blandford wrote:
> Hi Paul et al., I recognise what you are saying, but what I was trying to understand was, are the low-end appliance 'firewalls' really providing much more security than NAT? In a small office/home situation if people are going to use IRC,
My point was that they're able to provide more security, but if you're going to align a security policy with a NAT device, then you're giving up a large part of the point of having a firewall. If we, as a community, can get people to use *firewalls* for *firewalling*, then we'll have done both ourselves and everyone else a better service than to say "oh, just use anything that'll let you connect."
> they would just reconfigure their firewall to do so, after all they own it. I was just trying to get all the 'block xyz outbound' issues out of the way. Can NAT sessions be hijacked or somehow abused to give access to the internal network? There is the case of visiting a hostile website and "inviting in" some problematic programs, but apart from that are the appliance based firewalls doing more than that?
In general, NAT based things aren't written for security, they're written for network re-mapping, so there can be things that escape the author that a firewall author shouldn't miss (or may have tested by a 3rd party for some level of assurance[1]). Firewalls should handle things like source routed packets, overlapping fragments, etc. They also may handle things like VPNs, authentication, "enterprise" policy enforcement, etc.

Paul

[1.] Obviously, I'm highly biased about which certification program a firewall should pass to be on the market. My employer owns ICSA Labs, this list is hosted from there, etc.

-----------------------------------------------------------------------------
Paul D. Robertson          "My statements in this message are personal opinions
proberts () patriot net        which may have no basis whatsoever in fact."
probertson () trusecure com   Director of Risk Assessment, TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
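Two of the checks Paul names that a firewall is expected to perform and a plain NAT box may not, as an added example that is not part of the thread: rejecting IPv4 source-routed packets (LSRR/SSRR header options) and rejecting overlapping IP fragments. The header builder, its addresses and the fragment sets are constructed for the demonstration.

```python
"""Firewall-style sanity checks that a NAT-only device typically skips.

Added example, not code from the mailing-list thread. Implements two
checks mentioned in the reply: source-routed packets and overlapping
fragments. All packets and fragment lists here are constructed.
"""
import struct

LSRR, SSRR = 131, 137  # IPv4 option type codes: loose / strict source route


def ipv4_option_types(packet: bytes) -> list:
    """Return the option type codes present in an IPv4 header."""
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    opts = packet[20:ihl]
    types, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == 0:                        # End of Options List
            break
        if t == 1:                        # No-Operation: single byte
            i += 1
            continue
        types.append(t)
        ln = opts[i + 1] if i + 1 < len(opts) else 0
        if ln < 2:                        # malformed length, stop parsing
            break
        i += ln
    return types


def is_source_routed(packet: bytes) -> bool:
    """True if the header carries an LSRR or SSRR option; a firewall drops these."""
    return any(t in (LSRR, SSRR) for t in ipv4_option_types(packet))


def has_overlapping_fragments(fragments) -> bool:
    """fragments: iterable of (fragment_offset_in_8_byte_units, payload_len_bytes).

    True if two fragments claim the same byte range, the ambiguity that
    lets different reassembly policies see different payloads."""
    spans = sorted((off * 8, off * 8 + ln) for off, ln in fragments)
    return any(s2 < e1 for (_, e1), (s2, _) in zip(spans, spans[1:]))


def build_ipv4_header(options: bytes = b"") -> bytes:
    """Constructed minimal IPv4 header (TCP, constructed addresses), options padded to 4 bytes."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                       0, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1])) + options
```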