Firewall Wizards mailing list archives
Re: Benefit of firewall over NAT-only 'protected' network
From: "Bill Royds" <Bill () royds net>
Date: Thu, 29 May 2003 19:24:09 -0400
I use a D-Link cable modem switch at home. I have looked at it fairly carefully as a firewall and it seems to be reasonable for an outbound-only network. It has a default "deny all incoming, allow all outgoing" rule set, but does allow one to tighten that by switching to deny all out with exceptions in a table. It logs attempts to connect from outside (but only to a ring buffer that overwrites earliest entries). It handles FTP properly and can act as a DHCP client to ISP and DHCP server to LAN. For $90CAN, it is a heck of a lot safer than connecting directly to Internet or even a box that just does NAT. Of course, you should also be running other security like host based NIDS and virus scanners on the hosts behind the box. I was running Snort behind it but only found one or two alerts a day and then only on traffic that was allowed through (IRC).

----- Original Message -----
From: "Paul Robertson" <proberts () patriot net>
To: "Hugh Blandford" <hugh () island net au>
Cc: <firewall-wizards () honor icsalabs com>
Sent: Wednesday, May 28, 2003 9:31 AM
Subject: Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network

: On Wed, 28 May 2003, Hugh Blandford wrote:
:
: > Hi Paul et al.,
: >
: > I recognise what you are saying, but what I was trying to understand was,
: > are the low-end appliance 'firewalls' really providing much more security
: > than NAT? In a small office/home situation if people are going to use IRC,
:
: My point was that they're able to provide more security- but if you're
: going to align a security policy with a NAT device, then you're giving up
: a large part of the point of having a firewall. If we, as a community can
: get people to use *firewalls* for *firewalling* then we'll have done both
: ourselves and everyone else a better service than to say "oh, just use
: anything that'll let you connect."
:
: > they would just reconfigure their firewall to do so, after all they own it.
: > I was just trying to get all the 'block xyz outbound' issues out of the way.
: >
: > Can NAT sessions be hijacked or somehow abused to give access to the
: > internal network? There is the case of visiting a hostile website and
: > "inviting in" some problematic programs, but apart from that are the
: > appliance based firewalls doing more than that?
:
: In general, NAT based things aren't written for security, they're written
: for network re-mapping, so there can be things that escape the author that
: a firewall author shouldn't miss (or may have tested by a 3rd party for some
: level of assurance.[1])
:
: Firewalls should handle things like source routed packets, overlapping
: fragments, etc. They also may handle things like VPNs, authentication,
: "enterprise" policy enforcement, etc.
:
:
: Paul
: [1.] Obviously, I'm highly biased about which certification program a
: firewall should pass to be on the market. My employer owns ICSA Labs,
: this list is hosted from there, etc.
: --------------------------------------------------------------------------
: Paul D. Robertson      "My statements in this message are personal opinions
: proberts () patriot net      which may have no basis whatsoever in fact."
: probertson () trusecure com Director of Risk Assessment TruSecure Corporation
:
: _______________________________________________
: firewall-wizards mailing list
: firewall-wizards () honor icsalabs com
: http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
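The difference the thread is circling, a box that only re-maps addresses versus one that enforces a policy, can be shown with a small model. The Python below is an added example, not code from the original post, from D-Link or from any product on the list: it models the rule set Bill describes (default deny inbound, allow outbound, an optional "deny all out with exceptions" table, and a ring-buffer log of blocked inbound attempts) beside a deliberately simplified NAT-only box that forwards anything arriving for an active mapping regardless of who sent it. The addresses, ports and the full-cone NAT behaviour are constructed assumptions for the demonstration, not a description of any particular device.

```python
from collections import deque
from dataclasses import dataclass

# Added example, not from the original post or any D-Link product: a toy model of
# the rule set Bill describes (deny all inbound, allow outbound, optional egress
# exceptions, ring-buffer log) beside a NAT-only box that merely re-maps addresses.
# All addresses, ports and hosts below are constructed sample values.

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

LAN_PREFIX = "192.168.0."   # constructed LAN range

def is_lan(ip):
    return ip.startswith(LAN_PREFIX)

class StatefulFirewall:
    """Inbound is accepted only as the reply half of a flow a LAN host opened.
    Outbound is allowed by default, or restricted to an exception table when
    egress_allow is given (the 'deny all out with exceptions' mode)."""

    def __init__(self, egress_allow=None, log_size=64):
        self.egress_allow = egress_allow    # None: allow all out; else set of (proto, dport)
        self.flows = set()                  # (lan_ip, lan_port, remote_ip, remote_port, proto)
        self.log = deque(maxlen=log_size)   # ring buffer: oldest blocked attempt is overwritten

    def handle(self, pkt):
        if is_lan(pkt.src) and not is_lan(pkt.dst):        # LAN -> Internet
            if self.egress_allow is not None and (pkt.proto, pkt.dport) not in self.egress_allow:
                return "DROP"
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "ACCEPT"
        if not is_lan(pkt.src) and is_lan(pkt.dst):        # Internet -> LAN
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows:
                return "ACCEPT"                            # reply half of an existing flow
            self.log.append(f"blocked inbound {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return "DROP"
        return "ACCEPT"                                    # LAN <-> LAN: not this box's concern

class NatOnly:
    """Constructed simplification of a pure address re-mapper (full-cone style):
    once a LAN endpoint has an active mapping, anything that arrives for that
    mapping is forwarded, whoever sent it. No policy, no logging."""

    def __init__(self):
        self.mapped = set()                 # (lan_ip, lan_port, proto) with an external mapping

    def handle(self, pkt):
        if is_lan(pkt.src) and not is_lan(pkt.dst):
            self.mapped.add((pkt.src, pkt.sport, pkt.proto))
            return "ACCEPT"
        if not is_lan(pkt.src) and is_lan(pkt.dst):
            return "ACCEPT" if (pkt.dst, pkt.dport, pkt.proto) in self.mapped else "DROP"
        return "ACCEPT"

def run_scenario():
    """Replay the same constructed traffic through both boxes; returns the verdicts."""
    lan_host = "192.168.0.10"
    web = Packet(lan_host, 51000, "203.0.113.5", 80)        # LAN opens an HTTP flow
    reply = Packet("203.0.113.5", 80, lan_host, 51000)      # legitimate reply
    stray = Packet("198.51.100.7", 4444, lan_host, 51000)   # unsolicited, aimed at the same LAN port
    irc = Packet(lan_host, 51001, "203.0.113.9", 6667)      # outbound IRC

    fw = StatefulFirewall(log_size=2)
    nat = NatOnly()
    strict = StatefulFirewall(egress_allow={("tcp", 80), ("tcp", 443)})

    out = {
        "fw_open": fw.handle(web), "fw_reply": fw.handle(reply), "fw_stray": fw.handle(stray),
        "nat_open": nat.handle(web), "nat_reply": nat.handle(reply), "nat_stray": nat.handle(stray),
        "default_irc": fw.handle(irc), "strict_irc": strict.handle(irc),
    }
    # More blocked probes than the log can hold: the ring buffer keeps only the newest two.
    for p in (1024, 1025, 1026):
        fw.handle(Packet("198.51.100.7", p, lan_host, 22))
    out["log"] = list(fw.log)
    return out

if __name__ == "__main__":
    for key, verdict in run_scenario().items():
        print(key, verdict)
```

The stray packet is the point of the comparison: both boxes pass the genuine reply, but the NAT-only model forwards the unsolicited packet because it only checks that a mapping exists, while the stateful model drops it because the full 5-tuple does not match any flow a LAN host opened, and records the attempt. The `log_size=2` instance shows the ring-buffer caveat from the post: once the buffer wraps, the earliest entries are gone, so anything that should be investigated later needs to be exported before it is overwritten.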