Firewall Wizards mailing list archives

Re: Benefit of firewall over NAT-only 'protected' network


From: "Bill Royds" <Bill () royds net>
Date: Thu, 29 May 2003 19:24:09 -0400

I use a D-link cable modem switch at home. I have looked at it fairly
carefully as a firewall and it seems to be reasonable for an outbound only
network.
It has a default "deny all incoming, allow all outgoing" rule set, but does
allow one to tighten that by switching to deny all out with exceptions in a
table. It logs attempts to connect from outside (but only to a ring buffer
that overwrites earliest entries). It handles FTP properly and can act as a
DHCP client to ISP and DHCP server to LAN.
  For $90CAN, it is a heck of a lot safer than connecting directly to
Internet or even a box that just does NAT.
Of course, you should also be running other security like host based NIDS
and virus scanners on the hosts behind the box. I was running Snort behind
it but only found one or two alerts a day and then only on traffic that was
allowed through (IRC).

----- Original Message ----- 
From: "Paul Robertson" <proberts () patriot net>
To: "Hugh Blandford" <hugh () island net au>
Cc: <firewall-wizards () honor icsalabs com>
Sent: Wednesday, May 28, 2003 9:31 AM
Subject: Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network


: On Wed, 28 May 2003, Hugh Blandford wrote:
:
: > Hi Paul et al.,
: >
: > I recognise what you are saying, but what I was trying to understand was,
: > are the low-end appliance 'firewalls' really providing much more security
: > than NAT?  In a small office/home situation if people are going to use IRC,
:
: My point was that they're able to provide more security- but if you're
: going to align a security policy with a NAT device, then you're giving up
: a large part of the point of having a firewall.  If we, as a community can
: get people to use *firewalls* for *firewalling* then we'll have done both
: ourselves and everyone else a better service than to say "oh, just use
: anything that'll let you connect."
:
: > they would just reconfigure their firewall to do so, after all they own it.
: > I was just trying to get all the 'block xyz outbound' issues out of the way.
: >
: > Can NAT sessions be hijacked or somehow abused to give access to the
: > internal network?  There is the case of visiting a hostile website and
: > "inviting in" some problematic programs, but apart from that are the
: > appliance based firewalls doing more than that?
:
: In general, NAT based things aren't written for security, they're written
: for network re-mapping, so there can be things that escape the author that
: a firewall author shouldn't miss (or may have tested by a 3rd party for some
: level of assurance.[1])
:
: Firewalls should handle things like source routed packets, overlapping
: fragments, etc.  They also may handle things like VPNs, authentication,
: "enterprise" policy enforcement, etc.
:
:
: Paul
: [1.] Obviously, I'm highly biased about which certification program a
: firewall should pass to be on the market.  My employer owns ICSA Labs,
: this list is hosted from there, etc.
: ---------------------------------------------------------------------------
: Paul D. Robertson      "My statements in this message are personal opinions
: proberts () patriot net      which may have no basis whatsoever in fact."
: probertson () trusecure com Director of Risk Assessment TruSecure Corporation
:
: _______________________________________________
: firewall-wizards mailing list
: firewall-wizards () honor icsalabs com
: http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
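The two points the thread turns on, Bill's "deny all incoming, allow all outgoing, with an outbound exception table" default and Paul's remark that a firewall author should not miss source-routed packets and overlapping fragments where a NAT author might, can be made concrete with a small model. The following is an added example written for this archive page; it is not code from the thread, from D-Link, or from ICSA Labs. It is a toy stateful packet filter in Python: packets are dicts constructed inline, fragment offsets are given in bytes rather than the 8-byte units real IPv4 headers use, and the IRC port used as the outbound exception is the thread's own example. Everything runs offline and touches no real network.

```python
"""
Toy stateful packet filter (added example, not from the mailing-list thread).

Models:
  1. Default policy of the consumer box described in the thread: inbound is
     dropped unless it is a reply to a tracked outbound session; outbound is
     allowed unless it is listed in an exception table.
  2. Two checks a firewall author is expected to handle and a NAT-only author
     may overlook: source-routed IP options and overlapping IP fragments.

Simplification: fragment offsets are plain byte offsets (real IPv4 uses
8-byte units), and packets are dicts rather than parsed headers.
"""
from dataclasses import dataclass, field

# IPv4 option type values for Loose and Strict Source Route (RFC 791).
LSRR = 131
SSRR = 137


@dataclass
class Filter:
    # (proto, dst_port) pairs denied outbound despite the allow-all default.
    outbound_deny: set = field(default_factory=set)
    # Connection-tracking table: (proto, inside_ip, inside_port, outside_ip, outside_port).
    sessions: set = field(default_factory=set)
    # Byte ranges already seen per datagram, keyed by (src, dst, ip_id).
    fragments: dict = field(default_factory=dict)
    # Drop log: (reason, src, dst). A real box would write this to a ring buffer.
    log: list = field(default_factory=list)

    def _deny(self, pkt, reason):
        self.log.append((reason, pkt["src"], pkt["dst"]))
        return False

    def _overlaps(self, pkt):
        """True if this fragment overlaps a byte range already seen for its datagram."""
        if "frag_off" not in pkt:
            return False  # not a fragment; nothing to track
        key = (pkt["src"], pkt["dst"], pkt["ip_id"])
        start, end = pkt["frag_off"], pkt["frag_off"] + pkt["length"]
        for s, e in self.fragments.get(key, []):
            if start < e and s < end:
                return True
        self.fragments.setdefault(key, []).append((start, end))
        return False

    def accept(self, pkt, direction):
        """Return True if the packet is forwarded, False if dropped (reason logged)."""
        # Header-level checks apply in both directions, before any policy lookup.
        if any(opt in (LSRR, SSRR) for opt in pkt.get("options", ())):
            return self._deny(pkt, "source-routed")
        if self._overlaps(pkt):
            return self._deny(pkt, "overlapping-fragment")

        proto = pkt["proto"]
        if direction == "out":
            if (proto, pkt["dport"]) in self.outbound_deny:
                return self._deny(pkt, "outbound-policy")
            # Remember the session so the reply is recognised as solicited.
            self.sessions.add((proto, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
            return True

        # Inbound: only replies to tracked sessions pass; everything else is dropped.
        if (proto, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in self.sessions:
            return True
        return self._deny(pkt, "unsolicited-inbound")


def run_demo():
    """Push constructed packets through the filter and return the verdicts."""
    fw = Filter(outbound_deny={("tcp", 6667)})  # thread's example: block IRC outbound

    def out(**fields):
        return fw.accept(dict(proto="tcp", **fields), "out")

    def inb(**fields):
        return fw.accept(dict(proto="tcp", **fields), "in")

    inside, web, probe = "192.168.0.10", "203.0.113.5", "198.51.100.7"  # constructed addresses
    results = {}
    results["web_out"] = out(src=inside, sport=40000, dst=web, dport=80)
    results["web_reply"] = inb(src=web, sport=80, dst=inside, dport=40000)
    results["probe_in"] = inb(src=probe, sport=5555, dst=inside, dport=445)
    results["irc_out"] = out(src=inside, sport=40001, dst="203.0.113.9", dport=6667)
    # Same 5-tuple as the accepted reply, but carrying a source-route option.
    results["lsrr_in"] = inb(src=web, sport=80, dst=inside, dport=40000, options=[LSRR])
    # Two fragments of one datagram whose byte ranges overlap (0-512 and 256-768).
    frag = dict(src=web, sport=80, dst=inside, dport=40000, ip_id=7)
    results["frag1"] = inb(frag_off=0, length=512, **frag)
    results["frag2"] = inb(frag_off=256, length=512, **frag)
    return results, fw.log


if __name__ == "__main__":
    verdicts, log = run_demo()
    for name, ok in verdicts.items():
        print(f"{name:10} {'pass' if ok else 'DROP'}")
    for entry in log:
        print("dropped:", entry)
```

The order of checks is the point: the source-route and fragment tests run before the session lookup, so a packet that matches an established session is still dropped if its headers are malformed. A NAT-only box that consults just its translation table would forward both the source-routed reply and the overlapping fragment, which is the gap Paul is describing.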

