Ben Ryan wrote:
> 
> From the responses which I agree with on the whole, I don't 
> think any valid reasons have been given as to why a firewall
> is superior to a NAT box.

Hmmm.. does your NAT box support active FTP out of your protected network?
Wanna bet it's vulnerable to data channel vulnerabilities?
(i.e. anyone can open any connection to your "protected" computers)

Does your NAT box handle these new flashy multimedia protocols
that open streams in all directions? Wanna bet they're exploitable
too?

How well does your NAT box handle connection closing? If you open
a connection out through the NAT, can I then, as the recipient, keep 
it open after your computer thinks that it's closed, and start 
sending SYNs back in through the NAT device and wait until some 
RPC service or something starts listening on that port?

Does your NAT device correctly block firewalking attempts?
On portmapped servers behind the device?
Back through dynamically opened connections to the outside?

Can your NAT device LIMIT what kind of traffic that you can
send to the outside world? If you've got a trojan sitting
on your network (received through mail, whatever) it'll
likely try to communicate with the outside world. If your
firewall can block and alarm that traffic, you've bought
yourself time.

Does your NAT device do audit logging, so that you have
some sort of chance of detecting suspicious behavior?
No, thought not.

... want me to go on? :)


What it basically boils down to is this:
If the product wasn't designed for security, top down, 
don't use it for security purposes, if security
is what you need.
A generic "NAT device" is designed for functionality,
not security. Believe me, I know. I've ripped the guts
out of more than one of those boxes. They all make the
same mistakes. Does "The early versions of the Windows 
IP stack" ring a bell?

... This of course assumes that you need "security". 
If you're a Joe User sitting at home, a NATting box
is probably gonna get you all security that a "real"
firewall would, since Joe User is going to click
on any .exe file he gets in his inbox, as long as
it is "porn.exe" or "fun.exe", or whatever. 


Hmm.. wonder if there's a market for "Pavlov Firewalls";
zap the user with a quick 1000-volt shock every time
they do something stupid. Of course, the definition
of stupid would entirely be up to The BOFH(tm), which, 
of course, would also have Centralized Administration(tm)
of all firewalls available to him ;)

/Mike
... only 1500 more mailing list messages to go before
I've caught up with my two-week break. Eww.

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00         Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se        E-mail: [EMAIL PROTECTED]
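Added example, not code from the post above or from any real product: a toy Python model of the connection-closing point Mike raises (a mapping that outlives the inside host's close) and of the audit-logging point. `ToyNat`, `Mapping` and `closed_session_probe` are invented names; all addresses and ports are constructed.

```python
# Added example (not from the original post or any real product): a toy NAT
# gateway contrasting a table that expires only on idle timeout with one that
# follows the TCP close handshake. Addresses and ports are constructed.
from dataclasses import dataclass

@dataclass
class Mapping:
    inside: tuple                 # (private ip, private port)
    peer: tuple                   # (remote ip, remote port) the session went to
    state: str = "ESTABLISHED"    # ESTABLISHED -> FIN_WAIT -> CLOSED

class ToyNat:
    def __init__(self, stateful):
        self.stateful = stateful  # True: track TCP state; False: plain NAT
        self.table = {}           # public port -> Mapping
        self.log = []             # audit trail a plain NAT box never keeps
        self._next_port = 40000

    def outbound(self, src, sport, dst, dport, flags):
        """Packet leaving the private network: allocate or reuse a mapping."""
        for pport, m in self.table.items():
            if m.inside == (src, sport) and m.peer == (dst, dport):
                if self.stateful and "FIN" in flags:
                    m.state = "FIN_WAIT"      # inside host started closing
                return pport
        pport, self._next_port = self._next_port, self._next_port + 1
        self.table[pport] = Mapping((src, sport), (dst, dport))
        return pport

    def inbound(self, src, sport, pport, flags):
        """Packet arriving on a public port; return the inside target or None."""
        m = self.table.get(pport)
        if m is None:
            self.log.append(f"DROP no mapping {src}:{sport} -> :{pport}")
            return None
        if self.stateful:
            bare_syn = "SYN" in flags and "ACK" not in flags   # new-session attempt
            if m.peer != (src, sport) or bare_syn or m.state == "CLOSED":
                self.log.append(f"DROP invalid {src}:{sport} -> :{pport} {sorted(flags)}")
                return None
            if "FIN" in flags and m.state == "FIN_WAIT":
                m.state = "CLOSED"            # both sides closed: mapping is dead
        return m.inside  # plain NAT forwards anything that matches the public port

def closed_session_probe(stateful):
    """Inside host opens and closes a session; the peer then sends a SYN back."""
    nat = ToyNat(stateful)
    pport = nat.outbound("10.0.0.7", 51000, "198.51.100.9", 80, {"SYN"})
    nat.inbound("198.51.100.9", 80, pport, {"SYN", "ACK"})
    nat.outbound("10.0.0.7", 51000, "198.51.100.9", 80, {"FIN", "ACK"})
    nat.inbound("198.51.100.9", 80, pport, {"ACK"})  # peer ACKs but never closes
    return nat.inbound("198.51.100.9", 80, pport, {"SYN"}), nat.log
```

With `stateful=False` the late SYN is translated straight to the inside host and nothing is logged; with `stateful=True` it is dropped and leaves a log line to alarm on.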