David, First, you should have a good definition of what a firewall is - it's a chokepoint for your network, through which traffic passes and is inspected, and is either allowed or denied according to your security policy. There might be one or more physical and/or logical entities that perform that inspection and validation, but it is logically that single point.
NAT is not a firewall. NAT hides IP addressing schemes from the outside of the firewall, but if you are allowing external connections to a public IP address, and making the translation to an internal IP address, NAT doesn't do a thing for you WRT security. You have the same exposure that you would have with a machine sitting straight on the Internet with a public IP address on it. NAT can be, and usually is, added to a firewall for the other reasons that you stated, but it is not in any sense a security technology.

There are basically two kinds of firewalls - packet filters and application proxies. Some (most anymore, actually) firewalls combine both techniques, to try to get the best protection possible.

Packet filters inspect each packet as it passes through the firewall and apply a set of rules (filters) which describe the security policy in place - this set of addresses can receive packets on that port number from this set of addresses, that set of addresses can receive packets on that set of port numbers from that set of IP addresses, etc.

Stateful Inspection is an advanced form of packet filtering, whereby the firewall keeps state for your traffic, and might or might not do full packet reassembly as well (better firewalls do perform reassembly). Thus, the state of the connection(s) between machines is kept, so that the rules can be applied to a whole conversation, which might involve many sets of ports which are negotiated dynamically. Stateful Inspection makes sure that, for instance, someone doesn't send an ACK packet through your firewall without the earlier parts of the TCP three-way handshake between the endpoint machines having been accomplished.

The shortcoming of a packet filtering firewall is that it doesn't understand the protocol(s) involved in the conversation, so that if someone is abusing it (too many telnet logins, malformed application headers such as overlong SMTP commands, etc.), it can't know that, and it can't protect you against that kind of threat.
Thus the utility of the other major category of firewall - an application proxy. This technique involves writing a set of mini-servers running at your choke point that actually understand the protocol being proxied, such as FTP, SMTP, RealPlayer audio/video, POP3, etc., and make sure that the conversation follows the rules of the protocol. They might even keep track of other protocol-dependent attributes, such as password attempts for services (like telnet) offered on the public interface, and abort a session when they detect too many bogus attempts from a particular source IP address. A proxy also might offer virus checking for email passing through the SMTP, POP3 or IMAP4 proxies, or filter out Java or JavaScript from web traffic.

The shortcoming of a pure application proxy kind of firewall is that it only offers the protocols it understands - if it doesn't know about the new whizbang coffee-machine-control protocol, you can't pass it through until someone writes the proxy for it and enables it on your firewall.

Hope this helps, at least a little, and I also hope this doesn't offend those who know more about firewalls than I do.

Kurt

| -----Original Message-----
| From: David Ellis [mailto:[EMAIL PROTECTED]]
| Sent: Thursday, May 02, 2002 16:02
| To: '[EMAIL PROTECTED]'
| Subject: Nat versus stateful inspection
|
| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
|
| Hi List, I was wondering if someone could clarify something for me. I
| know that NAT was developed with conservation of address space in
| mind and not with security. What are the implications and security
| aspects of just using NAT as a firewall instead of going with a
| stateful inspection firewall? Are there vulnerabilities in NAT, and if
| so, what are they? What are the differences of NAT versus stateful
| inspection, etc.? Any thorough explanations would be greatly
| appreciated, or links to articles, etc.
|
| Sincerely,
| David Ellis
| Systems Engineer
| MCSE, CCSE, CCA, CCNA
|
| -----BEGIN PGP SIGNATURE-----
| Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
|
| iQA/AwUBPNHFK6raIKo8Q3RHEQJ1rACfYosydrUlWVg2/pa4hJCjdQtzeUwAnjOd
| 01Q45VbLYRUGdjqNllgUZ11Q
| =yut+
| -----END PGP SIGNATURE-----
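The four distinctions Kurt draws above (NAT as pure address rewriting, a stateless packet filter, stateful inspection that tracks the TCP three-way handshake, and an application proxy that knows the protocol) can be seen side by side in a small model. This is an added example, not code from the original thread or from any firewall product; the addresses, port-forward mapping, filter rules, packets and SMTP commands are all constructed for illustration, and the connection tracker is deliberately minimal (no timeouts, sequence-number checks or FIN/RST teardown).

```python
"""Toy model of the firewall techniques in the thread: NAT rewriting, a stateless
packet filter, stateful inspection of the TCP handshake and an SMTP application
proxy.  Added example, not from the original post; all addresses, ports, rules,
packets and commands are constructed for illustration."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str            # source IP
    dst: str            # destination IP
    sport: int
    dport: int
    flags: frozenset    # TCP flags, e.g. frozenset({"SYN"})
    payload: bytes = b""

# 0. NAT: pure address rewriting (assumed public -> internal mapping)
PORT_FORWARDS = {("203.0.113.1", 25): ("10.0.0.5", 25)}

def dnat(pkt):
    """Static port-forward: rewrites the destination and nothing else."""
    tgt = PORT_FORWARDS.get((pkt.dst, pkt.dport))
    if tgt is None:
        return None     # no mapping: nothing to deliver (that is not filtering)
    return Packet(pkt.src, tgt[0], pkt.sport, tgt[1], pkt.flags, pkt.payload)

# 1. Stateless packet filter: packets to dst:dport are allowed from sources
#    whose address starts with src_prefix ("" means anyone).  Assumed rules.
RULES = [
    {"dst": "10.0.0.5", "dport": 25, "src_prefix": ""},        # public SMTP
    {"dst": "10.0.0.5", "dport": 23, "src_prefix": "10.0.0."}, # telnet, internal only
]

def stateless_allow(pkt):
    """Per-packet check on addresses and ports; no notion of a conversation."""
    return any(pkt.dst == r["dst"] and pkt.dport == r["dport"]
               and pkt.src.startswith(r["src_prefix"]) for r in RULES)

# 2. Stateful inspection: a packet passes only if it fits the handshake state
#    of a conversation the stateless rules allowed to start.
class StatefulFilter:
    def __init__(self):
        self.conns = {}  # (src, sport, dst, dport) -> state

    def allow(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        f = pkt.flags
        if f == {"SYN"}:                 # new connection: apply the rules once
            if not stateless_allow(pkt):
                return False
            self.conns[fwd] = "SYN_SENT"
            return True
        if f == {"SYN", "ACK"}:          # server answering a SYN we saw
            if self.conns.get(rev) == "SYN_SENT":
                self.conns[rev] = "SYN_RECEIVED"
                return True
            return False
        if "ACK" in f:                   # handshake completion or data
            if self.conns.get(fwd) == "SYN_RECEIVED":
                self.conns[fwd] = "ESTABLISHED"
                return True
            return "ESTABLISHED" in (self.conns.get(fwd), self.conns.get(rev))
        return False                     # anything else has no matching state

# 3. Application proxy: understands SMTP and enforces its rules.
SMTP_VERBS = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"RSET",
              b"NOOP", b"QUIT", b"VRFY"}
MAX_SMTP_LINE = 512  # RFC 5321 4.5.3.1.4: command line incl. CRLF <= 512 octets

def smtp_proxy_check(line):
    """Validate one client command line; returns (allowed, reason)."""
    if len(line) > MAX_SMTP_LINE:
        return False, "overlong command line"
    if not line.endswith(b"\r\n"):
        return False, "command not terminated by CRLF"
    verb = line[:-2].split(b" ", 1)[0].upper()
    if verb not in SMTP_VERBS:
        return False, "unknown SMTP command"
    return True, "ok"

def demo():
    """Run constructed packets and commands through each check."""
    sf = StatefulFilter()
    client, server = "198.51.100.7", "10.0.0.5"
    syn = Packet(client, server, 40000, 25, frozenset({"SYN"}))
    synack = Packet(server, client, 25, 40000, frozenset({"SYN", "ACK"}))
    ack = Packet(client, server, 40000, 25, frozenset({"ACK"}))
    handshake_ok = all([sf.allow(syn), sf.allow(synack), sf.allow(ack)])
    # Bare ACK to the public SMTP address from a host that never did a handshake
    stray = Packet("203.0.113.9", "203.0.113.1", 5555, 25, frozenset({"ACK"}))
    inside = dnat(stray)                 # NAT rewrites it and passes it along
    return {
        "handshake_passes_stateful": handshake_ok,
        "nat_forwards_stray_ack": inside is not None,
        "stray_ack_passes_stateless": stateless_allow(inside),   # True
        "stray_ack_passes_stateful": sf.allow(inside),           # False
        "smtp_ok": smtp_proxy_check(b"EHLO mail.example.com\r\n"),
        "smtp_overlong": smtp_proxy_check(b"HELO " + b"A" * 600 + b"\r\n"),
        "smtp_bogus": smtp_proxy_check(b"FROB something\r\n"),
    }
```

Running demo() shows the point of the thread in one pass: the stray ACK is rewritten by dnat() and accepted by the stateless rule (port 25 from anywhere looks fine packet by packet), but the stateful filter drops it because no SYN/SYN-ACK for that 4-tuple was ever seen; and the overlong HELO, which every packet-level check would pass, is refused only by the SMTP-aware proxy. Production connection trackers also age out entries and follow FIN/RST, which this model omits.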