Diff b/w cheap and expensive firewalls

I was wondering if somebody could clarify the difference between a cheap retail firewall, like a D-Link you might get at Staples, and professional-grade firewalls from Symantec or Watchguard. If there is no serving going on behind the firewall (i.e., no virtual server passthrough), is there really a difference in security? Doesn't this eliminate the need for SPI? Are $600 firewalls harder to defeat than $40 firewalls? Is it just the bells and whistles of logging and alerts?

Thanks, tslugmo

Reply to
tslugmo

You need to separate the idea that a router with NAT is a firewall from what a real firewall is/does. Routers with NAT provide a blocking service based on the NAT function, nothing else.

Firewalls may or may not use NAT and provide filtering of traffic based on traffic type (not always a port number) and do it in both directions.

There is a huge difference between a router with NAT and a firewall of any type.

Yes. In one case, there was a sorority that had a NAT system installed; there were 6 machines that were infected with a virus that had its own SMTP server. The infected machines were sending out infected emails directly from their systems, bypassing the internal SMTP server. Had a real firewall been installed (or a properly configured high-end router), SMTP would not have been permitted from the local devices (except the SMTP server) to the internet, or it would have only been permitted from the workstations to the ISP's SMTP server for outbound messages. A generic router would not have prevented this problem from reaching the world.

$600 firewalls, or any firewall that is a real firewall, are harder to defeat when properly configured than ANY router with NAT and SPI, or any router with just NAT.

If you've been reading these groups for a couple weeks you would already know this :-)

Reply to
Leythos

If I don't want anything to initiate access to my network from outside, besides normal responses to HTTP and SMTP requests, do I need to go beyond NAT? If there's no server or remote access going on?

Thanks, tslug

Reply to
tslugmo

In "general" if you have a NAT device that also supports SPI, and you have no ports forwarded inbound, and the device is not a wireless device, then you are about as safe from unsolicited inbound as you can get without buying a real firewall.

This method does nothing to control rogue web sites, infected email, or already compromised machines in your network.

The NAT with SPI will ensure that only things your computer contacts will be able to communicate with it.

Reply to
Leythos

What about NAT w/o SPI? If that's not safe, can you explain why not?

Thanks for your patience, tslug

Reply to
tslugmo

From what I understand, there are issues without SPI that allow an attacker to ride the inbound port that is being used by the local and remote client to communicate. This means that an anonymous system, if it could determine what ports your computer was using to talk with another computer, could ride in on that same port.

I could be wrong; it's not an area that I have studied. I have also never seen a NAT system compromised by not having NAT w/SPI.

Reply to
Leythos
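The following is an added example, not code from any poster in this thread, that models the three devices the discussion contrasts: a stateless NAT that forwards anything arriving on a mapped port, a NAT with stateful packet inspection (SPI) that only admits the reverse of a flow an inside host opened, and a real firewall that adds an egress policy (only the mail server may speak SMTP, as in the sorority example above). All hosts, ports and the "full cone" NAT behaviour are constructed simplifications for illustration; the external port is assumed to equal the inside source port.

```python
from dataclasses import dataclass

# Constructed addresses for the scenario (assumed, not from the thread).
MAIL_SERVER = "10.0.0.2"      # the one inside host that should send SMTP
WORKSTATION = "10.0.0.7"      # an inside workstation (assumed infected)
WEB_SERVER = "203.0.113.10"   # an outside web site the workstation browses
MAIL_RELAY = "203.0.113.25"   # an outside SMTP server
ATTACKER = "198.51.100.9"     # an unrelated outside host


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NatOnly:
    """Stateless NAT (full-cone model): once an inside host uses a port, the
    port is mapped and ANY outside host that hits it is forwarded in."""

    def __init__(self):
        self.mapped = {}  # external port -> inside host that owns it

    def outbound(self, p: Packet) -> bool:
        self.mapped[p.sport] = p.src
        return True

    def inbound(self, p: Packet) -> bool:
        # Only the destination port is checked; who sent it is ignored.
        return p.dport in self.mapped


class NatSpi:
    """NAT with stateful inspection: an inbound packet is accepted only if it
    is the exact reverse of a 5-tuple flow an inside host initiated."""

    def __init__(self):
        self.flows = set()

    def outbound(self, p: Packet) -> bool:
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return True

    def inbound(self, p: Packet) -> bool:
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        return reverse in self.flows


class Firewall(NatSpi):
    """Stateful inspection plus an explicit egress policy: outbound TCP/25 is
    permitted only from the hosts listed as mail servers."""

    def __init__(self, smtp_senders):
        super().__init__()
        self.smtp_senders = set(smtp_senders)

    def outbound(self, p: Packet) -> bool:
        if p.proto == "tcp" and p.dport == 25 and p.src not in self.smtp_senders:
            return False  # a workstation running its own SMTP engine is dropped here
        return super().outbound(p)


def run_scenarios():
    """Push the same constructed traffic through each device and record verdicts."""
    browse = Packet("tcp", WORKSTATION, 51000, WEB_SERVER, 80)       # normal HTTP request
    reply = Packet("tcp", WEB_SERVER, 80, WORKSTATION, 51000)        # the legitimate reply
    rider = Packet("tcp", ATTACKER, 4444, WORKSTATION, 51000)        # unsolicited, same inside port
    spam = Packet("tcp", WORKSTATION, 51001, MAIL_RELAY, 25)          # infected workstation sends mail
    legit_mail = Packet("tcp", MAIL_SERVER, 40000, MAIL_RELAY, 25)   # the real mail server sends mail

    devices = (("nat_only", NatOnly()), ("nat_spi", NatSpi()), ("firewall", Firewall([MAIL_SERVER])))
    results = {}
    for name, dev in devices:
        dev.outbound(browse)  # the workstation opens the HTTP flow first
        results[name] = {
            "reply": dev.inbound(reply),
            "rider": dev.inbound(rider),
            "spam": dev.outbound(spam),
            "legit_mail": dev.outbound(legit_mail),
        }
    return results


if __name__ == "__main__":
    for device, verdicts in run_scenarios().items():
        print(device, verdicts)
```

Only the stateless NAT forwards the unsolicited "rider" packet; both stateful devices reject it because the attacker's address and port do not match any flow the workstation opened. Only the firewall stops the workstation's outbound SMTP while still letting the designated mail server send, which is the egress control a NAT router of either kind does not provide.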

Thanks for the correction, I knew there was something out there like that, but I didn't remember what it was.

Reply to
Leythos

You confuse SPI with TCP sequence numbers. No half-decent implementation is vulnerable to that.

Reply to
Mailman
