NAT and firewall


I had quite an interesting discussion with a colleague today. He insists that if you use NAT, NAT itself must be considered a firewall. This is a statement that I myself have big problems understanding, but sadly I lack arguments, either pro or against considering NAT a firewall solution. Can someone please give me some input regarding this?



NAT is a routing solution, not a firewall solution. It has firewall-like benefits, but it's not a firewall.

NAT can be used for the following methods:

1:1
1:MANY

In a 1:MANY solution you have many users sharing 1 IP, so unsolicited inbound traffic doesn't have any idea where to go on the inside.

In a 1:1 NAT solution, the inbound traffic just passes through, so there is no blocking.

The SOHO NAT solutions you see marketed as firewalls include some limited port forwarding and some outbound port blocking, but they don't know the difference between HTTP and HTTP or FTP; all they know is pass a port or don't pass it.


Which does offer some measure of protection and, when combined with SPI, makes it a firewall (by the original definition of the term). Let's say a one-way firewall.


Saying it's a "one-way" firewall is like saying "the check is in the mail".

Either a firewall blocks ALL unpermitted traffic or it's not a firewall. Since those devices, even with SPI, still allow all outbound, by default, and they can't really be configured to understand the difference between http and ftp, they're not really firewalls.

Don't get me wrong, I think ISPs should implement NAT on every install unless the user requests a public IP, but that still doesn't make it a firewall.
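The forwarding behaviour discussed in the replies above (1:MANY drops unsolicited inbound for lack of a mapping, 1:1 passes it through, outbound is allowed by default), modelled as an added example that is not part of any post in the thread. The class names, the addresses (documentation and private ranges) and the strict per-peer mapping rule are assumptions made for illustration; real NAT devices differ in how tightly they match return traffic.

```python
# Toy model of NAT forwarding decisions. All addresses are constructed samples.
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # constructed public address shared by the inside hosts

@dataclass
class ManyToOneNat:
    """1:MANY NAT (port translation) with a per-flow mapping table."""
    next_port: int = 40000
    # public_port -> (inside_ip, inside_port, remote_ip, remote_port)
    table: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        # No policy check here: every outbound flow gets a mapping by default.
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (src_ip, src_port, dst_ip, dst_port)
        return (PUBLIC_IP, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        entry = self.table.get(dst_port)
        if entry is None:
            return None  # unsolicited: no mapping, so no inside host to deliver to
        inside_ip, inside_port, remote_ip, remote_port = entry
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None  # assumed strict mapping: only the contacted peer matches
        return (inside_ip, inside_port)

@dataclass
class OneToOneNat:
    """1:1 NAT: a static address swap with no state and no filtering."""
    public_ip: str
    inside_ip: str

    def inbound(self, src_ip, src_port, dst_port):
        return (self.inside_ip, dst_port)  # every port reaches the inside host

def demo():
    pat = ManyToOneNat()
    static = OneToOneNat(PUBLIC_IP, "192.168.1.20")
    flow = pat.outbound("192.168.1.20", 51000, "198.51.100.7", 80)
    return {
        "pat_unsolicited": pat.inbound("198.51.100.99", 4444, 3389),
        "pat_reply": pat.inbound("198.51.100.7", 80, flow[1]),
        "pat_outbound_any_port": pat.outbound("192.168.1.20", 51001, "198.51.100.7", 6667),
        "static_unsolicited": static.inbound("198.51.100.99", 4444, 3389),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In the 1:MANY case the drop is a side effect of the missing table entry rather than a policy decision, which is why an outbound flow to any port still gets translated and forwarded.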
