Routers vs. Firewalls

Some people say home routers are firewalls and others say it is not the same. So, who is right?

Thank you in advance. :)

Reply to
Phillip Pi

Reply to
William L. Sun

By the way, when you (Leythos) say "they can map IP to IP" that is still NAT, just not PAT. Good firewalls can be in NAT/PAT, true routing, or transparent. Home 'routers' are never truly routers. Dig.

Reply to
Munpe Q

Firewall Appliances don't have to have NAT enabled - they can map IP to IP and still provide protection. If the Router you purchase only has NAT and can't protect you once you set up routing in a 1:1 manner, then it's just a NAT router.

Most of the sub $200 devices are just simple NAT boxes that are not Firewall Appliances, but the marketing departments of those vendors have not been challenged, so they keep using the name/term.

For home users a NAT box is sufficient for protecting their computers/network, but not for an office/company.

Reply to
Leythos

NAT IS one to one. I think you are talking about PAT (Port Address Translation)...

There is confusion (deliberate?) about "extra security" when using NAT/PAT. Although this is minorly true, you are right to say it is NOT a firewall.

Also true. Although NAT/PAT breaks some protocols (IPSec, SNMP, FTP (non-passive)). When using NAT/PAT you need special "helper" functionality to make these protocols work...

Reply to
Michael Pelletier

OK. A firewall can only be a firewall if it can somehow filter packets.

There are three GENERAL types of firewalls:
1. Non-stateful (like ACLs on a router without an "established" command)
2. Stateful (most firewalls)
3. Proxy/Application (Layer 7) (Proxy and application firewalls are not exactly the same, but can be grouped because they operate at the same layer 7)

Now, you may have noticed there is no mention of NAT/PAT. Some companies claim (taking advantage of customers) that a NAT/PAT router gives you more security. This is true. It does not give you a huge amount of security, but it does give you additional security. The reason for this is most NAT/PAT devices function by allowing anything out but only established connections in. Hence the "additional" security. ***Special note: STATIC NAT (outside IP mapped to an internal IP) does allow incoming connections in, while PAT does not.

However, a router with NAT/PAT is not a firewall if it does not have some way of filtering packets....

Michael

Reply to
Michael Pelletier
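As an added illustration (not code from any poster in this thread), a toy Python model of the behaviour Michael describes above and that Leythos's 1:1 mapping point touches on: PAT admits only replies to sessions opened from inside, static NAT forwards unsolicited traffic to the mapped host, and only a packet filter on top of that makes the box a firewall. All addresses are constructed documentation-range values; the class and its rules are hypothetical.

```python
from collections import namedtuple

# Constructed 5-tuple; protocol is a string like "tcp", ports are ints.
Packet = namedtuple("Packet", "proto src sport dst dport")


class NatGateway:
    """Toy edge box: PAT for outbound sessions, optional 1:1 static NAT,
    optional inbound packet filter. Hypothetical model, not a real product."""

    def __init__(self, public_ip, static_nat=None, inbound_acl=None):
        self.public_ip = public_ip
        self.static_nat = static_nat or {}  # outside IP -> inside IP (1:1 static NAT)
        self.inbound_acl = inbound_acl      # set of (proto, dport) allowed in; None = no filtering
        self.pat_table = {}                 # public port -> (inside ip, inside port, peer ip, peer port)
        self.next_port = 40000              # next free public source port for PAT

    def outbound(self, pkt):
        """Inside -> outside: always allowed; source rewritten to public_ip:port."""
        port = self.next_port
        self.next_port += 1
        self.pat_table[port] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(pkt.proto, self.public_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Outside -> inside: returns the translated packet, or None if dropped."""
        # A reply to a session we opened matches the PAT table (same peer) -> allowed.
        entry = self.pat_table.get(pkt.dport)
        if pkt.dst == self.public_ip and entry and (pkt.src, pkt.sport) == entry[2:]:
            return Packet(pkt.proto, pkt.src, pkt.sport, entry[0], entry[1])
        # Unsolicited traffic to a static-NAT address: plain NAT forwards it...
        inside = self.static_nat.get(pkt.dst)
        if inside is not None:
            # ...unless the box also filters packets, which is what makes it a firewall.
            if self.inbound_acl is not None and (pkt.proto, pkt.dport) not in self.inbound_acl:
                return None
            return Packet(pkt.proto, pkt.src, pkt.sport, inside, pkt.dport)
        # Unsolicited traffic to the PAT address with no matching session: dropped.
        return None


if __name__ == "__main__":
    gw = NatGateway("203.0.113.1", static_nat={"203.0.113.2": "10.0.0.80"})
    gw.outbound(Packet("tcp", "10.0.0.5", 51000, "198.51.100.9", 80))
    print(gw.inbound(Packet("tcp", "198.51.100.9", 80, "203.0.113.1", 40000)))  # reply: allowed
    print(gw.inbound(Packet("tcp", "192.0.2.7", 1234, "203.0.113.1", 40000)))   # not our peer: None
    print(gw.inbound(Packet("tcp", "192.0.2.7", 1234, "203.0.113.2", 22)))      # static NAT: forwarded
```

Constructing the same gateway with `inbound_acl={("tcp", 80)}` keeps the static mapping but drops the unsolicited tcp/22 packet, which is the filtering step the post says a NAT-only router lacks.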

I am tired of talking about it but I'll throw in my $0.02. You don't have a FW. :)

Maybe it has SPI, some other firewall-like features, can set some policies, can be used in a dedicated FW system and be called part of the solution. But it's not a FW appliance. :)

Duane :)

Reply to
Duane Arnold

Phillip Pi wrote in news:d29qsr$e4f$1@news2.symantec.com:

I am tired of talking about it but I'll throw in my $0.02. You don't have a FW. :)

Maybe it has SPI, some other firewall-like features, can set some policies, can be used in a dedicated FW system and be called part of the solution. But it's not a FW appliance. :)

Duane :)

Reply to
Duane Arnold

Jose Maria Lopez Hernandez wrote in news:42491d60_2@x-privat.org:

You always get what you pay for. Sometimes you get less than what you paid for, but rarely do you get more.

;-)

Reply to
Darko Gavrilovic

A router doesn't even need to do NAT or PAT to be a router, it just must route traffic between two networks. So I think home routers are true routers, but not "good" routers.

Regards.

Reply to
Jose Maria Lopez Hernandez

Yes, but the rest of the world calls the PIX 505 crap.

You might as well use some Linux freeware; the PIX 505 is such an out-of-date, nonfunctional device.

If you want a firewall that deals with today's threats (i.e. not the threats from the early 90s) then look at Fortinet, Netscreen, or Sonicwall.

Reply to
Mark S

Not true anymore. All of the PIXs have a web GUI now... The PIX 501 is a damn good little firewall. Besides, at least the PIX 501 is a REAL firewall compared to these little crappy fake ones.

Michael

Reply to
Michael Pelletier

Hell no! Netscreen is a POS. Sonicwall? Spare me. Fortinet I am not familiar with....

Michael

Reply to
Michael Pelletier

True. However, a device that is utilizing NAT (or PAT) is just a NAT/PAT device; it is NOT a firewall...

Well, since your default route is out to your ISP, having a router there is really pointless. Having a firewall which has a default route pointing to your ISP but is also actively filtering packets is a better idea.

I personally do not like NAT. It is a kludge meant to buy time until IPv6 came out. It breaks many protocols. You need special "helper" software to make Active FTP, SNMP and IPSec work.

Michael

Reply to
Michael Pelletier

It generally boils down to the fact that NAT, which is a networking protocol, behaves in a firewall way (ish), that is, it refuses external connections that haven't been requested.

Home routers are generally better to have at the gateway than any PC, as the attack vectors are that much smaller.

roger

Reply to
Roger Merriman

Routing is the act of switching packets between networks. Firewalling is the act of providing access control between two endpoints, whether those endpoints are entire networks or single devices. A computer with two NICs connected to two different networks and with IP forwarding enabled is a router; not much of one, but nonetheless, it routes.

An enterprise-level router appliance will usually have an extensive feature set that allows a good level of firewalling. An enterprise-level firewall appliance will usually have multiple interfaces to connect different networks, so it must route between those networks. So why do we have both if routers can firewall and firewalls can route? There are many reasons, and these have changed over the years. With the advent of Ethernet switches, network design has changed a great deal, and the manufacturers of these products put feature sets on them that focus on the particular task: routing or firewalling.

The home units combine several technologies into something simple that most people can setup without much trouble. They provide routing, DHCP server, switch ports, and some low level of firewalling, most of which can be automatic for the user, but none of them provide extensive firewall feature sets.

If you really need or want a full-featured firewall, consider a PIX 515 or something similar. I know that the PIX 505 is popular with broadband or DSL users, but this device works on the same principles as the other home devices. It does provide AES encryption (if you need that at home) and has a good firewall feature set that is more extensive than the competitors'. And it NATs/PATs the same way as the others. Put it this way: if I didn't have a 515 for free, I'd buy a 505 because that's all I could afford.

If you decide to use an enterprise firewall and have a broadband connection, check with your ISP and see if you can lease a permanent IP address. Many of them will do it on request but don't advertise the fact. If you can get one (it will cost you, of course), configure one Ethernet interface with the address and connect that interface to your cable modem. Then configure the default route on the firewall to the gateway provided by the ISP. After that, you can address the other interfaces any way you like, something you can't do with the home units, and you can fully control all traffic. If you can't get a permanent IP, your next hope is that the firewall can DHCP one interface only and assign the default route to the appliance as a whole. Either that or you'll find yourself configuring addresses on it a lot.

This is expensive; the enterprise-level units are marketed at corporations, not single users, and it requires knowledge of the individual product line to configure it. Once again, if you're looking at home-level devices, take a look at the Cisco PIX 505. By the way, Cisco calls this a firewall.

-JG

Reply to
jgarner

Unless the 505 is a simple drop-in device that provides all that's needed in a simple-to-manage package, home users should avoid it. I've not done the 505, but if you have to configure it using a text interface like other CISCO hardware, it should be avoided.

Reply to
Leythos

I've not installed any of the small SOHO units in a long time, this is good to know. When it comes to small units I like the WatchGuard, in fact, I like WatchGuard for any firewall solution.

There is also a Brick firewall that I've considered purchasing for testing, but I've not got one yet.

Reply to
Leythos

Yes indeed, it's just, from a very simplistic point of view, acting almost like one.

Mislabeling NAT as a firewall is wrong, I feel, though I do understand why companies might wish to do so.

I have a fairly simple router. Luckily for me I don't run any services through the router, so I don't have to muck about with port forwarding as such. While I have heard this argument before, I still rather like it; for me and others it does work, though I'd imagine it would be a pig to work with in some situations.

roger

Reply to
Roger Merriman

Taking a moment's reflection, Duane Arnold mused:

| I am tired of talking about it but I'll throw in my $0.02.

... so tired, you replied twice. Guess that's US$0.04 ... :-p

Reply to
mhicaoidh

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.