
A true hardware firewall does more than NAT, correct?

TechnoPro

Golden Member
Jul 10, 2003
Granted NAT does offer an additional layer of security, but I was under the impression that a true hardware firewall employed SPI and actually inspected the traffic.

Lately, a lot of people, technical and otherwise, are throwing out how they are behind a hardware firewall when in reality, it usually boils down to a SOHO router providing NAT functionality only.

Even in product descriptions like for this Linksys Router they write "the built-in NAT technology acts as a firewall protecting your internal network."

Is this all an issue of semantics where at the consumer level, a hardware firewall is a NAT device, and at the enterprise level, a hardware firewall is the real deal?
 

Nothinman

Elite Member
Sep 14, 2001
Is this all an issue of semantics where at the consumer level, a hardware firewall is a NAT device, and at the enterprise level, a hardware firewall is the real deal?

It's always an issue of semantics; home users don't know what they need, but they know buzzwords.

A real 'hardware firewall' is usually just a normal box running from a flash ROM with a restricted interface. Some of the Linksys devices run Linux; I'm sure you could find some that run a flavor of BSD if you looked hard enough. My view is probably skewed because I'm a big Linux zealot and I would recommend a Linux or OpenBSD box over most commercial alternatives because of the added control you get, but something like a Secure Computing SideWinder isn't bad either since it's also just a hacked up Unix.

But generally, yes, a good firewall will do more than just NAT and will be able to do things like stateful inspection and usually run some sort of application layer proxy like squid.
 

Carapace

Member
Dec 17, 2000
Good question.
I'd say yes, by definition it creates a barrier between you and the Internet.

Even a fancy Cisco is just a glorified NAT/PAT device......at least that's my opinion.
 

spidey07

No Lifer
Aug 4, 2000
Originally posted by: Carapace
Good question.
I'd say yes, by definition it creates a barrier between you and the Internet.

Even a fancy Cisco is just a glorified NAT/PAT device......at least that's my opinion.

not really. NAT/PAT are just features of a firewall.

The PIX is a true firewall (I forget, but there is some kind of rating all the top ones like Checkpoint and Cisco have).

They examine each and every packet that comes or leaves an interface and determine if it is allowed. They also look at the upper layers of the OSI model to securely allow H.323, FTP and sqlnet, mail that can negotiate source/destination ports above layer 3/4.

They also have other security features to detect things like SYN attacks or other basic signature attacks and shun or block them.

Is a SOHO router a firewall? Not really, but for all intents/purposes you can call it one because it performs the basics of "don't let anything in that is part of an established connection".
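As an added illustration of the "look at the upper layers to allow FTP" point above (this is example code written for this page, not anything from the post or from any vendor's product): a minimal FTP application-layer gateway that watches the control channel for a PORT command, checks that the address the client advertises is the client's own address, and only then opens a pinhole for the server's data connection. The client and server addresses, the port range policy and the return strings are assumptions for the example; the address rewriting a real NAT device would also have to do is left out.

```python
"""Toy FTP ALG: parse PORT commands on the control channel and open a
matching pinhole for the active-mode data connection.

Added example, not code from the thread. Addresses 192.168.1.10 (client)
and 203.0.113.5 (server) are made-up sample values.
"""
import re

# RFC 959 PORT syntax: PORT h1,h2,h3,h4,p1,p2  (port = p1*256 + p2)
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def parse_port_command(line: bytes):
    """Return (ip, port) from a PORT command line, or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class FtpAlg:
    """Tracks one control connection and the pinholes it has negotiated."""

    def __init__(self, client_ip: str, server_ip: str):
        self.client_ip = client_ip
        self.server_ip = server_ip
        # Allowed inbound data connections: (src_ip, src_port, dst_ip, dst_port)
        self.pinholes = set()

    def on_control_data(self, line: bytes) -> str:
        """Inspect one client->server control-channel line."""
        if not line.startswith(b"PORT "):
            return "ignored"  # not a port negotiation, nothing to do
        parsed = parse_port_command(line)
        if parsed is None:
            return "rejected: malformed"
        ip, port = parsed
        if ip != self.client_ip:
            # Client asked the server to connect somewhere else: do not
            # open a hole toward a third host on the client's behalf.
            return "rejected: address mismatch"
        if port < 1024:
            # Policy assumption for the example: no data channel on a
            # privileged port (would let the server hit e.g. port 25).
            return "rejected: privileged port"
        # Active mode: server connects from port 20 to the advertised port.
        self.pinholes.add((self.server_ip, 20, ip, port))
        return "pinhole opened"

    def inbound_allowed(self, src: str, sport: int, dst: str, dport: int) -> bool:
        """Would an inbound SYN with this 4-tuple be admitted?"""
        return (src, sport, dst, dport) in self.pinholes


if __name__ == "__main__":
    alg = FtpAlg("192.168.1.10", "203.0.113.5")
    for line in (b"USER anonymous\r\n",
                 b"PORT 192,168,1,10,4,1\r\n",     # 192.168.1.10:1025, ok
                 b"PORT 10,0,0,7,4,1\r\n",         # points at another host
                 b"PORT 192,168,1,10,0,25\r\n"):   # port 25
        print(line.strip().decode(), "->", alg.on_control_data(line))
    print("server:20 -> client:1025 allowed:",
          alg.inbound_allowed("203.0.113.5", 20, "192.168.1.10", 1025))
```

A production ALG would also expire each pinhole after a timeout or consume it on the first SYN, and would handle PASV/EPRT/EPSV; the point here is only that the device has to read the FTP command itself to know which inbound connection is legitimate, which a port-mapping NAT box never does.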
 

Cheetah8799

Diamond Member
Apr 12, 2001
Is this all an issue of semantics where at the consumer level, a hardware firewall is a NAT device, and at the enterprise level, a hardware firewall is the real deal?

Pretty much...

For most home use, a Linksys/Netgear/DLink router works fine as a firewall. If you want something better though, you could check out the Smoothwall and IPCop firewall linux distros, they are pretty good.
 

Garion

Platinum Member
Apr 23, 2001
To add a bit to what Spidey mentioned. True firewalls support stateful packet inspection:

Stateful inspection is a firewall architecture that works at the network layer. Unlike static packet filtering, which examines a packet based on the information in its header, stateful inspection tracks each connection traversing all interfaces of the firewall and makes sure they are valid. An example of a stateful firewall may examine not just the header information but also the contents of the packet up through the application layer in order to determine more about the packet than just information about its source and destination. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Because of this, filtering decisions are based not only on administrator-defined rules (as in static packet filtering) but also on context that has been established by prior packets that have passed through the firewall.

In short, to look at not just the basic headers but keep track of the session going through the firewall to make sure it's really a valid response. Let's say I connect from my PC on port 22342 to your web server on port 80 and you respond. Most NAT devices will just keep track of those two ports and allow traffic. A packet with Stateful Packet Inspection will go down into the packets and make sure they are really the same TCP session. Otherwise, it would be relatively easy to write a hack that would accept a connection on port 80, then automatically send a SYN attack back to the origin server on the originating port. A normal NAT router would probably just pass it through. Something doing stateful connections, however, would recognize that the SYN attack wasn't a response to a request, so it would get dropped.

Very short answer: Yes, there is a significant difference between a "real" firewall and a simple NAT device, but most users don't need a real firewall - Just businesses or people with something that they really want to protect.

- G
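The scenario in the post above (client port 22342 to server port 80, then a SYN coming back on that same pair), worked through as an added example that is not part of the original post: one class models a port-mapping-only NAT box, the other a stateful TCP tracker keyed on the full 4-tuple. The addresses, the state names and the simplified state machine are assumptions for the illustration, not a description of any particular product.

```python
"""NAT-only port map vs stateful TCP tracking, on a constructed packet sequence.

Added example, not code from the thread. 192.168.1.10 (inside client) and
203.0.113.5 (web server) are made-up sample addresses.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


class NatOnly:
    """Port mapping only: once an outbound flow creates a mapping, anything
    arriving from that remote (ip, port) to the mapped port is passed."""

    def __init__(self):
        self.map = {}  # (remote_ip, remote_port, local_port) -> local_ip

    def handle(self, pkt: Packet, outbound: bool) -> bool:
        if outbound:
            self.map[(pkt.dst, pkt.dport, pkt.sport)] = pkt.src
            return True
        return (pkt.src, pkt.sport, pkt.dport) in self.map


class Stateful:
    """Tracks handshake state per 4-tuple; inbound segments are admitted only
    when they make sense for the state the flow is in."""

    def __init__(self):
        self.table = {}  # (local_ip, local_port, remote_ip, remote_port) -> state

    def handle(self, pkt: Packet, outbound: bool) -> bool:
        if outbound:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            state = self.table.get(key)
            if state is None:
                if pkt.flags == {"SYN"}:
                    self.table[key] = "SYN_SENT"   # new flow starts with a SYN
                    return True
                return False                       # mid-stream segment, no state
            if state == "SYN_RECEIVED" and "ACK" in pkt.flags:
                self.table[key] = "ESTABLISHED"    # third leg of the handshake
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.table.get(key)
        if state is None:
            return False                           # unsolicited inbound
        if "SYN" in pkt.flags:
            # The only legitimate inbound SYN is the SYN-ACK answering our SYN.
            if state == "SYN_SENT" and "ACK" in pkt.flags:
                self.table[key] = "SYN_RECEIVED"
                return True
            return False                           # a fresh SYN is not a reply
        return state in ("SYN_RECEIVED", "ESTABLISHED")


def run_scenario(fw) -> dict:
    """Replay the thread's scenario and record each verdict."""
    client, server = "192.168.1.10", "203.0.113.5"
    syn = Packet(client, 22342, server, 80, frozenset({"SYN"}))
    synack = Packet(server, 80, client, 22342, frozenset({"SYN", "ACK"}))
    ack = Packet(client, 22342, server, 80, frozenset({"ACK"}))
    rogue_syn = Packet(server, 80, client, 22342, frozenset({"SYN"}))  # "SYN attack" back
    unsolicited = Packet(server, 80, client, 40000, frozenset({"SYN"}))
    return {
        "syn_out": fw.handle(syn, True),
        "synack_in": fw.handle(synack, False),
        "ack_out": fw.handle(ack, True),
        "rogue_syn_in": fw.handle(rogue_syn, False),
        "unsolicited_in": fw.handle(unsolicited, False),
    }


if __name__ == "__main__":
    print("NAT only :", run_scenario(NatOnly()))
    print("stateful :", run_scenario(Stateful()))
```

Both devices block the unsolicited SYN to port 40000; only the stateful tracker refuses the SYN arriving on the already-established 22342/80 pair, because a SYN is not a valid segment for a flow in ESTABLISHED. Real trackers also validate sequence numbers and time entries out, which the toy omits.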
 

browner

Junior Member
Sep 3, 2004
Would you recommend the average user run a firewall behind a cheap NAT router?
I have ZA running at the moment but set to accept ANY connections from other LAN IPs (except the router). This allows me to use file/printer sharing while ZA remains on high security. I excluded the router IP so that presumably internet traffic is filtered? Is that correct?
 

Goosemaster

Lifer
Apr 10, 2001
Think of it this way.

Even the cheesiest of firewalls is a decent firewall if you create adequate rules, assuming that we are only regarding the rules and not the device's other weaknesses. However, usually you are limited to the certain OSI layers and detail that your device can look at in the packet.

The better the firewall, the more it can decipher what type and exactly what information is in a packet, and allow or deny based on content. Simple firewalls can block ports and customize port and IP based restrictions. As you look at more and more expensive options, the number of options available start to resemble applications that you see on workstations.

NAT inclusion is just a consequence of having everyone using a consumer router and various workstations behind it. Basically, any external packets must be redirected to the appropriate terminal, including identification related packets, so, to put it simply, they are not as visible from the internet as a directly connected terminal. It is a feature of routers and not of firewalls. Because it is in the same device as the simplistic firewall, "they" just mix and match terms and correspondence at their leisure.

SPI is a feature that allows the firewall to inspect individual packets for compliance with connection rules. Even so, the capacity of your firewall is what determines what it can actually read and understand out of each packet, such as: virus protection, DoS attacks, spoofed addresses etc.


In the end, a firewall is just a gateway there to control incoming and outgoing traffic. The higher the grade of the firewall, the deeper into the packet it can look in search of prerequisites.

 

Goosemaster

Lifer
Apr 10, 2001
Originally posted by: browner
Would you recommend the average user run a firewall behind a cheap NAT router?
I have ZA running at the moment but set to accept ANY connections from other LAN IPs (except the router). This allows me to use file/printer sharing while ZA remains on high security. I excluded the router IP so that presumably internet traffic is filtered? Is that correct?

Damnit... the damn forums deleted my reply :|


Anyways, ZA will cover the upper layers well, such as connection sessions up to application-based rules/group policies. For example, if an FTP client is trying to mess with your FTP server, the cheap NAT box won't know what to do, but ZA might be able to understand an attack and block it. In this case the NAT box might think that it is just redirecting regular FTP traffic, unless it is SPI, and even then, it will probably still get through.

As for your preoccupations, just create a rule. From memory, I believe you can create specific rules based on protocols very easily on the free version of ZA. Just tell it to notify you of connections and ask you what to do every time. Then print, and let it create the rule when it prompts you. Do the same for file sharing. Then, after you have those specific rules, disable the very general rule that allows all traffic to those IPs.


As simple as that.