March 12th, 2006, 10:42 AM
NAT vs. Firewall
I recently got the following question. I agree with it as long as the port mapping or port forwarding function of the router is not turned on.
"Peter has subscribed to a broadband service and he has recently bought a router to share the Internet connection with his parents. He claims: since the router has a built-in Network Address Translation (NAT) Function, his computers in the network are secure and so there is no need to install a firewall. Do you agree with his claim?"
March 13th, 2006, 01:13 AM
I sort of half agree. If you turn off port forwarding and mapping you will probably not need to have a firewall, as long as the router's security is intact, because if the router is compromised then everything can be turned back on again, etc. But the same could be said for the firewall if it is compromised (though there is generally much less chance of a firewall being compromised).
Originally Posted by poyeah
But another reason you might want a router is to stop SYN floods, or at least be able to detect them, and to be able to detect (and block) things like ACK/FIN/XMAS/NULL scans, and maybe even stop reverse-connecting trojans.
So I wouldn't say that you need a firewall in his case if he doesn't start downloading porn and the complementary viruses, but NAT is not enough to compensate for a firewall, because you cannot specify rules for NAT, only what is mapped/forwarded (but I may just be talking out of my *** here).
As always, take what I say with a pinch of salt, though.
March 13th, 2006, 01:34 AM
Thank you very much, you are helpful.
I would strongly disagree. Here's the deal: NAT (static or dynamic) is a one-to-one translation, meaning that if you NAT a device behind the router you have totally just mapped that backend device to the public address and everything can come right into that box, so you had better have a firewall.

So let's say they use the correct terminology, which is PAT (or address overloading), which hides your IP address from the Internet only when there are no connections out. Once you open a connection to the Internet (like opening IE to Google or whatever), PAT makes a dynamic mapped connection from that port to your PC (basically you are port forwarding everything from the public address and the port it's using to the backend client, unlike NAT, which passes all the ports to the single backend box). Now anyone can scan your router and get directly to your PC through that port.

A packet filtering firewall (like an ACL) will block traffic from a certain source or destination IP address or port, so basically suxxors. Unlike NAT and packet filtering firewalls, a stateful inspection firewall will watch the TCP session and will only allow responses back in from the host you initiated the session with, so even if someone sees the port open the firewall will drop the hacker's initiating TCP SYN request from coming in, as he is not part of a TCP session you initiated. With UDP it uses a timer since there is no session to track. Firewall 101.
Last edited by juniperr; May 23rd, 2006 at 04:16 PM.
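An added illustration (not part of the original thread, and not code from any poster) of the distinction the post above draws. It models three things in Python with constructed, documentation-range addresses: a PAT table that maps one public port per inside flow, a stateless ACL that can only admit replies by permitting everything to that public port, and a stateful tracker that admits an inbound packet only if it matches the reverse of a session the inside host opened, with a timer for UDP. The PAT is modelled full-cone, i.e. any remote host may send to a mapped port, because that is the behaviour the post describes; real router implementations vary, and many also check the remote address. The hosts, ports, the 30-second UDP timeout and every packet are made up for the example.

```python
from dataclasses import dataclass

SYN, ACK, RST = "SYN", "ACK", "RST"

# Constructed addresses (RFC 5737 documentation ranges), not real hosts.
PUBLIC_IP = "203.0.113.5"      # router WAN address
INSIDE_PC = "192.168.1.10"     # the PC behind the router
WEB_SERVER = "198.51.100.20"   # a site the PC connects to
DNS_SERVER = "198.51.100.53"
ATTACKER = "198.51.100.99"     # host scanning the router's public address
UDP_TIMEOUT = 30.0             # assumed: seconds a UDP pseudo-session stays open


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()    # TCP flag names; empty for UDP and for a NULL scan


class Pat:
    """Port-overloading NAT: one public IP, one public port per inside flow.
    Modelled full-cone (any remote host may send to a mapped port), as the post describes."""

    def __init__(self):
        self._next_port = 40000
        self._inside = {}             # (proto, public port) -> (inside ip, inside port)

    def outbound(self, pkt):
        pub = self._next_port
        self._next_port += 1
        self._inside[(pkt.proto, pub)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, PUBLIC_IP, pub, pkt.dst, pkt.dport, pkt.flags)

    def inbound(self, pkt):
        """Rewrite a packet addressed to a mapped public port to the inside host, else None."""
        hit = self._inside.get((pkt.proto, pkt.dport))
        if hit is None or pkt.dst != PUBLIC_IP:
            return None
        return Packet(pkt.proto, pkt.src, pkt.sport, hit[0], hit[1], pkt.flags)


class Acl:
    """Stateless packet filter: rules are (proto, src, dst, dport); None means any."""

    def __init__(self, rules):
        self.rules = rules

    def permits(self, pkt):
        return any(p in (None, pkt.proto) and s in (None, pkt.src)
                   and d in (None, pkt.dst) and dp in (None, pkt.dport)
                   for p, s, d, dp in self.rules)


class StatefulFilter:
    """Admits inbound packets only if they answer a session the inside host opened."""

    def __init__(self, now):
        self.now = now                # injectable clock so the UDP timer is testable
        self.tcp = {}                 # (in ip, in port, remote ip, remote port) -> state
        self.udp = {}                 # same key -> time of last outbound datagram

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.proto == "udp":
            self.udp[key] = self.now()
        elif SYN in pkt.flags and ACK not in pkt.flags:
            self.tcp[key] = "SYN_SENT"  # new session initiated from inside

    def permits_inbound(self, pkt):
        """pkt is already translated to the inside address; match the reverse tuple."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.proto == "udp":
            last = self.udp.get(key)
            if last is None or self.now() - last > UDP_TIMEOUT:
                self.udp.pop(key, None)
                return False
            return True
        state = self.tcp.get(key)
        if state is None:
            return False              # unsolicited: SYN, NULL and XMAS probes all land here
        if RST in pkt.flags:
            del self.tcp[key]         # peer aborted; let the RST through and forget the session
            return True
        if state == "SYN_SENT":
            if pkt.flags == {SYN, ACK}:
                self.tcp[key] = "ESTABLISHED"
                return True
            return False              # a bare SYN is an initiation, not a reply
        return ACK in pkt.flags and SYN not in pkt.flags  # ESTABLISHED: data/ACK segments only


def run_scenario():
    """Replay one browsing session and one DNS lookup plus an attacker's probes."""
    clock = [1000.0]
    pat, fw = Pat(), StatefulFilter(lambda: clock[0])
    syn = Packet("tcp", INSIDE_PC, 51000, WEB_SERVER, 80, frozenset({SYN}))
    fw.outbound(syn)
    pub_syn = pat.outbound(syn)                       # mapped to PUBLIC_IP:40000
    # A stateless ACL can only let the reply in by opening the mapped port to everyone.
    acl = Acl([("tcp", None, PUBLIC_IP, pub_syn.sport)])

    def verdicts(pkt):
        inside = pat.inbound(pkt)
        return {"pat_forwards": inside is not None, "acl_permits": acl.permits(pkt),
                "stateful_permits": inside is not None and fw.permits_inbound(inside)}

    r = {}
    r["synack_from_server"] = verdicts(Packet("tcp", WEB_SERVER, 80, PUBLIC_IP, pub_syn.sport, frozenset({SYN, ACK})))
    r["syn_from_attacker"] = verdicts(Packet("tcp", ATTACKER, 4444, PUBLIC_IP, pub_syn.sport, frozenset({SYN})))
    r["null_scan_from_attacker"] = verdicts(Packet("tcp", ATTACKER, 4445, PUBLIC_IP, pub_syn.sport))
    r["spoofed_syn_as_server"] = verdicts(Packet("tcp", WEB_SERVER, 80, PUBLIC_IP, pub_syn.sport, frozenset({SYN})))
    query = Packet("udp", INSIDE_PC, 53001, DNS_SERVER, 53)
    fw.outbound(query)
    answer = Packet("udp", DNS_SERVER, 53, PUBLIC_IP, pat.outbound(query).sport)
    r["dns_answer_in_time"] = fw.permits_inbound(pat.inbound(answer))
    clock[0] += UDP_TIMEOUT + 1                       # the timed UDP hole has closed
    r["dns_answer_after_timeout"] = fw.permits_inbound(pat.inbound(answer))
    return r


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:26} {verdict}")
```

In the replay, the PAT table forwards all four inbound TCP packets to the PC because each is addressed to the mapped public port, and the ACL permits all four because it cannot distinguish them by source alone once the port is open; only the state table, which keys on the full four-tuple and on the TCP handshake position, admits the SYN/ACK from the server and drops the attacker's SYN, the NULL probe and even a SYN spoofed from the server's own address. The UDP half shows the timer the post mentions: the DNS answer is admitted while the entry is fresh and dropped once the timeout has passed.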