Thursday, February 01, 2007
NAT is not a Firewall
My experience is quite dated here.
A NAT is a very basic firewall. You can specify which ports are open and where to route that traffic. When a machine accesses the Internet through a NAT, it is more protected than a machine that does not. Only a few ports are open, rather than every port.
To be considered a firewall, however, a device needs to pass security audits, and your basic NAT will not pass them. A NAT does not need to track the TCP state of open sessions. A NAT does not check whether a new session for an application is coming from the correct source. A NAT does not check for DoS attacks or security scans. A NAT box does not consider security very much.
Basically, a NAT is a firewall that is not secure enough to be called a firewall, except by the most evil of marketers. Back in the late 1990s, some companies did market NAT as a firewall. Make sure your firewall is from a known security vendor (such as Cisco or Check Point) or has ICSA or another recognized third-party certification. It's best to google them to see what people say.
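As an added illustration (not from the original post), here is a toy Python model of the distinction drawn above: a port-forwarding NAT admits any packet aimed at a forwarded port, while a stateful filter only admits packets that open a new session or belong to one it has already seen, and notices a single source probing many ports. The `FORWARDED` port set, the scan threshold and the sample packets are all constructed for this example.

```python
from collections import defaultdict

# Constructed for this example: ports the NAT forwards to an inside host.
FORWARDED = {80, 443}

def nat_forward(packet):
    """Plain NAT: forwards anything aimed at a forwarded port, no state."""
    return packet[2] in FORWARDED

class StatefulFilter:
    """Tracks TCP sessions; unsolicited mid-stream packets are dropped."""
    SCAN_THRESHOLD = 5  # distinct ports one source may probe before we alert

    def __init__(self):
        self.sessions = {}              # (src, sport, dport) -> state
        self.probed = defaultdict(set)  # src -> distinct ports it sent SYNs to
        self.alerts = []

    def inbound(self, packet):
        """Return True if the packet is admitted, False if dropped."""
        src, sport, dport, flags = packet
        key = (src, sport, dport)
        if "S" in flags and "A" not in flags:       # a new-session attempt
            self.probed[src].add(dport)
            if len(self.probed[src]) > self.SCAN_THRESHOLD:
                self.alerts.append(f"possible port scan from {src}")
                return False
            if dport not in FORWARDED:
                return False
            self.sessions[key] = "SYN_RECV"
            return True
        if key in self.sessions:                    # part of a tracked session
            if "A" in flags and self.sessions[key] == "SYN_RECV":
                self.sessions[key] = "ESTABLISHED"
            if "F" in flags or "R" in flags:
                del self.sessions[key]
            return True
        return False  # ACK/FIN/RST with no session: the NAT would forward this

# Constructed packets: (src_ip, src_port, dst_port, tcp_flags).
SAMPLE = [
    ("198.51.100.7", 40000, 80, "S"),   # legitimate handshake start
    ("198.51.100.7", 40000, 80, "A"),   # ...completes it
    ("203.0.113.9", 5555, 443, "A"),    # stray ACK, no session: NAT forwards it
]

def run_sample():
    """Return (nat_decision, firewall_decision) for each sample packet."""
    fw = StatefulFilter()
    return [(nat_forward(p), fw.inbound(p)) for p in SAMPLE]
```

The third sample packet is the point of the post: the NAT forwards it because port 443 is open, while the stateful filter drops it because no handshake ever created a session for it.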