Firewall Fundamentals

Many broadband routers and firewalls rely primarily on Network Address Translation (NAT) to hide the internal systems behind a single external IP address. These so-called "NAT routers" or "NAT firewalls" do an adequate job of hiding resources from casual attack methods, but they do not perform advanced firewall functions; calling them firewalls is therefore something of a misnomer, at least in the sense that products such as the Cisco Secure PIX Firewall, Microsoft ISA Server, and Check Point Firewall-1 are considered firewalls. Rather, many broadband routers and firewalls are just NAT-based packet-filtering routers that provide a degree of privacy, but they typically lack advanced firewall features such as stateful packet inspection (SPI), proxying of data, or deep packet inspection.

Figure 5-1 shows the NAT process.

Figure 5-1. How NAT Works

The steps numbered in Figure 5-1 can be further explained as follows:

1. The client (HostA) initiates a connection to an external host (HostB).

2. The broadband router/firewall receives the request and translates the source address from the internal IP address of HostA to the address of the router/firewall's external interface. The router/firewall records this translation in a translation table.

3. The packets are delivered to the external destination (HostB), which believes that the packets originated from the external IP address of the router/firewall. HostB therefore sends its response to the external IP address of the router/firewall.

4. When the router/firewall receives the response from HostB, it checks its translation table for a matching outbound request.

5. If it finds one, the router/firewall rewrites the destination of the packet and delivers it to the internal host (HostA), which sees the response as coming directly from HostB.

In addition, most broadband routers/firewalls are designed not to permit any unsolicited packets from an external host to be delivered to an internal host.

Although this is generally an adequate level of protection for most home environments, it is important to understand that relying on NAT alone to protect hosts gives a false sense of security, because NAT does not guarantee security in and of itself, as noted in RFC 2663 Section 9.0. For example, NAT devices are as susceptible to targeted attacks, such as denial-of-service (DoS) attacks, as non-NAT devices. NAT also provides no filtering of packets leaving the internal network; instead, it permits all outbound traffic as long as it can be translated accordingly. Although it is a subtle difference, NAT provides more privacy than it does security.
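The translation-table behaviour of steps 1 through 5 above, together with the two points just made (an unsolicited inbound packet finds no table entry and is dropped, while any outbound packet that can be translated is forwarded unfiltered), as an added Python model that is not code from the book or from any router vendor. It models port-based NAT (NAPT), the form most broadband routers use; the external address 203.0.113.5, the hosts 192.168.1.10 and 198.51.100.x, and the port numbers are constructed for illustration:

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal 5-tuple view of a packet; the payload is irrelevant to NAT."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Port-based NAT (NAPT) as found in a typical broadband router.

    This is a constructed model of the translation table, not a real router's code.
    """

    def __init__(self, external_ip: str, first_port: int = 40000) -> None:
        self.external_ip = external_ip
        self._next_port = first_port
        # (proto, inside_ip, inside_port, remote_ip, remote_port) -> external port
        self._outbound: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, external_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self._inbound: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Steps 1-3: rewrite the source to the external interface and record the mapping.

        Nothing here inspects dst_ip or dst_port: every outbound packet that can be
        translated is forwarded, which is the 'no egress filtering' point in the text.
        """
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self._outbound.get(key)
        if ext_port is None:  # first packet of this flow: allocate a new external port
            ext_port = self._next_port
            self._next_port += 1
            self._outbound[key] = ext_port
            self._inbound[(pkt.proto, ext_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.external_ip, src_port=ext_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Steps 4-5: look up the reply; return None (drop) if no outbound request matches."""
        if pkt.dst_ip != self.external_ip:
            return None
        inside = self._inbound.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None  # unsolicited: nothing in the translation table
        return replace(pkt, dst_ip=inside[0], dst_port=inside[1])


def walk_figure_5_1() -> dict:
    """Run the five steps of Figure 5-1 plus the two limitations; return what happened."""
    nat = NatRouter("203.0.113.5")            # router's external address (constructed)
    host_a = ("192.168.1.10", 51000)          # internal client (constructed)
    host_b = ("198.51.100.20", 80)            # external web server (constructed)

    request = Packet("tcp", host_a[0], host_a[1], host_b[0], host_b[1])      # step 1
    on_the_wire = nat.outbound(request)                                      # steps 2-3
    reply = Packet("tcp", host_b[0], host_b[1], on_the_wire.src_ip, on_the_wire.src_port)
    delivered = nat.inbound(reply)                                           # steps 4-5

    # Limitation 1: an unsolicited inbound packet to the external address is dropped.
    probe = Packet("tcp", "198.51.100.99", 4444, nat.external_ip, 22)
    # Limitation 2: an outbound packet to an arbitrary host/port is translated, not filtered.
    exfil = Packet("tcp", host_a[0], 51001, "198.51.100.99", 4444)

    return {
        "as_seen_by_host_b": on_the_wire,
        "as_seen_by_host_a": delivered,
        "unsolicited_probe": nat.inbound(probe),
        "outbound_anywhere": nat.outbound(exfil),
    }


if __name__ == "__main__":
    for name, pkt in walk_figure_5_1().items():
        print(f"{name}: {pkt}")
```

Running the model shows HostB only ever sees 203.0.113.5 as the source, HostA only ever sees 198.51.100.20, the probe to port 22 is dropped because no table entry matches it, and the packet to 198.51.100.99:4444 leaves the network with a fresh translation and no questions asked.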

Therefore, only when used in conjunction with other technologies can NAT serve as an effective security mechanism. The best broadband routers/firewalls (for example, many of the Linksys broadband firewalls) include application-level filtering, deep packet inspection, SPI, firewall hardening, and NAT.
