ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

NATs are NOT Firewalls

2003-06-18 16:08:54
from [Tomson Eric \(Yahoo.fr\)] [Permanent Link] 
First of all, for the purists : I apologize for this simplified explanation
of what firewalls are. I guess we could start a very long thread about
firewalls and NATs, but the idea is to give a (somewhat) short answer (maybe
over-simplified) to some short questions asked by Simon Woodside (see
bottom).
-------------

There is not ONE firewall. A firewall is not a product, it's more like a
concept. The idea of a firewall is to build a protecting wall between an
external (public) network and an internal (private) network, by granting or
denying incoming/outgoing packets based on specified/configured
rules/policies. In the real world, there are different kinds of firewalls.

Compared to the OSI or TCP/IP layers, firewalls can work at different
layers.

There are mainly :
1.packet filters (analyze the IP packet and identify the IP addresses and
port numbers, then apply a set of rules),
2.circuit level gateways (work mainly at session layer, by identifying flows
of data and established connections),
3.application level gateways or proxies (application specific : http, ftp,
telnet,... with possible extended features, like caching possibilities,
logging of user activity,...), and
4.stateful inspection firewalls (more recent, combinations of types 1. 2.
and 3., more performant than 1. and 2., less complex than 3.).

A simple router, using access lists based on the IP addresses, analyzing
each packet one by one, is a basic firewall of type 1.
A more advanced device, able to identify "conversations", "sessions", is a
bit more advanced firewall of type 2.
A complex software, configured to analyze the addresses, the port numbers,
the protocols in use, possibly the contents of the applications data, is a
very complex firewall of type 3.

A basic router (not a firewall) will "transparently" interconnect different
networks, maintain routing tables, and advertise those tables to its
neighbors.
A NAT will "mask" the internal addresses, only maintain its own private
translation table, and not transmit it to any other device.

A Network Address Translator will usually translate "n" public, official IP
addresses into "n" private, internal IP addresses and keep the current port
numbers unchanged.
A Network Address and Port Translator will usually translate ONE public,
official IP address into SEVERAL private, internal IP addresses by
translating the external port numbers to correspond to the different
internal combinations of <network address + port> (external packets will
only transport ONE IP address - the public, official one).

Pure NATs will only translate network addresses. PATs and NAPTs will
translate port numbers, too. In no case will any of them translate the
protocols - that would prevent clients and servers from understanding each
other (a web client with a telnet server, etc.).

NATs will mask the internal addresses from outside view, but won't use
policies, control the traffic, perform authentication, or prevent spoofing :
NATs ARE NOT FIREWALLS!!!

On the other hand, circuit level gateways and application level gateways
transparently perform address translation!!! The addresses of the internal,
private network are masked from outside view!
Packet filters and stateful inspection firewalls don't translate IP
addresses and port numbers.

So, in short :
1/ a NAT is not equal to a firewall, it's not a firewall! Some firewalls DO
perform Network Address Translation, but NATs DO NOT perform firewalling!
2/ the main, primary purpose of a NAT is to use a limited set of public
(external) IP addresses and make them correspond to a wider range of private
(internal) IP addresses, in order to make savings, either in terms of IPv4
addresses, or because it's simply cheaper than buying several public IPv4
addresses. Now, the fact that masking the internal addresses to the external
world - so that internal hosts can initiate traffic to the outside, but no
external host can initiate traffic to the inside - brings some basic
security, is an interesting corollary, but not the primary objective of a
NAT.

Hope this helps. And sorry again for the purists. ;)

E.T.
ICT Consultant and Trainer.
Member of IEEE, IPv6 Task Force, ISOC, PIR.

=>-----Original Message-----
=>From: owner-ietf(_at_)ietf(_dot_)org [mailto:owner-ietf(_at_)ietf(_dot_)org] 
On 
=>Behalf Of S Woodside
=>
(...)
=>
=>This sounds like you are equating a NAT box with a firewall, which 
=>seems to be common.
=>
=>I would like to know:
=>- Is a NAT box a protocol enforcement point?
=>- is it an EFFECTIVE protocol enforcement point?
=>- is a NAT a firewall? (many people seem to think it is ...)
=>- is a firewall a protocol enforcement point? (yes)
=>- does a protocol enforcement point, have to include a NAT?
=>- does an EFFECTIVE one have to include a NAT?
=>- is it even EASIER to enforce protocol issues with a NAT as 
=>opposed to 
=>other means?
=>
=>simon
(...)
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: myth of the great transition (was US Defense Department forma lly adopts IPv6), Putzolu, David
Next by Date:  RE: myth of the great transition (was US Defense Department forma lly adopts IPv6), Fleischman, Eric
Previous by Thread:  Re: myth of the great transition (was US Defense Department forma lly adopts IPv6), S Woodside
Next by Thread:  Re: NATs are NOT Firewalls, S Woodside
Indexes:  [Date] [Thread] [Top] [All Lists]