How effective are NAT hardware firewalls?

I asked this question some time ago but it was inconclusive, and technology and hacking march on.

I currently use a Linksys DSL/cable switch (hub, router, whatever) to network 3 computers together and to the net. I occasionally install Zone Alarm just to check, then uninstall it. I have also tried sites that try to hack you to test your defenses. When I tested, it couldn’t get anywhere (ports were stealthed). If I put my computer in the DMZ then the site could see my printer and drives but couldn’t access them w/o a password.

So am I safe with just the hardware firewall? I realize it makes me vulnerable to trojan horse programs that try to connect from the outside, but what I want to know is: is this Linksys switch an effective firewall against outside attacks?

The Linksys router (hubs and switches are different animals) will do just fine. It will block any incoming connections unless you explicitly set up port forwarding, so there’s no danger from things trying to connect from the outside.

First of all, the Linksys device is likely a router, with a five port ethernet switch (although, perhaps a hub). None of that is particularly relevant. But it is NOT a hardware firewall.

Sure, it does some firewall-type things, such as NAT, but most folks wouldn’t describe your setup as having a hardware firewall.

friedo’s post probably should have mentioned that if you put the computer in the DMZ, then you will need a firewall.

As long as your computer has a private network address (such as anything along the lines of 192.168.x.x or 10.x.x.x), then your computers cannot be accessed from the Internet, unless you have specifically configured port forwarding.

If you put a computer in the DMZ with a public IP address, relying on your operating system’s password protection is asking for trouble. You should at least keep a software firewall on this machine, running all the time.

You mention trojans. Zonealarm will alert you to any program that attempts to establish a connection to an Internet host from your machine. This is very valuable, not only to trojans (which anti-virus software may catch), but also for spyware. I recommend that you run Zonealarm, or a comparable software firewall, on each machine that accesses the Internet.
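To make the "blocked unless you configured port forwarding or a DMZ host" point concrete, here is an added illustration (example code, not the Linksys firmware or anyone's post in this thread) of the decision a NAT router makes for each inbound packet. The hosts, ports and addresses are constructed; the `NatRouter` class, its `table` and `demo()` are this example's own names.

```python
"""Added illustration (not the Linksys firmware): how a NAT router decides
what to do with an inbound packet.  Only outbound connections create table
entries; an unsolicited packet gets in only via a port-forward rule or the
single DMZ host.  Addresses are RFC 5737 documentation ranges."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class NatRouter:
    # {public_port: (lan_ip, lan_port)} rules the owner configured by hand
    port_forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    # LAN host that receives everything not otherwise matched (the "DMZ")
    dmz_host: Optional[str] = None
    # {(remote_ip, remote_port, public_port): (lan_ip, lan_port)}: the state
    # NAT keeps, filled only when a LAN host starts a connection
    table: Dict[Tuple[str, int, int], Tuple[str, int]] = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, lan_ip: str, lan_port: int, remote_ip: str, remote_port: int) -> int:
        """A LAN host opens a connection: pick a public port, remember the mapping."""
        public_port = self.next_port
        self.next_port += 1
        self.table[(remote_ip, remote_port, public_port)] = (lan_ip, lan_port)
        return public_port

    def inbound(self, remote_ip: str, remote_port: int, public_port: int):
        """Classify a packet arriving from the Internet on public_port."""
        key = (remote_ip, remote_port, public_port)
        if key in self.table:                  # reply to a connection we started
            return ("reply", self.table[key])
        if public_port in self.port_forwards:  # owner opened this port on purpose
            return ("forward", self.port_forwards[public_port])
        if self.dmz_host is not None:          # DMZ host catches every other probe
            return ("dmz", (self.dmz_host, public_port))
        return ("drop", None)                  # no state, no rule: silently dropped


def demo():
    """Constructed scenario: one web session from the LAN, then probes of
    port 445 and port 80 from an unrelated Internet host."""
    router = NatRouter()
    pub = router.outbound("192.168.1.2", 51000, "198.51.100.5", 80)
    results = {"web reply": router.inbound("198.51.100.5", 80, pub),
               "scan no rule": router.inbound("198.51.100.9", 4444, 445)}
    router.port_forwards[80] = ("192.168.1.3", 80)   # expose a LAN web server
    results["scan forwarded port"] = router.inbound("198.51.100.9", 4444, 80)
    router.dmz_host = "192.168.1.4"                   # put a host in the DMZ
    results["scan with dmz"] = router.inbound("198.51.100.9", 4444, 445)
    return results
```

Note that the model keeps state only as far as matching replies to the connection that caused them; it never looks inside the packet, which is the distinction drawn later in this thread between NAT and stateful inspection.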

Boy, I feel like a moron. Would somebody please tell this CCNA what “DMZ” stands for?

I’ve searched on the web and all I can come up with is “De-Militarized Zone” and “Dance Music Zone.”

De-Militarized Zone is the correct reference, sorry.

It became a popular networking term to reference network segments that were on premises but not behind the firewall. In that manner, it is synonymous with the military-type definition.

It does stand for De-Militarized Zone. Basically it’s warning you that you are putting your computer out there beyond the front line so to speak or on the other side of the firewall.

AZCowboy, so what you’re saying is (if I understand you):
1. the Linksys device is not a hardware firewall although it says so on the box.
2. it does however prevent any external connection (as long as it’s not in port fwd or DMZ)
3. not effective against trojans (I knew this one already)

So except for internal attacks what will a hardware firewall do that this doesn’t?

BTW it is a router with a 4 port switch

And since you are a CCNA, and asking more to learn, I should offer a little more…

Over time, many firewall vendors have added a DMZ port to their firewalls. In these cases, it is hard to generalize about whether something is “behind” the firewall, in front of it, or simply beside it.

But what can be said generally is that the DMZ is a segment which receives less security than the internal network. It is where you normally would place servers that are intended to be accessed from the Internet, such as a mail server or web server.

This helps with configuring policy on the firewall. You might deny all web requests to the internal network, but allow all web requests to the DMZ (from internal or Internet). You may deny all management port requests from the Internet, and allow management port requests from the Internal networks.

But since DMZ hosts are more subject to attack and compromise, you would probably limit their ability to initiate requests into the internal network.

Hope that helps.
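The three-zone policy sketched in the post above, written out as an added example (not any vendor's configuration and not part of the original post) so the ordering matters can be seen: the first matching rule wins and anything no rule mentions is denied. The zone names, services and sample flows are constructed; `decide()` and `evaluate()` are this example's own helpers.

```python
"""Added illustration of the zone policy described above (not any vendor's
configuration): first matching rule wins, anything unmatched is denied."""
from typing import Dict, List, Tuple

Rule = Tuple[str, str, str, str]   # (from_zone, to_zone, service, action)

# Constructed policy following the post: web only into the DMZ, management
# only from the internal network, and no DMZ-initiated traffic inward.
RULES: List[Rule] = [
    ("any",      "internal", "web",        "deny"),
    ("any",      "dmz",      "web",        "allow"),
    ("internet", "any",      "management", "deny"),
    ("internal", "any",      "management", "allow"),
    ("dmz",      "internal", "any",        "deny"),
    ("internal", "any",      "any",        "allow"),
]


def _match(pattern: str, value: str) -> bool:
    return pattern == "any" or pattern == value


def decide(src_zone: str, dst_zone: str, service: str, rules: List[Rule] = RULES) -> str:
    """Walk the rules in order; the first match decides, otherwise default deny."""
    for frm, to, svc, action in rules:
        if _match(frm, src_zone) and _match(to, dst_zone) and _match(svc, service):
            return action
    return "deny"


# Constructed sample flows: (from_zone, to_zone, service)
SAMPLE_FLOWS = [
    ("internet", "dmz",      "web"),         # public web server: allowed
    ("internet", "internal", "web"),         # web into the LAN: denied
    ("internal", "dmz",      "web"),         # staff reaching the DMZ server: allowed
    ("internet", "dmz",      "management"),  # remote management: denied
    ("internal", "dmz",      "management"),  # admin from inside: allowed
    ("dmz",      "internal", "mail"),        # compromised DMZ host reaching inward: denied
    ("internet", "internal", "mail"),        # no rule at all: default deny
]


def evaluate(flows=SAMPLE_FLOWS) -> Dict[Tuple[str, str, str], str]:
    """Return the verdict for each flow so the whole policy can be checked at once."""
    return {flow: decide(*flow) for flow in flows}
```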

k2dave, I’m not surprised to learn that the Linksys device calls itself a firewall. I simply call that marketing. Since it does NAT (network address translation), and some people (not me) consider that a firewall function, they get away with it. There isn’t a standard definition of “firewall” in the industry, so I may be a bit harsh.

For me, a firewall doesn’t even need to perform NAT, but it must do one of two things: 1) stateful inspection, or 2) proxy. In one sense, the Linksys does maintain state (for port forwarding, for example), but doesn’t maintain state for the purpose of inspecting the contents of packets and rejecting packets that fail some configured policy. And it is unlikely to be acting as a proxy server for you.

If you post the model number, I’d be glad to look up some of its specific functionality. I’m no expert on the Linksys product line, maybe they’ve added a true firewall (but I doubt it).

If the last post’s web site went through, ignore it; use this one instead:
http://www.linksys.com/products/product.asp?grid=23&prid=20

Thanks for the info, guys.

AZCowboy:

The Linksys devices do act as a firewall and do more than just NAT. They have stateful packet inspection – how good it is I don’t know. The earlier firmware did not. And the fact that they do NAT along with source verification make them fine for the vast majority of users.

sigSEGV, from my review of the product literature, I do not see any reference to stateful packet inspection. All references to “firewall” are preceded with “NAT”, which leads me to conclude that it is not, at least in my definition, a firewall.

I will agree with you that for the vast majority of users, it is sufficient for protecting them from traditional hackers (but as we have already noted in this thread, not spyware, trojans, viruses, etc.)

The exception is if you are allowing a publicly accessible IP address behind the router (such as the DMZ function in this Linksys) OR if you have configured port forwarding. In those two cases, I believe you need something more. For those less technical, there is no reason for you to need either of these two cases, unless you are going to run a “server” - a system or application which accepts sessions initiated from out on the Internet. If you just browse the web, access your email through a web client, and maybe use an ftp client, you won’t have this need.

However, if you have applications such as web or mail servers, multi-player Internet games, or video-conferencing software, you may need one of these two configurations. And some of the popular peer-to-peer file trading systems will require you to configure port forwarding for complete functionality. At that point, I would not recommend relying on one of these devices as a “firewall”.