[120174] in North American Network Operators' Group

Re: Consumer Grade - IPV6 Enabled Router Firewalls.

daemon@ATHENA.MIT.EDU (Joe Greco)
Fri Dec 11 09:35:03 2009

From: Joe Greco <jgreco@ns.sol.net>
To: cmadams@hiwaay.net (Chris Adams)
Date: Fri, 11 Dec 2009 08:34:08 -0600 (CST)
In-Reply-To: <20091211141057.GB1269284@hiwaay.net> from "Chris Adams" at Dec
	11, 2009 08:10:57 AM
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

> Once upon a time, Joe Greco <jgreco@ns.sol.net> said:
> > Everyone knows a NAT gateway isn't really a firewall, except more or less
> > accidentally.  There's no good way to provide a hardware firewall in an
> > average residential environment that is not a disaster waiting to happen.  
> 
> I don't think hardware vs. software makes a "real" firewall.  A NAT
> gateway has to have all the basic functionality of a stateful firewall,
> plus packet mangling.  Typical home NAT gateways don't have all the
> configurability of an SSG or such, but the same basic functionality is
> there.

You can blow away the firmware of your NAT gateway and load something
like DD-WRT.  This gives you a hardware firewall (an external hardware 
device that acts as a deliberate firewall; i.e. you can firewall 1.2.3.4
from 5.6.7.8).  It is not filtering packets in silicon, which is an
alternate definition for "hardware firewall" that many in this group 
could use, but in common usage, it is the distinctness from the protected
host(s) and the ability to implement typical firewalling rules and
methods, with or _without_ NAT, that makes it a "hardware firewall."

Your existing NAT gateway firmware may well be based on Linux and may
have portions implemented by a Linux firewalling subsystem, but in most
cases, you cannot really drill down to any significant level of detail,
and quite frequently the main "anti-forwarding" protection offered is
simply the difficulty in surmounting the artificial barrier created by
the NAT addressing discontinuity.  While this might technically count as
"the same basic functionality," functionality that cannot be accessed or
used might as well not be there for the purposes of this discussion.  So
I'll pass on considering your average NAT gateway as a "hardware
firewall."

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.

