Great Circle Associates Firewalls
(November 1996)
 


Subject: RE: Cisco's PIX firewall
From: Ryan Russell/SYBASE <Ryan . Russell @ sybase . com>
Date: 27 Nov 96 13:37:03 EDT
To: Russ <Russ . Cooper @ RC . on . ca>
Cc: firewalls <firewalls @ GreatCircle . COM>, "'Ryan Russell/SYBASE'" <Ryan . Russell @ sybase . com>

I think perhaps you misunderstood my two cases..

In case number two, where you say that inside hosts
(like an SMTP server) have no protection...true.  That's
case number one.  NAT does offer some security for
hosts doing the many-to-few address translation thing.
The NAT box I'm most familiar with (firewall-1) will
do some extra things when doing one-to-one NAT,
such as not allowing a duplicate reply in, etc..
Not sure why this would help security in any way,
but what the heck.. NAT does do a little more than
just plain access-lists on a router..

As far as the case you mention, there isn't any really good
way to firewall services that you WANT outside people
to get at.  You could have a proxy in the middle, but then
you might as well have a well-written server process
to begin with.  It's about the same exercise.  The
modularity might be useful with that arrangement though..
might allow inside people to access everything, and outside
people less access...but I would recommend against having
machines truly "inside" offering public services.

    Ryan

---------- Previous Message ----------
To: firewalls, Ryan.Russell
cc: 
From: Russ.Cooper @ RC.on.ca (Russ) @ smtp
Date: 11/27/96 06:23:38 AM
Subject: RE: Cisco's PIX firewall

Ryan said...
>NAT gives security for two kinds of hosts:

1. Public hosts...<snip>..."NAT is not really needed in this case, nor 
does it add much security by itself."...<snip>

2. Internal hosts...<snip>...stuff about no one-to-one mapping...but 
there is a one-to-one mapping to anything that is inside a NAT and is 
going to accept inbound connections...like an internal SMTP server for 
example. Then there's the fact that once an internal host makes a 
connection through a NAT, it can then be tampered with as if there was 
no NAT.

If someone asked me what security NAT provides, I'd say none at all. 
Firewall-1 and PIX offer security, and, they offer NAT. NAT is not a 
security product, it may obscure things, but it protects nothing by 
itself.

Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security Consulting
mailto:Russ . Cooper @ RC . on . ca <-- *note the new address*
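The three situations the two messages above argue over (a public host behind a static one-to-one mapping, an internal host behind many-to-few translation with no mapping of its own, and an internal host that has just opened an outbound connection) can be made concrete with a small translation-table model. The code below is an added illustration, not code from either poster, from Firewall-1 or from PIX; the `Nat` and `Packet` names, the port-allocation scheme and the documentation-range addresses (203.0.113.x, 198.51.100.x, 10.0.0.x) are all constructed for the example, and the "duplicate reply" behaviour Ryan mentions is not modelled.

```python
"""Toy model of what a NAT does and does not block (constructed example).

It answers the thread's three cases with a translation table:
  1. static one-to-one mapping for a public server: inbound is forwarded,
     so the server is exposed exactly as it would be without NAT;
  2. many-to-few (port-overloading) for internal clients: an inbound
     packet with no table entry is dropped;
  3. once an internal client has sent outbound, inbound traffic matching
     that flow is forwarded, so on that flow NAT protects nothing.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Minimal NAT: static one-to-one entries plus a dynamic many-to-few table."""

    def __init__(self, public_ips, first_port=10000):
        self.public_ips = list(public_ips)
        self.static = {}        # public_ip -> inside_ip (one-to-one)
        self.static_rev = {}    # inside_ip -> public_ip
        self.dynamic = {}       # (pub_ip, pub_port) -> (in_ip, in_port, peer_ip, peer_port)
        self.dynamic_rev = {}   # (in_ip, in_port, peer_ip, peer_port) -> (pub_ip, pub_port)
        self.next_port = first_port

    def add_static(self, public_ip, inside_ip):
        self.static[public_ip] = inside_ip
        self.static_rev[inside_ip] = public_ip

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet, creating state for dynamic flows."""
        if pkt.src_ip in self.static_rev:
            # one-to-one: only the source address changes, no port rewriting
            return Packet(self.static_rev[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow not in self.dynamic_rev:
            public = (self.public_ips[0], self.next_port)
            self.next_port += 1
            self.dynamic_rev[flow] = public
            self.dynamic[public] = flow
        pub_ip, pub_port = self.dynamic_rev[flow]
        return Packet(pub_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an outside->inside packet; None means the NAT dropped it."""
        if pkt.dst_ip in self.static:
            # case 1: static mapping forwards anything, solicited or not
            return Packet(pkt.src_ip, pkt.src_port, self.static[pkt.dst_ip], pkt.dst_port)
        entry = self.dynamic.get((pkt.dst_ip, pkt.dst_port))
        if entry is None:
            return None  # case 2: no state for this public ip/port -> dropped
        in_ip, in_port, peer_ip, peer_port = entry
        if (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
            return None  # state exists but the sender is not the recorded peer
        # case 3: matches an existing flow -> delivered to the inside host
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)


def demo():
    """Run the three cases from the thread and return what reached the inside."""
    nat = Nat(["203.0.113.1", "203.0.113.2"])      # constructed public addresses
    nat.add_static("203.0.113.2", "10.0.0.25")      # internal SMTP server, one-to-one
    results = {}
    # case 1: unsolicited connection to the statically mapped SMTP server
    results["static_inbound"] = nat.inbound(Packet("198.51.100.7", 40000, "203.0.113.2", 25))
    # case 2: unsolicited packet at the shared public address, no table entry
    results["unsolicited"] = nat.inbound(Packet("198.51.100.7", 40001, "203.0.113.1", 10000))
    # case 3: an internal client opens an outbound connection
    out = nat.outbound(Packet("10.0.0.50", 51000, "198.51.100.7", 80))
    results["outbound"] = out
    results["reply"] = nat.inbound(Packet("198.51.100.7", 80, out.src_ip, out.src_port))
    # a different outside host aiming at the same mapped port is dropped
    results["third_party"] = nat.inbound(Packet("198.51.100.9", 80, out.src_ip, out.src_port))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15} -> {'dropped' if value is None else value}")
```

The model makes the disagreement precise: NAT's only filtering is "is there a table entry for this packet", so a static mapping gives a public server no protection at all, and an internal client is shielded only until it creates an entry by talking outbound. The peer check in `inbound` is purely on source address and port, which is the most any NAT can do; it is not authentication, which is why the posters point to a real firewall (proxying, or stateful inspection of the protocol itself) rather than to NAT for services that must be reachable.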



