RB

Apr 7, 2004
Archived from groups: comp.security.firewalls

Does any router work as a hardware firewall? If not, what router label do I
look for to ensure the router I get will act as a firewall.

Seems I've heard of NAT routers. Is this one of the firewall routers?
 
Guest

RB wrote:

> Does any router work as a hardware firewall?

Nope. A router only does NAT (network address translation). Some people
classify NAT as a firewall, but it's not in my opinion. It's simply how a
router routes packets from external IP's (internet) to internal IP's (LAN).

> If not, what router label do
> I look for to ensure the router I get will act as a firewall.

Uh, the word "firewall" would do it for me....

>
> Seems I've heard of NAT routers. Is this one of the firewall routers?

No, NAT is how they work, Router is what the object is. I'd slap someone if
they told me they had a "NAT router". I'd be like "DUH!" A router without
NAT, how would that work? lol.
Look for something that says "firewall" router. That, or find an old
pentium 1 with 64mb ram and 1gb hdd and put Smoothwall 2.0 Linux on it.
Then it will act as a router AND a firewall AND a DHCP server (and DHCP is
another useful thing most routers do, but is not part of the "job
requirements" of a router).

--
Nobody wants constructive criticism. It's all we can do to put up with
constructive praise.
 
Guest

On Wed, 07 Apr 2004 01:38:42 -0600, NeoSadist <neosad1st@charter.net>
wrote:

>> Seems I've heard of NAT routers. Is this one of the firewall routers?
>
>No, NAT is how they work, Router is what the object is. I'd slap someone if
>they told me they had a "NAT router". I'd be like "DUH!" A router without
>NAT, how would that work? lol.

Uh, Cisco has made hundreds of thousands of routers without NAT.
Everything pre IOS 11.3 had no NAT. There are probably 1000 of them
running within 5 miles of you, unless you live in the sticks that is.

So slap me.
 
Guest

"RB" <rbig@bellsouth.nospam.net> wrote in message
news:QoNcc.3840$ZJ6.2609@bignews5.bellsouth.net...
> Does any router work as a hardware firewall? If not, what router label do I
> look for to ensure the router I get will act as a firewall.
>
> Seems I've heard of NAT routers. Is this one of the firewall routers?
>

http://www.homenethelp.com/web/explain/about-NAT.asp

Linksys Dlink and others fall into the above category.

http://www.linksys.com/products/group.asp?grid=34&scid=29
http://www.dlink.com/products/category.asp?cid=2

http://www.firewall-software.com/firewall_faqs/what_is_a_firewall.html

WatchGuard SnapGear and others fall into the above category.

http://www.cdw.com/shop/search/Results.aspx?key=WatchGuard&platform=all&x=14&y=11
http://www.cyberguard.com/snapgear/

Duane :)
 
Guest

"NeoSadist" <neosad1st@charter.net> wrote in message
news:1077c0l4vjvo98d@corp.supernews.com...
> RB wrote:
>
> > Does any router work as a hardware firewall?
>
> Nope. A router only does NAT (network address translation). Some people
> classify NAT as a firewall, but it's not in my opinion. It's simply how a
> router routes packets from external IP's (internet) to internal IP's (LAN).

Agreed - but some routers do have a full built firewall functions (e.g. a
Cisco with firewall IOS), and since a firewall usually supports NAT as well,
you can get firewalls that do the same job as a SOHO router (e.g. a Cisco
PIX 501) - I just pick on Cisco here as they are well known, and that's what
I work with most.
>
> > If not, what router label do
> > I look for to ensure the router I get will act as a firewall.
>
> Uh, the word "firewall" would do it for me....

Firewall is one of those terms which gets abused - so better to decide what
you want and then look for the functionality rather than rely on the "F"
word.

There are lots of blurred edges here - some firewalls use stateful packet
inspection, some don't, others can scan for URLs and limit access, or watch
data within a transfer with IDS style inspection to try to pick up worms and
viruses.

The key difference is that a firewall should more or less block everything
that isn't explicitly allowed, and a router tends to allow everything that
isn't explicitly blocked - under those rules just about every SOHO router
isn't a firewall as they tend to allow any connection from inside to outside,
to minimise the amount of setup needed.
>
> >
> > Seems I've heard of NAT routers. Is this one of the firewall routers?
>
> No, NAT is how they work, Router is what the object is. I'd slap someone if
> they told me they had a "NAT router". I'd be like "DUH!" A router without
> NAT, how would that work? lol.

A bit of nit picking - NAT is usually only used for SOHO routers driving
internet links or in a hosting centre - most enterprise networks (and most
of the internet) are built from routers that are not configured for NAT.

> Look for something that says "firewall" router. That, or find an old
> pentium 1 with 64mb ram and 1gb hdd and put Smoothwall 2.0 Linux on it.
> Then it will act as a router AND a firewall AND a DHCP server (and DHCP is
> another useful thing most routers do, but is not part of the "job
> requirements" of a router).
>
> --
> Nobody wants constructive criticism. It's all we can do to put up with
> constructive praise.
--
Regards

Stephen Hope - remove xx from email to reply
 
Guest

shope wrote:

> "NeoSadist" <neosad1st@charter.net> wrote in message
> news:1077c0l4vjvo98d@corp.supernews.com...
>> RB wrote:
>>
>> > Does any router work as a hardware firewall?
>>
>> Nope. A router only does NAT (network address translation). Some people
>> classify NAT as a firewall, but it's not in my opinion. It's simply how
>> a router routes packets from external IP's (internet) to internal IP's (LAN).
>
> Agreed - but some routers do have a full built firewall functions (e.g. a
> Cisco with firewall IOS), and since a firewall usually supports NAT as
> well, you can get firewalls that do the same job as a SOHO router (e.g. a
> Cisco PIX 501) - I just pick on Cisco here as they are well known, and
> that's what I work with most.

But a router by definition doesn't need a firewall. A firewall is an
additional feature, not part of a router's job description.

>>
>> > If not, what router label do
>> > I look for to ensure the router I get will act as a firewall.
>>
>> Uh, the word "firewall" would do it for me....
>
> Firewall is one of those terms which gets abused - so better to decide
> what you want and then look for the functionality rather than rely on the
> "F" word.

I know that.

>
> There are lots of blurred edges here - some firewalls use stateful packet
> inspection, some don't, others can scan for URLs and limit access, or watch
> data within a transfer with IDS style inspection to try to pick up worms
> and viruses.
>
> The key difference is that a firewall should more or less block everything
> that isn't explicitly allowed, and a router tends to allow everything that
> isn't explicitly blocked - under those rules just about every SOHO router
> isn't a firewall as they tend to allow any connection from inside to
> outside, to minimise the amount of setup needed.

Yes, they are diametrically opposed...

>>
>> >
>> > Seems I've heard of NAT routers. Is this one of the firewall routers?
>>
>> No, NAT is how they work, Router is what the object is. I'd slap someone if
>> they told me they had a "NAT router". I'd be like "DUH!" A router without
>> NAT, how would that work? lol.
>
> A bit of nit picking - NAT is usually only used for SOHO routers driving
> internet links or in a hosting centre - most enterprise networks (and most
> of the internet) are built from routers that are not configured for NAT.

I've yet to see a router without NAT, and/or use one, but then again....

>
>> Look for something that says "firewall" router. That, or find an old
>> pentium 1 with 64mb ram and 1gb hdd and put Smoothwall 2.0 Linux on it.
>> Then it will act as a router AND a firewall AND a DHCP server (and DHCP
>> is another useful thing most routers do, but is not part of the "job
>> requirements" of a router).
>>
>> --
>> Nobody wants constructive criticism. It's all we can do to put up with
>> constructive praise.

--
Maintainer's Motto:
If we can't fix it, it ain't broke.
 
Guest

Steevo@my-deja.com wrote:

> On Wed, 07 Apr 2004 01:38:42 -0600, NeoSadist <neosad1st@charter.net>
> wrote:
>
>>> Seems I've heard of NAT routers. Is this one of the firewall routers?
>>
>>No, NAT is how they work, Router is what the object is. I'd slap someone if
>>they told me they had a "NAT router". I'd be like "DUH!" A router
>>without NAT, how would that work? lol.
>
> Uh, Cisco has made hundreds of thousands of routers without NAT.
> Everything pre IOS 11.3 had no NAT. There are probably 1000 of them
> running within 5 miles of you, unless you live in the sticks that is.
>
> So slap me.

I'll slap you if you don't give me a link so that I may broaden my
understanding of why anyone would want a router without NAT.... :D

--
Jenkinson's Law:
It won't work.
 
Guest

Hi RB !

I have a full fleshed firewall router (with SPI) TW100-BRF104 from
TrendNet - and it's great and isn't expensive !

http://www.trendnet.com/en/products/TW100-BRF104.htm
www.trendnet.com

Søren

"RB" <rbig@bellsouth.nospam.net> wrote in message
news:QoNcc.3840$ZJ6.2609@bignews5.bellsouth.net...
> Does any router work as a hardware firewall? If not, what router label do I
> look for to ensure the router I get will act as a firewall.
>
> Seems I've heard of NAT routers. Is this one of the firewall routers?
>
>
>
 
Guest

In article <QoNcc.3840$ZJ6.2609@bignews5.bellsouth.net>,
rbig@bellsouth.nospam.net says...
> Does any router work as a hardware firewall?

Routers are not firewalls and only have limited ability to protect your
systems. If routers worked as firewalls they would be firewalls, not
routers.

> If not, what router label do I
> look for to ensure the router I get will act as a firewall.

If you want a firewall you need a product that is a firewall, not a
router with NAT. A firewall will block both Inbound and Outbound traffic
unless you create rules to permit it. A firewall may also perform
routing functions including NAT.

A typical SOHO Firewall appliance will cost about $350, a typical NAT
router will cost about $50.

Firewalls may also have the ability to filter content of web pages and
email so that you can strip out Active-X and email attachments before
they make it to your workstations or email server - routers don't do
that.

> Seems I've heard of NAT routers. Is this one of the firewall routers?

There are several NAT routers that use the word "Firewall" in their
description, but they are not firewalls, they are NAT devices with one
or two firewall like features built into them.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 
Guest

On Wed, 07 Apr 2004 11:42:21 -0600, NeoSadist spoketh


>>
>> A bit of nit picking - NAT is usually only used for SOHO routers driving
>> internet links or in a hosting centre - most enterprise networks (and most
>> of the internet) are built from routers that are not configured for NAT.
>
>I've yet to see a router without NAT, and/or use one, but then again....
>

If you haven't seen a router without NAT, then your experience is
limited to the so-called "broadband" routers.

Professional grade routers may have NAT as an option, but it's only used
under special circumstances.


Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
 
Guest

"NeoSadist" <neosad1st@charter.net> wrote in message
news:1078fdnoo2af711@corp.supernews.com...
> Steevo@my-deja.com wrote:
>
> > On Wed, 07 Apr 2004 01:38:42 -0600, NeoSadist <neosad1st@charter.net>
> > wrote:
> >
> >>> Seems I've heard of NAT routers. Is this one of the firewall routers?
> >>
> >>No, NAT is how they work, Router is what the object is. I'd slap someone if
> >>they told me they had a "NAT router". I'd be like "DUH!" A router
> >>without NAT, how would that work? lol.
> >
> > Uh, Cisco has made hundreds of thousands of routers without NAT.
> > Everything pre IOS 11.3 had no NAT. There are probably 1000 of them
> > running within 5 miles of you, unless you live in the sticks that is.
> >
> > So slap me.
>
> I'll slap you if you don't give me a link so that I may broaden my
> understanding of why anyone would want a router without NAT.... :D

Ref design for large scale router networks (cisco)
http://www.cisco.com/univercd/cc/td/doc/cisintwk/idg4/nd2003.htm

lots more stuff there if you want to follow this up.

>
> --
> Jenkinson's Law:
> It won't work.
--
Regards

Stephen Hope - remove xx from email to reply
 
Guest

On Wed, 07 Apr 2004 11:42:58 -0600, NeoSadist <neosad1st@charter.net>
wrote:
>Steevo@my-deja.com wrote:
>> Uh, Cisco has made hundreds of thousands of routers without NAT.
>> Everything pre IOS 11.3 had no NAT. There are probably 1000 of them
>> running within 5 miles of you, unless you live in the sticks that is.
>>
>> So slap me.
>
>I'll slap you if you don't give me a link so that I may broaden my
>understanding of why anyone would want a router without NAT.... :D

NAT is a new-fangled idea. Not needed until they got so cheap with
IPs.
 
Guest

>> Nope. A router only does NAT (network address translation). Some people
>> classify NAT as a firewall, but it's not in my opinion. It's simply how a
>> router routes packets from external IP's (internet) to internal IP's (LAN).

Neo:

Router and NAT are two different concepts.
Router: does routing between two subnets via DA (destination address) and a
route table (OSI layer 3 only).
NAT as we use it: does one-to-many address translation via matching to a
port table (OSI layers 3 & 4).

And a stateless firewall: does packet filtering via packet header values
(OSI layers 3 & 4).

The problem is liberal usage of the word "router".

My Netgear RT314 "router" provides the functionality of all of the
following:
Router
NAT
Inbound and outbound stateless firewall rules on both interfaces

Note that I have used the RT314 with NAT disabled and it works as a basic
router, it allows communication between two subnets.
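
The three functions separated in the post above, together with the default-deny versus default-allow distinction raised earlier in the thread, as an added Python illustration that is not part of any poster's message. The class names, addresses, ports and rule set are constructed for this example, and the NAT model is deliberately minimal (it matches inbound packets on port and protocol only).

```python
# Added illustration; every address, port and rule here is a constructed sample.
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport proto")

class Router:
    """Layer 3 only: longest-prefix match of the destination address on a route table."""
    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(net), hop) for net, hop in routes]
    def next_hop(self, pkt):
        dst = ipaddress.ip_address(pkt.dst)
        hits = [(net.prefixlen, hop) for net, hop in self.routes if dst in net]
        return max(hits)[1] if hits else None

class Nat:
    """One-to-many translation (layers 3 and 4) driven by a port table."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port, self.table = public_ip, first_port, {}
    def outbound(self, pkt):
        # Any inside host, any destination: a mapping is always created, nothing is refused.
        key = (pkt.proto, pkt.src, pkt.sport)
        port = next((p for p, v in self.table.items() if v == key), None)
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[port] = key
        return pkt._replace(src=self.public_ip, sport=port)
    def inbound(self, pkt):
        # Delivered only if the port table has an entry; this is a lookup miss, not a policy.
        entry = self.table.get(pkt.dport)
        if entry is None or entry[0] != pkt.proto:
            return None
        return pkt._replace(dst=entry[1], dport=entry[2])

class StatelessFilter:
    """Header-only filtering (layers 3 and 4): first matching rule wins, else the default."""
    def __init__(self, rules, default):
        self.rules, self.default = rules, default
    def decide(self, direction, pkt):
        for r_dir, proto, dport, action in self.rules:
            if (r_dir, proto) == (direction, pkt.proto) and dport in (None, pkt.dport):
                return action
        return self.default

def demo():
    odd = Packet("192.168.1.10", 5000, "198.51.100.7", 6667, "tcp")  # outbound, unlisted port
    web_only = StatelessFilter([("out", "tcp", 80, "allow"), ("out", "tcp", 443, "allow")], "deny")
    # NAT translates the packet without question; the default-deny rule set drops it.
    return Nat("203.0.113.5").outbound(odd), web_only.decide("out", odd)
```
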
 
Guest

In article <r9n970po5q06m5jtktjrnpljhdmah78pif@4ax.com>,
steevo@my-deja.com says...
> On Wed, 07 Apr 2004 11:42:58 -0600, NeoSadist <neosad1st@charter.net>
> wrote:
> >Steevo@my-deja.com wrote:
> >> Uh, Cisco has made hundreds of thousands of routers without NAT.
> >> Everything pre IOS 11.3 had no NAT. There are probably 1000 of them
> >> running within 5 miles of you, unless you live in the sticks that is.
> >>
> >> So slap me.
> >
> >I'll slap you if you don't give me a link so that I may broaden my
> >understanding of why anyone would want a router without NAT.... :D
>
> NAT is a new-fangled idea. Not needed until they got so cheap with
> IPs.

It's been around for a LONG time. No one is getting "cheap" with IP's,
just having to ration them out to people that really need them instead
of people that just like the idea of having a full class-c subnet for
fun. A basic T1 still comes with 64 IP without justification in most
parts of the US.

NAT makes managing a company network a lot easier and safer if
implemented correctly too.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 

Mike

Apr 1, 2004

"NeoSadist" <neosad1st@charter.net> wrote in message
news:1077c0l4vjvo98d@corp.supernews.com...
>
> No, NAT is how they work, Router is what the object is. I'd slap someone if
> they told me they had a "NAT router". I'd be like "DUH!" A router without
> NAT, how would that work? lol.

It would work a bit like a router not using Network Address Translation
ROFL!. The ethernet interface has the same ip address(es) as the WAN
interface. Not uncommon.