Re: 56k dial up on laptop 802.11G ?



On Wed, 27 Jul 2005 20:17:11 GMT, Duane Arnold <notme@xxxxxxxxx>
wrote:

>And I agree to disagree here about NAT. NAT is not FW software.

Well, that depends on whether you subscribe to my definition of a
firewall. The way I understand the moving target definition, a
firewall is literally anything that defends your network against
external attack. It could be a guard dog that's trained to sniff
hostile packets and bark when they appear. Whatever works.

>By comparing the way NAT functions between two networks, and the way
>packet screening methods function between two networks, you can see that
>NAT does not adhere to the firewall definition.

Agreed, by your definition that's correct. However, I don't subscribe
to your definition of a firewall, which describes how a firewall
operates, without recognizing what a firewall does. It's a rather
fine distinction and subject to considerable creativity in
interpretation. However, I don't see any reason you couldn't be more
specific in the type of firewall by adding the appropriate qualifier.
    NAT firewall
    SPI firewall
    packet filter firewall
    bastion host firewall
    dual bastion host with DMZ firewall
    proxy server firewall
    barking guard dog sniffer firewall
Depending upon whom you ask, all or some of these are considered
"true" firewalls.

>NAT does not control
>access between the networks. Some may argue that NAT does control access
>because you cannot "see" the internal network. NAT does this not by using
>rules or filters, however, but through concealment. It hides the network
>from outside users.

That's what I was going to say. If you can't "see", "access", or
"hack" my LAN, it must have some kind of firewall protecting it. How
it does the job is irrelevant. It's still a firewall.

Actually, there's another problem. If an NAT firewall is not a real
firewall, what is it? To the best of my knowledge, there's no trade
name or function definition for NAT other than "NAT firewall". Did I
miss (or forget) one?

Incidentally, please cite the source if you're going to quote, borrow,
plagiarize, or paraphrase. I've seen far too many partial quotes
taken out of context.

>Packet filtering firewalls allow a direct connection to be made between
>the two endpoints.

Absolute baloney. There's nothing in a firewall that connects
anything. It's the router function that provides the end to end
connection. The firewall doesn't connect anything. There are purists
that will proclaim that NAT is an abomination because it breaks the
end to end connection definition required for "real" TCP/IP
networking. I don't subscribe to this exception, but you won't have
much trouble finding people that agree.

>Although this type of packet screening is configured
>to allow or deny traffic between two networks, the client/server model is
>never broken.

Right. Now, how does this differ *in* *FUNCTION* with an NAT
firewall? As far as I can determine, they serve exactly the same
purpose. Again, it really depends on whether you subscribe to my
functional definition. Apparently you do not.

>And I consider the FW appliance to outclass the packet filtering NAT
>router with SPI, because the FW appliance's architecture resembles the
>packet filtering router and dual-homed Gateway architectures and is able
>to look at a deeper level along with other things like actually breaking
>the client/server model between two end points, providing services etc.

I'll happily discuss the relative merits of various firewall
architectures if you want. However, that's not the current issue.
It's whether an NAT firewall is considered a "real" firewall and
whether the WRT54G is a "real" firewall. Floyd and I say they are and
you say they're not.

>However, I got nothing against NAT routers. They are a good first line of
>defense, until you start doing high risk things like port forwarding.

There's other ways of breaking NAT firewalls. Spoofing source
addresses that appear to be coming from inside the firewall are a good
start. Automatic port forwarding, as in Universal Plug-n-Play is
another fundamental security problem. Yeah, they're not the greatest
but it doesn't take much to make them secure enough for home use.

>There is something to be said about book and practical knowledge I use
>them both and I have been doing so since 1971 when I first entered the
>computer industry.

Well, I did battle with my first computah in about 1965 with the IBM
1620. I then graduated to the 7090 and 1140. When IBM wouldn't hire
me as a customer engineer, I switched to radio and didn't get back
into computahs until about 1976 with various timeshare services. The
first PC was an Apple ][, Apple III, TRS-80 (various models), Vic-20,
assorted S100 kludges, and finally, in 1981, I bought the first IBM PC
to be sold out the door at the Santa Clara Computerland. In 1983, I
celebrated getting fired from a job by declaring myself a consultant
simultaneously in RF and computers, which I've been doing through
today. There were a bunch of diversions in there, but they have
little to do with RF or computers.

>BTW, Linux is not the greatest thing since *Air, Water and Fire*. ;-)

What makes you think I'm a Linux fanatic? My forte is SCO Unix
OpenServer 5, ODT 3.2v4.2, and Xenix. I are not a programmist. I'm
doing Linux because it's a good fit for most of my customers, because
I'm greedy and can get it free, and because SCO did some really
politically incorrect things. If you dive into comp.unix.sco.misc,
you'll find quite a bit of my postings. I didn't even bother with
alternative firmware for the WRT54G until Floyd convinced me it was
worth my time trying and learning.


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831.336.2558 voice http://www.LearnByDestroying.com
# http://802.11junk.com
# jeffl@xxxxxxxxxxxxxxxxxxxxxx
# jeffl@xxxxxxxxxx AE6KS
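
[Added example, not part of the original post or of any router's firmware: a small Python model of the inbound decision the thread argues about, showing that a NAT router drops unsolicited traffic for lack of a mapping, that a port forward (static or UPnP-requested) accepts any remote, and that a WAN-side check for LAN source addresses handles the spoofing case. The class name, addresses, ports and the address-and-port-dependent matching are assumptions made for illustration; real routers differ.]

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")  # constructed LAN range

class NatRouter:
    """Hypothetical model of a home NAT router's WAN-side decisions."""

    def __init__(self, ingress_filter=True):
        self.ingress_filter = ingress_filter
        self.table = {}         # public port -> (lan_ip, lan_port, remote or None)
        self.next_port = 40000  # constructed start of the translated port range

    def outbound(self, lan_ip, lan_port, remote):
        """A LAN host opens a connection: create a mapping tied to that remote."""
        port = self.next_port
        self.next_port += 1
        self.table[port] = (lan_ip, lan_port, remote)
        return port

    def port_forward(self, public_port, lan_ip, lan_port):
        """Static or UPnP-requested forward: no remote is pinned, so anyone matches."""
        self.table[public_port] = (lan_ip, lan_port, None)

    def inbound(self, src_ip, src_port, dst_port):
        """Return the verdict for a packet arriving on the WAN interface."""
        if self.ingress_filter and ipaddress.ip_address(src_ip) in LAN:
            return "drop: LAN source address seen on WAN side"
        entry = self.table.get(dst_port)
        if entry is None:
            return "drop: no mapping"  # concealment: nothing to translate to
        lan_ip, lan_port, remote = entry
        if remote is not None and remote != (src_ip, src_port):
            return "drop: mapping belongs to another remote"
        return f"forward to {lan_ip}:{lan_port}"

if __name__ == "__main__":
    r = NatRouter()
    p = r.outbound("192.168.1.20", 51000, ("198.51.100.7", 443))
    print(r.inbound("198.51.100.7", 443, p))       # reply to our own connection
    print(r.inbound("198.51.100.99", 1234, 8080))  # unsolicited, no mapping
    r.port_forward(8080, "192.168.1.30", 80)
    print(r.inbound("198.51.100.99", 1234, 8080))  # forward admits any remote
    print(r.inbound("192.168.1.5", 1234, 8080))    # spoofed LAN source, dropped
```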