Ben,
My company has introduced a product very similar to what you have
described in this post.
The URL is: http://www.mfilter.net
Thought you might be interested.
Rusty
Ben Nagy wrote:
>
> > -----Original Message-----
> > From: Reckhard, Tobias [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, 23 February 2001 3:56
> > To: Firewalls Mailing List (E-mail)
> > Subject: RE: To NAT or not to NAT?
> >
> >
> > Cheers, Ben. <raises glass>
> >
> > > > NAT definitely does not add *fine* security. IMHO, it doesn't
> > > > help you any more than a stateful packet filter.
> > >
> > > I'd argue that, in theory, it also doesn't help you any less. I'm
> > > more or less happy to use just NAT for low threat sites. I usually
> > > configure filtering rules as well, but they're only there to keep me
> > > in the habit.
> > >
> > True, to perform NAT you need to do the same as in a stateful packet
> > filter, so they're pretty much equal in potential protection. However,
> > what is more important than the technology itself is how it is
> > implemented. [...] I would still place filtering rules on the outside
> > interface, no matter what. Maybe that's overdoing it, I dunno, but it
> > makes me feel better--is that already on the same level as the warm
> > fuzzies the pointy-heads get?
>
> I must admit, I always filter as well. I should probably qualify my own NAT
> opinions - I've only ever used Cisco NAT. It's still vaguely buggy in some
> areas, but they've been doing NAT for a DAMN long time now, and I'm pretty
> happy with it overall.
>
> > And I am rather suspicious that the post that set this thread off is
> > talking about a "NAT as the only form of security" approach, with a
> > configuration of the sort I describe above.
>
> "Anything out" is a reasonable security posture for lots of places - for
> example, I think IT businesses with a consulting arm etc should have that
> sort of policy, with internal firewalls to protect critical bits. We don't,
> for example, and it sucks pretty badly when I need to test things.
>
> [...]
> > Add to that that ALGs are often written with security in mind, while
> > that can't be said of NATs,
>
> Depends on the implementation, I guess. I agree that many NAT devices aren't
> necessarily security focussed.
>
> [...]
> > I don't generally favour the one-box solution, so I try to design
> > firewall systems with choke routers (aka packet filters) and separate
> > ALGs (on 'hardened' hosts with packet filtering, etc. in place) in one
> > or more DMZs.
>
> Yeah - that's my favourite architecture as well. Too bad it's not a
> "commercial reality" for many places. The only way you can build decent,
> multi-box systems at the moment is with free software, and the lack of
> support rules it out for too many enterprises. Single person support, or
> even single-large-organisation is not enough to hang a business on (they
> claim).
>
> Have I ranted recently about how I want someone to pony up VC for a company
> that packages best-of-breed open source solutions and teams it with real
> support? Maybe we can buy djb, Darren Reed and Theo. ;)
>
> I can see it now... A few nice 1RU servers, whack in a few DMZs, have a nice
> security zone model, djbdns, postfix, some bridge-mode snort sensors,
> ipfilter to taste - we can even throw in Paul Robertson's idea about running
> all HTTP access as VNC sessions to a hardened browsing host to stop HTTP
> trojans. Then we support it all with a high level policy language and an
> object-modelled control paradigm, running over OpenSSH links for external
> support and monitoring.
>
> Wait - I'm dreaming at work again!
>
> Oh, I should toss in a "really, really NOT the opinions of my employer"
> disclaimer about here. ;)
>
> > This may be overkill for a small shop, in which case I'd probably use
> > OpenBSD or Linux on an x86 platform and use packet filtering in
> > conjunction with ALGs.
>
> I will not use Linux for anything to do with security. OpenBSD for me -
> FreeBSD or Solaris in a pinch.
>
> [...]
> > > None of your arguments support your conclusion here, sorry. You may
> > > as well say that stateful filtering is a weak element of security.
> > >
> > > Of course, if you _are_ saying that, I apologise, and agree.
> > >
> > Well, I'm not saying that flat out. I am of the opinion that SPF/NAT
> > alone does not provide the level of security I prefer. [...] I may have
> > gone over the edge or at least rather close to it in my last post, but
> > this is the reason I advise against NAT as a (or often the only)
> > security measure when newbies ask about it.
>
> Fair enough. I think the only point I'd make (as I've said before) is that
> not everyone needs real security. As long as they have made an _informed_
> risk-based decision, I'm happy.
>
> >
> > > I'm not picking on you here,
> > >
> > And you don't sound it.
>
> Yeah, I'm being extra-nice for a while after I offended that Cisco chap a
> while back in the IPSec / NAT thread. >;)
>
> [...]
> >
> > In any case,.. um.., yeah, that's it.
> >
> > Tobias
>
> Cheers,
>
> --
> Ben Nagy
> Network Security Specialist
> Marconi Services Australia Pty Ltd
> Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
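The thread's central claim is that a dynamic NAT table is the same state a stateful packet filter keeps, so both drop unsolicited inbound traffic equally well, and that what actually matters is the implementation. The Python model below is an added illustration written for this page (not code from the list, Cisco, ipfilter or mfilter); the addresses, the port range and the "full cone" mode are assumptions made to show one way a NAT implementation can end up weaker than the filter it is supposed to equal.

```python
from dataclasses import dataclass, replace
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFilter:
    """'Anything out': outbound packets create flow state; inbound packets
    pass only as replies to a tracked flow."""
    def __init__(self):
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)
    def outbound(self, pkt):
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt
    def inbound(self, pkt):
        # A reply reverses the 4-tuple; anything else is unsolicited: dropped.
        return pkt if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows else None

class Nat(StatefulFilter):
    """Dynamic NAT: the translation table is itself flow state, so it protects
    like the filter above *if* it checks the remote peer. strict_peer=False
    models an assumed 'full cone' NAT that forwards anything sent to an
    allocated public port: same technology, weaker implementation."""
    def __init__(self, public_ip, strict_peer=True, first_port=40000):
        super().__init__()
        self.public_ip, self.strict_peer = public_ip, strict_peer
        self.next_port = first_port
        self.mapping = {}  # public port -> (inside_ip, inside_port, outside_ip, outside_port)
    def outbound(self, pkt):
        super().outbound(pkt)
        port, self.next_port = self.next_port, self.next_port + 1
        self.mapping[port] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return replace(pkt, src=self.public_ip, sport=port)
    def inbound(self, pkt):
        entry = self.mapping.get(pkt.dport) if pkt.dst == self.public_ip else None
        if entry is None:
            return None  # no mapping: dropped, exactly like the filter
        inside_ip, inside_port, outside_ip, outside_port = entry
        if self.strict_peer and (pkt.src, pkt.sport) != (outside_ip, outside_port):
            return None  # wrong peer for this mapping: dropped
        return replace(pkt, dst=inside_ip, dport=inside_port)

def unsolicited_passes(device):
    """Constructed scenario: one outbound web flow, then an inbound probe from a
    different host aimed at whatever source port the device presented."""
    out = device.outbound(Packet("10.0.0.5", 51000, "203.0.113.10", 80))
    probe = Packet("198.51.100.7", 4444, out.src, out.sport)
    return device.inbound(probe) is not None
```

With peer checking on, the NAT and the plain stateful filter reject the probe identically; with the full-cone behaviour the same NAT forwards it, which is the implementation gap that an explicit filter rule on the outside interface closes.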