NAT vs. Firewall

By jlewis(at)
Many clients are strictly using NAT in place of a firewall. What is the easiest way to explain to them that they should have a firewall in addition to NAT?

Different Functions

by Oldefar In reply to NAT vs. Firewall

Clients who think NAT suffices as a firewall have a misunderstanding of these two functions.

Think of NAT as the old mailroom at a corporation. Inbound packages coming to the corporate address are reviewed and the mailroom adds the recipient's cube number for inside delivery. Packages arriving without a valid recipient are simply discarded. Outbound packages pass through the mailroom to the appropriate letter carrier or shipper. NAT performs the same function with inbound and outbound packets.

Now add a security element to the mailroom. Inbound packages get run through an x-ray machine and bomb detection process. Contents are examined to ensure no harmful or prohibited items. The return address may be checked and if the package is from a particular address or location, it may be blocked. Having passed through security, the mailroom adds the recipient's cube number for inside delivery. Outbound packages are likewise run past security. Packages destined to certain addresses, or containing certain items, are blocked and returned to the inside sender. His manager receives a report as to what was blocked and why. This is the function a firewall performs on packets inbound and outbound to the company.

Very nice explanation

by LordInfidel In reply to Different Functions

I think I may have to borrow that one.

A step further.

NAT does offer some natural protection just based on its design. However, it does not prevent outbound security.

Also, NAT alone does not prevent ICMP floods, malformed packets, etc. A carefully crafted packet can traverse the NAT device and gain entrance into the network.

A filtering device is *always* needed, regardless of whether NAT is used or not.

I personally do not even give people the choice to decide.
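The distinction drawn in the two posts above, as a small Python model added here (it is not part of the original thread): NAT only rewrites addresses and discards inbound packets with no mapping, while a filter applies policy to outbound traffic and keeps a report. The class names, addresses (RFC 1918 and RFC 5737 documentation ranges) and the policy are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Nat:
    """The plain mailroom: address rewriting only, no inspection."""
    public_ip: str
    table: dict = field(default_factory=dict)  # public port -> (inside ip, inside port)
    next_port: int = 40000

    def outbound(self, p):
        # Every outbound packet is translated and forwarded; nothing is refused.
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (p.src, p.sport)
        return Packet(self.public_ip, port, p.dst, p.dport)

    def inbound(self, p):
        # No mapping means no valid recipient, so the packet is discarded.
        inside = self.table.get(p.dport)
        return Packet(p.src, p.sport, *inside) if inside else None

@dataclass
class Firewall:
    """The security desk: policy on destinations and ports, plus a report."""
    denied_dst: set
    allowed_dports: set
    report: list = field(default_factory=list)

    def permits(self, p):
        if p.dst in self.denied_dst or p.dport not in self.allowed_dports:
            self.report.append((p.src, p.dst, p.dport))  # what was blocked
            return False
        return True

def send_out(p, nat, fw=None):
    """Forward an inside packet; with fw=None the gateway is NAT-only."""
    if fw is not None and not fw.permits(p):
        return None
    return nat.outbound(p)

# Constructed sample: an inside host making a connection that policy forbids.
ODD = Packet("192.168.1.50", 51001, "203.0.113.66", 4444)

if __name__ == "__main__":
    print("NAT only      :", send_out(ODD, Nat("192.0.2.1")))
    print("NAT + firewall:", send_out(ODD, Nat("192.0.2.1"), Firewall({"203.0.113.66"}, {80, 443})))
```

With NAT alone the forbidden outbound connection is translated and forwarded, and its replies are then delivered back inside; with the filter in front it is dropped and recorded.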

Great posts guys

by TomSal In reply to Different Functions

Both Oldefar and LordInfidel (whose posts I have many times found very informative and helpful) -- excellent information.

One of the better series of posts I've seen on this forum in ages.

by colin In reply to NAT vs. Firewall

Good way of explaining it!!
