On 22 Jul 99, at 11:55, Ludovic d'Anchald wrote:
> And what about "NAT" (Network Address Translation) ? In our Company, we
> use WinRoute, which is a rather cheap and efficient way to share an
> Internet connection (actually, it makes the PC a router I guess), and it
> does perform NAT, and as far as I remember, I have read somewhere NAT
> makes a firewall obsolete, with a *much* easier administration. True ?
NAT and "firewall" (some approaches, anyway) are both optional features
which may be included on a "router". They're largely orthogonal -- I would
be extremely suspicious of any claim that one makes the other obsolete.
Your comment above was a response to my suggestion that in a *business*
network, an actual dedicated firewall machine would be a good idea.
Depending on capacity and features, could a business get by with something
like WinRoute instead?
The view amongst computer security professionals is pretty solidly "no".
For the detailed reasoning, I recommend Cheswick and Bellovin's "Firewalls
and Internet Security", but the short version is that anything else that is
on the machine that you're relying on as a firewall/router (a) may not be
properly protected by those functions of the machine, and (b) may expose
vulnerabilities which allow an intruder to disable or bypass the protections
those functions were supposed to give the rest of your network.
So a solution like WinRoute will be criticized because (a) users will be
tempted to run other stuff -- web server, mail server, even use as a
workstation -- on the WinRoute machine, and (b) even if you don't do any of
that, you've got a fairly complete installation of Windows itself on there.
[Using NT would help somewhat.]
WinRoute and its competitors make it possible to share an Internet
connection (and a single IP address!) with an entire LAN, without having to
learn a whole lot of new technology; this is certainly useful. But these
products are not really designed to protect your LAN from intruders, and
simply concealing some details of your LAN configuration is no substitute for
actual filtering of inappropriate traffic.
David G
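The distinction David draws above (address translation versus actual filtering) can be made concrete with a small model. The following is an added example, not code from the original message and not WinRoute's or any real router's code. It assumes an endpoint-independent ("full cone") NAT, i.e. one that forwards any external packet arriving at a mapped public port to the internal host that opened the mapping; the addresses are constructed from documentation ranges, and the filter is a hypothetical default-deny stateful filter placed in front of the NAT. The point it shows: a NAT drops packets to ports it has no mapping for (the "concealment"), but once a LAN host has opened a mapping, anyone on the Internet can reach that host through it unless something is actually filtering by source and connection state.

```python
"""Toy model of a NAT router with and without a stateful packet filter.

Added example (not from the original post or from WinRoute). Models an
endpoint-independent NAT: once an internal host opens an outbound
mapping, ANY external host sending to the mapped public port is forwarded
to that internal host. A default-deny stateful filter decides what may enter.
"""
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges / RFC 1918 LAN).
PUBLIC_IP = "203.0.113.1"
LAN_HOST = "192.168.1.10"
DNS_SERVER = "198.51.100.53"
ATTACKER = "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Port-translating NAT: maps (lan_ip, lan_port) <-> public port."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (lan_ip, lan_port) -> public_port
        self.in_map = {}    # public_port -> (lan_ip, lan_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a LAN packet's source to the public IP and a mapped port."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.out_map[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Forward to the LAN if a mapping exists for the destination port.
        Endpoint-independent: the external source address is NOT checked."""
        target = self.in_map.get(pkt.dst_port)
        if target is None:
            return None          # no mapping: nothing to translate to, packet dies
        lan_ip, lan_port = target
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)


class StatefulFilter:
    """Hypothetical default-deny inbound filter: admits only replies to
    outbound flows the filter has already seen."""

    def __init__(self):
        self.flows = set()  # (lan_ip, lan_port, remote_ip, remote_port)

    def note_outbound(self, pkt: Packet) -> None:
        self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))

    def permit_inbound(self, translated: Packet) -> bool:
        """Accept only the reverse direction of a known outbound flow."""
        return (translated.dst_ip, translated.dst_port,
                translated.src_ip, translated.src_port) in self.flows


def run_scenario(with_filter: bool) -> dict:
    """A LAN host sends a DNS query; then the genuine reply, an unsolicited
    packet from another host aimed at the same mapped port, and a packet to
    an unmapped port all arrive at the public address."""
    nat = Nat(PUBLIC_IP)
    filt = StatefulFilter()
    query = Packet(LAN_HOST, 51000, DNS_SERVER, 53)
    on_wire = nat.outbound(query)
    filt.note_outbound(query)

    def deliver(pkt: Packet):
        translated = nat.inbound(pkt)
        if translated is None:
            return None
        if with_filter and not filt.permit_inbound(translated):
            return None
        return translated

    reply = Packet(DNS_SERVER, 53, PUBLIC_IP, on_wire.src_port)
    probe = Packet(ATTACKER, 31337, PUBLIC_IP, on_wire.src_port)
    unmapped = Packet(ATTACKER, 31337, PUBLIC_IP, on_wire.src_port + 1)
    return {
        "reply_delivered": deliver(reply) is not None,
        "probe_delivered": deliver(probe) is not None,
        "unmapped_delivered": deliver(unmapped) is not None,
    }


if __name__ == "__main__":
    print("NAT only:        ", run_scenario(with_filter=False))
    print("NAT plus filter: ", run_scenario(with_filter=True))
```

With NAT alone, the unmapped probe is dropped (the address-hiding effect people mistake for a firewall), but the probe aimed at the live mapping reaches the LAN host just as the DNS reply does. Adding the stateful filter leaves the reply intact and drops the probe, which is the "actual filtering of inappropriate traffic" the message refers to. Real NAT implementations vary in how restrictive their mappings are; the model's behaviour is an assumption, not a description of any particular product.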
PCSOFT mailing list is brought to you by:
The NOSPIN Group, Inc.
http://nospin.com - http://nospin.org