Ingress firewall and NAT

Comments

3 comments

  • Firewalla

    This is really the topic of "is NAT a firewall":

    1. Primary Purpose of NAT:

    • NAT was originally designed to conserve IPv4 addresses by allowing multiple devices on a local network to share a single public IP address. It translates private IP addresses to a public one for outbound traffic and vice versa for inbound traffic.
    • Its primary function is not security; instead, it’s about address management.

    2. Implicit Security:

    • NAT does provide some level of security by obscuring internal IP addresses from external networks. Devices on the local network are not directly accessible from the outside unless port forwarding or similar techniques are used.
    • This has a side effect of preventing unsolicited inbound connections, which is why it’s sometimes seen as a "poor man’s firewall."

    3. Lack of Comprehensive Protection:

    • Unlike a proper firewall, NAT does not inspect traffic content, enforce security policies, or block specific types of malicious traffic. It simply translates IP addresses and ports, which provides only minimal protection.
    • A dedicated firewall can filter traffic based on content, stateful inspection, intrusion detection, and prevention systems, among other features that NAT lacks.

    4. Security Vulnerabilities:

    • Relying solely on NAT for security leaves the network vulnerable to various attacks, such as spoofing or man-in-the-middle attacks, because it doesn’t provide comprehensive traffic filtering or monitoring.
    • It also doesn't protect against internal threats or sophisticated attacks that exploit application-level vulnerabilities.

    5. False Sense of Security:

    • NAT can create a false sense of security for users who may assume their network is protected just because NAT is in place, while in reality, they lack the deeper protections that a proper firewall offers.
  • Benjamin Oakham

    Thank you, that all makes sense, but specifically the Firewalla ingress firewall rule which is essentially “block all inbound traffic” doesn’t seem like it’s doing any detailed packet inspection, so it doesn’t seem like it would detect anything that wouldn’t be inherently blocked by the NAT?

  • Firewalla

    The Ingress firewall is a "firewall" with a default blocking behavior, and it is stateful, so it will allow any egress-triggered ingress traffic to come back. There is "NO" need to apply any inspection because the traffic is blocked (and also recorded).

    In case you do allow traffic to come into your network, then the IDS/IPS will kick in. You can learn more about this here https://help.firewalla.com/hc/en-us/articles/360049856394-How-to-Secure-Your-Network-with-Firewalla-Part-3-Protect

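To make the distinction drawn in the thread concrete, here is an added toy model of a NAT gateway with and without a stateful, default-deny ingress filter. It is illustration code written for this page, not Firewalla's implementation; the addresses (RFC 5737 documentation ranges), ports, the port-forward and the NAT behaviour are constructed assumptions. The NAT is modelled as endpoint-independent ("full cone" in RFC 4787 terms), which is one common behaviour; real NATs differ in how strictly they filter inbound packets to a mapped port, and the example does not model the gateway's own services.

```python
"""Toy model: NAT gateway with and without a stateful default-deny ingress filter.

Added example for this thread, not Firewalla code. All addresses, ports and
flows below are constructed. The NAT is modelled as endpoint-independent
("full cone"): any remote host may send to a mapped public port. A stateful
filter instead requires the full reverse 5-tuple of a flow the LAN opened.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


PUBLIC_IP = "203.0.113.10"                 # gateway WAN address (constructed)
LAN_CLIENT, LAN_SERVER = "192.168.1.20", "192.168.1.30"
REMOTE, ATTACKER = "198.51.100.5", "198.51.100.77"


class Gateway:
    def __init__(self, ingress_firewall, port_forwards=None, allow_rules=None):
        self.ingress_firewall = ingress_firewall        # default-deny ingress filter on/off
        self.port_forwards = dict(port_forwards or {})  # public port -> (lan ip, lan port)
        self.allow_rules = set(allow_rules or ())       # (lan ip, lan port) explicitly opened
        self.mapping = {}        # NAT table: (lan ip, lan port) -> public port
        self.conntrack = set()   # flows opened from the LAN: (lan ip, lan port, remote ip, remote port)
        self.next_port = 40000
        self.log = []            # (reason, packet) for every inbound packet not delivered

    def egress(self, pkt):
        """LAN -> WAN: allocate or reuse a public port and record the flow state."""
        key = (pkt.src, pkt.sport)
        if key not in self.mapping:
            self.mapping[key] = self.next_port
            self.next_port += 1
        self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return Packet(PUBLIC_IP, self.mapping[key], pkt.dst, pkt.dport)

    def ingress(self, pkt):
        """WAN -> LAN: translate first, then filter. Returns the delivered packet or None."""
        inner = self._translate(pkt)
        if not self.ingress_firewall:
            if inner is None:
                # NAT alone: no mapping means no LAN host to deliver to. This is the
                # whole of NAT's "protection"; anything that translates gets through.
                self.log.append(("no-nat-mapping", pkt))
            return inner
        if inner is None:
            self.log.append(("ingress-default-drop", pkt))   # hits the gateway's own input chain
            return None
        return self._filter(inner)

    def _translate(self, pkt):
        if pkt.dport in self.port_forwards:
            lan_ip, lan_port = self.port_forwards[pkt.dport]
            return Packet(pkt.src, pkt.sport, lan_ip, lan_port)
        for (lan_ip, lan_port), pub_port in self.mapping.items():
            if pub_port == pkt.dport:                     # endpoint-independent: any source matches
                return Packet(pkt.src, pkt.sport, lan_ip, lan_port)
        return None

    def _filter(self, inner):
        """Stateful default-deny: accept return traffic of a LAN-opened flow or an
        explicitly allowed service; log and drop everything else."""
        if (inner.dst, inner.dport, inner.src, inner.sport) in self.conntrack:
            return inner                                  # ct state established
        if (inner.dst, inner.dport) in self.allow_rules:
            return inner                                  # explicit allow; IDS/IPS would apply here
        self.log.append(("ingress-default-drop", inner))
        return None


def run(ingress_firewall, allow_server=False):
    """Drive one gateway through four inbound cases and report what was delivered."""
    gw = Gateway(ingress_firewall,
                 port_forwards={8080: (LAN_SERVER, 80)},
                 allow_rules={(LAN_SERVER, 80)} if allow_server else None)
    out = gw.egress(Packet(LAN_CLIENT, 51000, REMOTE, 443))          # LAN client opens HTTPS
    reply = gw.ingress(Packet(REMOTE, 443, PUBLIC_IP, out.sport))    # genuine return traffic
    spoof = gw.ingress(Packet(ATTACKER, 443, PUBLIC_IP, out.sport))  # other host, same mapped port
    unsolicited = gw.ingress(Packet(ATTACKER, 33333, PUBLIC_IP, 22)) # nothing listening/mapped
    forwarded = gw.ingress(Packet(ATTACKER, 33334, PUBLIC_IP, 8080)) # through the port forward
    return {
        "reply_delivered": reply is not None,
        "spoofed_reply_delivered": spoof is not None,
        "unsolicited_delivered": unsolicited is not None,
        "forwarded_delivered": forwarded is not None,
        "drop_reasons": [reason for reason, _ in gw.log],
    }


if __name__ == "__main__":
    for label, result in (("NAT only", run(False)), ("NAT + ingress firewall", run(True)),
                          ("NAT + ingress firewall + allow :80", run(True, allow_server=True))):
        print(label, result)
```

With NAT only, the genuine reply, the spoofed packet to the mapped port and the port-forwarded probe are all delivered, and only the probe to an unmapped port is lost. With the stateful filter on, the reply is still delivered, while the other three are dropped and every drop is recorded; opening the forwarded service with an explicit allow rule is the point at which deeper inspection would need to take over. On a Linux gateway the equivalent policy is an input/forward chain with `ct state established,related accept` followed by a logging drop rule as the default.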
