Thursday, April 3, 2008

Firewall and NAT using the same rule base vs. different rule bases?

Many SMB security devices combine firewall and NAT in one rule base. That is, a firewall rule itself can be configured with NAT settings. I feel this is fine when you have a small number of rules. In an Enterprise environment, having two rule bases provides very good flexibility.

NAT and firewalling are two different functions. The firewall rule base is mainly meant for providing access control between different networks, machines and services. SNAT is mainly meant for providing Internet access to many computers using a smaller number of public IP addresses, and also to hide internal IP addressing from the outside world; DNAT is meant for providing access from the Internet to servers on a private network.

The granularity of firewall rules is very high. At times, firewall rules are created for a single IP address or a single service. Firewall rules are also activated upon user login. If the NAT configuration is part of the firewall rule, then it needs to be duplicated many times across the firewall rule base.

The granularity of NAT rules is very low; typically it is at the network level. So the number of NAT rules is small, and they can be managed independently.

There is another advantage to having independent rule bases: role-based management. In many Enterprises, NAT configuration is treated as a network function, not a security function, while the firewall is considered a security function. Organizations with different personnel for security and network administration find the separation convenient.

Of course there is a small disadvantage to having two rule bases: connection-rate performance is typically lower than with a single rule base. Since the number of rules in the NAT rule base is small, this is not a big disadvantage.
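The two-rule-base layout argued for above, as an added example that is not part of the original post: a small, network-level NAT table beside a larger, host/service-level filter table, consulted in the order Linux netfilter uses (PREROUTING DNAT, then FORWARD filter, then POSTROUTING SNAT). The addresses are constructed from documentation ranges; note that because the filter runs after DNAT, the rule admitting traffic to the published server references its private address.

```python
# Model of the two-rule-base design: a small network-level NAT table and a
# large host/service-level filter table, consulted in netfilter's order.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

# Constructed addressing for the example (documentation ranges, not real hosts):
# 203.0.113.1 is the firewall's public address, 10.0.0.0/24 the internal LAN.
NAT_RULES = [  # (type, matched network, dport or None, translate-to)
    ("DNAT", "203.0.113.1/32", 443, "10.0.0.20"),  # publish one internal web server
    ("SNAT", "10.0.0.0/24", None, "203.0.113.1"),  # whole LAN shares one public IP
]
FILTER_RULES = [  # (src network, dst network, dport, verdict): one per host/service
    ("0.0.0.0/0", "10.0.0.20/32", 443, "ACCEPT"),  # runs after DNAT, so private IP
    ("10.0.0.0/24", "0.0.0.0/0", 80, "ACCEPT"),
    ("10.0.0.0/24", "0.0.0.0/0", 443, "ACCEPT"),
    ("10.0.0.5/32", "0.0.0.0/0", 22, "ACCEPT"),  # only one admin host may SSH out
]

def _in(addr, net):
    return ip_address(addr) in ip_network(net)

def dnat(pkt):  # PREROUTING: rewrite the destination of published services
    for kind, net, port, to in NAT_RULES:
        if kind == "DNAT" and _in(pkt.dst, net) and port == pkt.dport:
            return replace(pkt, dst=to)
    return pkt

def filter_verdict(pkt):  # FORWARD: first matching rule wins, default deny
    for src, dst, port, verdict in FILTER_RULES:
        if _in(pkt.src, src) and _in(pkt.dst, dst) and port == pkt.dport:
            return verdict
    return "DROP"

def snat(pkt):  # POSTROUTING: hide internal sources behind the public address
    for kind, net, port, to in NAT_RULES:
        if kind == "SNAT" and _in(pkt.src, net):
            return replace(pkt, src=to)
    return pkt

def forward(pkt):
    """Return (verdict, packet as it leaves the firewall) for a forwarded packet."""
    pkt = dnat(pkt)  # the filter sees the translated destination ...
    verdict = filter_verdict(pkt)  # ... but the real, pre-SNAT source
    return verdict, (snat(pkt) if verdict == "ACCEPT" else None)
```

Adding another internal host or service only grows FILTER_RULES; the two NAT entries stay as they are, which is the duplication the post wants to avoid.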

If I were the administrator, I would prefer security devices that implement these two functions in two different rule bases.
