Networking noob here. I want to prevent all incoming requests except through a specific port, and that traffic is forwarded to a specific device on the network. NAT seems to do that just fine, it’s almost like a kind of firewall by itself. What kind of threats are there that requires more than just NAT for security?

  • cron@feddit.de
    link
    fedilink
    English
    arrow-up
    3
    ·
    edit-2
    8 months ago

    This is true and typically called “Next Generation Firewall” or “Intrusion Prevention System”.

    However, these have three disadvantages:

    • They rely on signatures and many vendors only provide these with an active, costly subscription
    • They add complexity and possible error sources and false positives.
    • They require processing power and can easily reduce throughput by 90%.

    These systems are quite common in enterprise scenarios, but AFAIK the exception in home labs and selfhosting environments.