Networking noob here. I want to prevent all incoming requests except through a specific port, and that traffic is forwarded to a specific device on the network. NAT seems to do that just fine, it’s almost like a kind of firewall by itself. What kind of threats are there that requires more than just NAT for security?

    • cron@feddit.de
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      10 months ago

      This is true and typically called “Next Generation Firewall” or “Intrusion Prevention System”.

      However, these have three disadvantages:

      • They rely on signatures and many vendors only provide these with an active, costly subscription
      • They add complexity and possible error sources and false positives.
      • They require processing power and can easily reduce throughput by 90%.

      These systems are quite common in enterprise scenarios, but AFAIK the exception in home labs and selfhosting environments.