Differences in routers and some that preach better firewalls [Archive] - SpeedGuide.net Broadband Community



YeOldeStonecat
04-08-02, 10:37 AM
While I've played with and set up a lot of the basic routers, I'm not up on Cisco and other higher end routers as far as firewalls go...and better security.

The standard routers you see on this forum, such as Linksys, NetGear, etc etc etc...I know they have NAT...and I'm fairly familiar with NAT, port forwarding, etc....how with NAT your router's WAN IP is the only public interface.

What got me asking this question is, I see Nexland teamed up with Symantec...producing their new gateway/VPN product with a so-called "robust corporate firewall"......but after looking at it for a while....to me, it just appears to be a NAT firewall.

Then you see some others, like NetGear...the RO318 model or something like that...with DoS protection, filters, but again....what extra protection does it offer other than NAT?

I'm trying to find what better protection there is past a basic NAT router, while staying away from the plethora of problems software firewalls on each machine cause.

twwabw
04-08-02, 01:30 PM
One crucial difference is packet inspection. Many refer to it as Stateful Packet Inspection; some have their own proprietary packages to do much the same thing. While most also include NAT as a rudimentary first line of defense, SPI goes much further, examining each inbound packet. Here is an excellent description of SPI on SonicWalls, for instance:

SPI (http://www.ssimail.com/Stateful.htm)
Additionally, the devices will usually support triple DES encryption; have their own VPN solutions; content filters, etc.

The higher end units like this have real processors that can maintain sometimes thousands of concurrent connections, and maintain data flow without speed reduction due to the limitations of the device.

They really make your life as an admin simpler, and most also support detailed logging, which you can then monitor with apps like WebTrends.

cyberskye
04-08-02, 02:32 PM
I see Nexland teamed up with Symantec...producing their new gateway/VPN product with a so called "robust corporate firewall"

Hey YOSC. The main offering of the Pro Series from Nexland is the "unlimited concurrent VPN sessions", IPSEC or PPTP. This makes it very suitable for an entry point for telecommuters - though you still need a server to authenticate.

Like twwabw said, the SPI just maintains the state of all sessions. It is a greater degree of control than a simple NAT router. You would see a real difference if you are running public servers behind one. DoS attacks generally don't give you a headache if the router is set to drop ALL WAN requests.

If you are running a web server, you want people to be able to hit your port 80. With SPI, if an incoming LAND or other type of 'out-of-sequence' attack is sent, the FW knows that it is not really a legitimate reply and drops it. A simple NAT router would allow the packet to be passed to the web server, causing the web server to try and sync up with the attacker, causing an endless loop and (usually) a meltdown.

Have fun,

Skye
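Added example, not from this thread or from any of the products named in it: a toy Python model of the distinction twwabw and Skye describe, a NAT-only port forward beside a minimal stateful inspection engine, both run over the same constructed WAN packets. The addresses, ports, Packet fields and the session-state rules are assumptions made for the illustration.

```python
from collections import namedtuple

WEB_SERVER = "192.168.1.10"   # assumed LAN host behind the gateway
FORWARDED_PORTS = {80}        # WAN port 80 is forwarded to the web server
# flags is a frozenset of TCP flag names, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}
Packet = namedtuple("Packet", "src sport dst dport flags")

def nat_only(pkt):
    """NAT-only router: any WAN packet for a forwarded port is passed through."""
    return "forward" if pkt.dport in FORWARDED_PORTS else "drop"

class SPIFirewall:
    """Toy stateful inspection: each inbound packet must fit a tracked session."""
    def __init__(self):
        self.sessions = {}   # (src, sport, dst, dport) -> "SYN_RCVD" | "ESTABLISHED"

    def inspect(self, pkt):
        # A packet claiming to come from the host it is addressed to (LAND-style)
        # can never be a legitimate reply, so it is dropped before any state lookup.
        if pkt.src == pkt.dst:
            return "drop"
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        state = self.sessions.get(key)
        if state is None:
            # Only a bare SYN to a forwarded port may open a new session; an
            # unsolicited ACK/RST/FIN matches no known connection and is dropped.
            if pkt.flags == frozenset({"SYN"}) and pkt.dport in FORWARDED_PORTS:
                self.sessions[key] = "SYN_RCVD"
                return "forward"
            return "drop"
        if state == "SYN_RCVD" and "ACK" in pkt.flags:
            self.sessions[key] = "ESTABLISHED"   # client completed the handshake
        if pkt.flags & {"RST", "FIN"}:
            self.sessions.pop(key)               # simplified: stop tracking on teardown
        return "forward"

def compare(packets):
    """Run the same WAN packets through both devices; returns (NAT, SPI) verdicts."""
    spi = SPIFirewall()
    return [(nat_only(p), spi.inspect(p)) for p in packets]

# Constructed sample traffic: a genuine client handshake, an unsolicited ACK from
# an unknown host, and a spoofed SYN whose source is the web server's own address.
SAMPLE = [
    Packet("203.0.113.5", 40000, WEB_SERVER, 80, frozenset({"SYN"})),
    Packet("203.0.113.5", 40000, WEB_SERVER, 80, frozenset({"ACK"})),
    Packet("198.51.100.7", 5555, WEB_SERVER, 80, frozenset({"ACK"})),
    Packet(WEB_SERVER, 80, WEB_SERVER, 80, frozenset({"SYN"})),
]
```

Run `compare(SAMPLE)`: the NAT-only rule forwards all four packets to the server, while the stateful engine forwards only the two that belong to the real handshake.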