NAT and firewalls

 
 
Ben
05-04-2006, 10:08 AM
I have a question about NAT routers.

What protection does a hardware NAT router provide for an internal network
against attacks from the outside world? (I mean without any firewall
software installed on any PCs, just using the router).

And if they do provide protection, then why do you need to install a
firewall on each machine on the internal network?

Currently I have a USB modem connection straight to my PC and use Windows
own firewall on the connection and am fine. But when I get a Voyager 2091
from BT, what extra protection, if any, do you think I might need?

Thanks.


 
Martin Underwood
05-04-2006, 11:42 AM
Ben wrote:

> I have a question about NAT routers.
>
> What protection does a hardware NAT router provide for an internal
> network against attacks from the outside world ? (I mean without any
> firewall software installed on any PCs, just using the router).
>
> And if they do provide protection, then why do you need to install a
> firewall on each machine on the internal network?
>
> Currently I have a USB modem connection straight to my PC and use
> Windows own firewall on the connection and am fine. But when I get a
> Voyager 2091 from BT, what extra protection, if any, do you think I
> might need?


As I understand it (and this will be a good test of my knowledge!), for a
normal home network, without your own web server that you make visible to
the world, the NAT capabilities of a router give very good incoming
protection: no traffic is allowed in unless it is in response to a request
from one of the PCs.

What you aren't protected against is outgoing traffic. Software firewalls
such as Norton maintain a list of applications that are permitted to access
the internet, and if a new app (which may be spyware) tries to contact the
internet, the firewall seeks your permission; if you say yes, then it has
unlimited access thereafter but if you say no then that app is blocked from
accessing the net.

I'd advise always having a software firewall on each PC - ideally something
like Norton or McAfee (Firewall+AV) but at the very least the free versions
of AVG (AV) and ZoneAlarm (FW).


 
MED
05-04-2006, 11:50 AM

"Ben" wrote:
>I have a question about NAT routers.
>
> What protection does a hardware NAT router provide for an internal network
> against attacks from the outside world ? (I mean without any firewall
> software installed on any PCs, just using the router).
>
> And if they do provide protection, then why do you need to install a
> firewall on each machine on the internal network?
>
> Currently I have a USB modem connection straight to my PC and use Windows
> own firewall on the connection and am fine. But when I get a Voyager 2091
> from BT, what extra protection, if any, do you think I might need?
>
> Thanks.

Hi,

A NAT router allows the use of one public IP address by many machines
configured with private IP addresses (in a one-to-many NAT config: there are
other types of NAT).

The routing table of a NAT router stores the outgoing connections, allowing
the corresponding response to reach the internal machine.

If you activate port forwarding on the NAT router (if supported), then
connections originating from the external network can be routed to the
internal machine hosting the desired service.

If you do not activate port forwarding on the NAT router, attacks (or simply
connections) from the external network will stop at the NAT router (as it is
this machine with the public IP address, and of course it is not possible to
connect to the private IP address of your internal machine directly from an
external source). If you have services running on the NAT router (e.g.
telnet) they will be available to the external network.

So, to get back to your original question, in a way, having a NAT router
without port forwarding, provides a lightweight firewall for your internal
machines because it is not possible to connect directly to them from the
external network. However it does not provide other functions of a fully
fledged firewall (internal/external protocol filtering, antivirus, proxy,
IDS etc.). Also, the NAT router itself may not be protected from attacks -
it depends on its own config.

Having a personal firewall on each machine will protect the machine from
attacks due to the user visiting a dodgy web site that exploits security
holes in IE or other such vulnerabilities.

Remember, a NAT router changes the source IP address in outgoing packets to
that of the public IP address of the NAT router, and stores this connection
so that it can listen for a reply, which it sends back to the original
machine. The NAT router will present services to the external network (e.g.
port 23), if configured, and will therefore be 'attackable'. It will not
allow connections originating on the external network to pass through to the
internal network, unless configured to do so (e.g. port forwarding).

Hope this helps.

Mike.
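
The behaviour described in the replies above, as a small model added here (it is not part of any poster's message and is not a real router's code). The `NatRouter` class, the addresses (documentation ranges) and the strict matching of replies on remote address and port are assumptions; real routers vary in how strictly they match.

```python
from dataclasses import dataclass, field

ROUTER_PUBLIC_IP = "203.0.113.10"  # constructed address (documentation range)

@dataclass
class NatRouter:
    public_ip: str
    port_forwards: dict = field(default_factory=dict)  # public port -> (LAN ip, LAN port)
    local_services: set = field(default_factory=set)   # ports the router itself listens on
    table: dict = field(default_factory=dict)          # (public port, remote ip, remote port) -> LAN endpoint
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """Rewrite the source to the public address and remember the connection."""
        public_port = self.next_port
        self.next_port += 1
        self.table[(public_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return (self.public_ip, public_port, remote_ip, remote_port)

    def inbound(self, remote_ip, remote_port, public_port):
        """Decide what happens to a packet arriving on the public side."""
        key = (public_port, remote_ip, remote_port)
        if key in self.table:                  # reply to a connection a PC started
            return ("reply", self.table[key])
        if public_port in self.port_forwards:  # explicitly configured forwarding
            return ("forwarded", self.port_forwards[public_port])
        if public_port in self.local_services: # service on the router itself
            return ("router-service", (self.public_ip, public_port))
        return ("dropped", None)               # nothing on the LAN is reachable

def demo():
    r = NatRouter(ROUTER_PUBLIC_IP)
    out = {}
    # A PC fetches a web page; the reply is matched and sent back to it.
    _, pport, _, _ = r.outbound("192.168.1.20", 51000, "198.51.100.7", 80)
    out["reply"] = r.inbound("198.51.100.7", 80, pport)
    # A different host aiming at the same public port has no table entry.
    out["other_host"] = r.inbound("198.51.100.99", 80, pport)
    out["unsolicited"] = r.inbound("198.51.100.99", 4444, 3389)
    # Port forwarding opens a path to one chosen internal machine.
    r.port_forwards[8080] = ("192.168.1.30", 80)
    out["forwarded"] = r.inbound("198.51.100.99", 4444, 8080)
    # Telnet enabled on the router is reachable from outside.
    r.local_services.add(23)
    out["telnet"] = r.inbound("198.51.100.99", 4444, 23)
    # Outbound traffic from any program on a PC is translated without question.
    out["outbound_any"] = r.outbound("192.168.1.20", 51001, "198.51.100.66", 6667)
    return out
```

The last case is why the thread recommends a per-machine firewall as well: the router creates a mapping for every outbound connection, whichever program on the PC opened it.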





 
Conor
05-04-2006, 11:50 AM
Ben says...
> I have a question about NAT routers.
>
> What protection does a hardware NAT router provide for an internal network
> against attacks from the outside world ? (I mean without any firewall
> software installed on any PCs, just using the router).
>

All inbound ports are blocked as default, i.e. a computer on the
internet cannot "initiate" a connection to any PC on the LAN. To enable
an inbound port for a service you need to manually configure it,
listing the specific IP address of the PC that inbound connections for
a specific port are to be directed to.


> And if they do provide protection, then why do you need to install a
> firewall on each machine on the internal network?
>

To stop outbound connections from malware.

> Currently I have a USB modem connection straight to my PC and use Windows
> own firewall on the connection and am fine. But when I get a Voyager 2091
> from BT, what extra protection, if any, do you think I might need?
>

Probably none apart from common sense. I'm just using Windows Firewall
and get a clean bill of health with Spyware/AV scans.


--
Conor,

Same shit, different day.
 
Mike Scott
05-04-2006, 12:30 PM
Martin Underwood wrote:
....
>
> What you aren't protected against is outgoing traffic. Software firewalls
> such as Norton maintain a list of applications that are permitted to access
> the internet, and if a new app (which may be spyware) tries to contact the
> internet, the firewall seeks your permission; if you say yes, then it has
> unlimited access thereafter but if you say no then that app is blocked from
> accessing the net.


OTOH if your machine is compromised in this way, there's little in
principle to prevent the rogue software from authorizing itself to the
firewall, or indeed totally disabling the firewall. You'd never know.

IMO there's nothing to beat a dedicated router/firewall box separate
from your desktop machine.

--
Please use the corrected version of the address below for replies.
Replies to the header address will be junked, as will mail from
various domains listed at www.scottsonline.org.uk
Mike Scott Harlow Essex England.(unet -a-t- scottsonline.org.uk)
 
Ben
05-04-2006, 08:59 PM
Thanks for taking the time to explain, everyone, really helped.

"MED" wrote:
>
> "Ben" wrote:
>>I have a question about NAT routers.
>>
>> What protection does a hardware NAT router provide for an internal
>> network against attacks from the outside world ? (I mean without any
>> firewall software installed on any PCs, just using the router).
>>
>> And if they do provide protection, then why do you need to install a
>> firewall on each machine on the internal network?
>>
>> Currently I have a USB modem connection straight to my PC and use Windows
>> own firewall on the connection and am fine. But when I get a Voyager 2091
>> from BT, what extra protection, if any, do you think I might need?
>>
>> Thanks.

> Hi,
>
> A NAT router allows the use of one public IP address by many machines
> configured with private IP addresses (in a one-to-many NAT config: there
> are other types of NAT).
>
> The routing table of a NAT router stores the outgoing connections,
> allowing the corresponding response to reach the internal machine.
>
> If you activate port forwarding on the NAT router (if supported), then
> connections originating from the external network can be routed to the
> internal machine hosting the desired service.
>
> If you do not activate port forwarding on the NAT router, attacks (or
> simply connections) from the external network will stop at the NAT router
> (as it is this machine with the public IP address, and of course it is not
> possible to connect to the private IP address of your internal machine
> directly from an external source). If you have services running on the
> NAT router (e.g. telnet) they will be available to the external network.
>
> So, to get back to your original question, in a way, having a NAT router
> without port forwarding, provides a lightweight firewall for your internal
> machines because it is not possible to connect directly to them from the
> external network. However it does not provide other functions of a fully
> fledged firewall (internal/external protocol filtering, antivirus, proxy,
> IDS etc.). Also, the NAT router itself may not be protected from
> attacks - it depends on its own config.
>
> Having a personal firewall on each machine will protect the machine from
> attacks due to the user visiting a dodgy web site that exploits security
> holes in IE or other such vulnerabilities.
>
> Remember, a NAT router changes the source IP address in outgoing packets
> to that of the public IP address of the NAT router, and stores this
> connection so that it can listen for a reply, which it sends back to the
> original machine. The NAT router will present services to the external
> network (e.g. port 23), if configured, and will therefore be 'attackable'.
> It will not allow connections originating on the external network to pass
> through to the internal network, unless configured to do so (e.g. port
> forwarding).
>
> Hope this helps.
>
> Mike.



 
Alan Walker
05-04-2006, 09:42 PM
Mike Scott wrote:
> Martin Underwood wrote:
> ...
>>
>> What you aren't protected against is outgoing traffic. Software
>> firewalls such as Norton maintain a list of applications that are
>> permitted to access the internet, and if a new app (which may be
>> spyware) tries to contact the internet, the firewall seeks your
>> permission; if you say yes, then it has unlimited access thereafter
>> but if you say no then that app is blocked from accessing the net.

>
> OTOH if your machine is compromised in this way, there's little in
> principle to prevent the rogue software from authorizing itself to the
> firewall, or indeed totally disabling the firewall. You'd never know.
>
> IMO there's nothing to beat a dedicated router/firewall box separate
> from your desktop machine.


Smoothwall Express is free, runs on old hardware and is easy to configure
and maintain.

--

Alan


 
Rob Morley
05-05-2006, 01:50 AM
Mike Scott wrote:
> Martin Underwood wrote:
> ...
> >
> > What you aren't protected against is outgoing traffic. Software firewalls
> > such as Norton maintain a list of applications that are permitted to access
> > the internet, and if a new app (which may be spyware) tries to contact the
> > internet, the firewall seeks your permission; if you say yes, then it has
> > unlimited access thereafter but if you say no then that app is blocked from
> > accessing the net.

>
> OTOH if your machine is compromised in this way, there's little in
> principle to prevent the rogue software from authorizing itself to the
> firewall, or indeed totally disabling the firewall. You'd never know.
>
> IMO there's nothing to beat a dedicated router/firewall box separate
> from your desktop machine.
>
>

You want both - a dedicated firewall can't handle application-based
outbound filtering, but is more effective for perimeter protection.
 