
NAT and firewalls



 
 
  #1  
Old May 4th 06, 11:08 AM posted to uk.comp.home-networking
Ben

I have a question about NAT routers.

What protection does a hardware NAT router provide for an internal network
against attacks from the outside world? (I mean without any firewall
software installed on any PCs, just using the router).

And if they do provide protection, then why do you need to install a
firewall on each machine on the internal network?

Currently I have a USB modem connection straight to my PC and use Windows'
own firewall on the connection and am fine. But when I get a Voyager 2091
from BT, what extra protection, if any, do you think I might need?

Thanks.


  #2  
Old May 4th 06, 12:50 PM posted to uk.comp.home-networking
MED


"Ben" wrote in message
...
> I have a question about NAT routers.
>
> What protection does a hardware NAT router provide for an internal network
> against attacks from the outside world ? (I mean without any firewall
> software installed on any PCs, just using the router).
>
> And if they do provide protection, then why do you need to install a
> firewall on each machine on the internal network?
>
> Currently I have a USB modem connection straight to my PC and use Windows
> own firewall on the connection and am fine. But when I get a Voyager 2091
> from BT, what extra protection, if any, do you think I might need?
>
> Thanks.

Hi,

A NAT router allows the use of one public IP address by many machines
configured with private IP addresses (in a one-to-many NAT config: there are
other types of NAT).

The routing table of a NAT router stores the outgoing connections, allowing
the corresponding response to reach the internal machine.

If you activate port forwarding on the NAT router (if supported), then
connections originating from the external network can be routed to the
internal machine hosting the desired service.

If you do not activate port forwarding on the NAT router, attacks (or simply
connections) from the external network will stop at the NAT router (as it is
this machine with the public IP address, and of course it is not possible to
connect to the private IP address of your internal machine directly from an
external source). If you have services running on the NAT router (e.g.
telnet) they will be available to the external network.

So, to get back to your original question, in a way, having a NAT router
without port forwarding, provides a lightweight firewall for your internal
machines because it is not possible to connect directly to them from the
external network. However it does not provide other functions of a fully
fledged firewall (internal/external protocol filtering, antivirus, proxy,
IDS etc.). Also, the NAT router itself may not be protected from attacks -
it depends on its own config.

Having a personal firewall on each machine will protect the machine from
attacks due to the user visiting a dodgy web site that exploits security
holes in IE or other such vulnerabilities.

Remember, a NAT router changes the source IP address in outgoing packets to
that of the public IP address of the NAT router, and stores this connection
so that it can listen for a reply, which it sends back to the original
machine. The NAT router will present services to the external network (e.g.
port 23), if configured, and will therefore be 'attackable'. It will not
allow connections originating on the external network to pass through to the
internal network, unless configured to do so (e.g. port forwarding).

Hope this helps.

Mike.
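
The translation-table behaviour described in the reply above, as an added Python sketch that is not part of the original thread. The addresses, ports and the `NatRouter` class are constructed for illustration, and the model assumes a reply is accepted only from the remote endpoint the LAN host contacted (real routers differ in how strictly they match).

```python
# Added illustration: toy model of a one-to-many NAT (NAPT) router.
# All addresses, ports and names are constructed for this example.
from itertools import count

class NatRouter:
    def __init__(self, public_ip, local_services=(), forwards=None):
        self.public_ip = public_ip
        self.local_services = set(local_services)  # ports the router itself listens on
        self.forwards = dict(forwards or {})       # public port -> (lan_ip, lan_port)
        self.table = {}                            # public port -> (lan_ip, lan_port, remote)
        self._ports = count(40000)                 # pool of public source ports

    def outbound(self, lan_ip, lan_port, remote):
        """LAN host opens a connection: rewrite the source, remember the mapping."""
        pub_port = next(self._ports)
        self.table[pub_port] = (lan_ip, lan_port, remote)
        return (self.public_ip, pub_port)          # source address the remote end sees

    def inbound(self, remote, dst_port):
        """Packet arrives on the public address: decide where it goes."""
        entry = self.table.get(dst_port)
        # Assumption: only the endpoint that was contacted may use the mapping.
        if entry and entry[2] == remote:
            return ("to_lan", entry[0], entry[1])
        if dst_port in self.forwards:              # explicit port forwarding
            return ("to_lan", *self.forwards[dst_port])
        if dst_port in self.local_services:        # service on the router itself
            return ("router_service", self.public_ip, dst_port)
        return ("dropped", None, None)             # unsolicited: no mapping exists

def demo():
    web = ("203.0.113.80", 80)           # remote server a LAN PC connects to
    outsider = ("198.51.100.7", 51515)   # unrelated external host
    r = NatRouter("192.0.2.1", local_services={23},
                  forwards={8080: ("192.168.1.20", 80)})
    src = r.outbound("192.168.1.10", 50123, web)
    return {
        "seen_by_server": src,                        # private address is hidden
        "reply": r.inbound(web, src[1]),              # matches the stored connection
        "unsolicited": r.inbound(outsider, 445),      # stops at the router
        "guessed_port": r.inbound(outsider, src[1]),  # wrong remote, no match
        "forwarded": r.inbound(outsider, 8080),       # passes only via port forward
        "router_telnet": r.inbound(outsider, 23),     # router's own service is exposed
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} {result}")
```

The last two cases are the ones worth auditing on a real router: every port-forward entry and every service the router itself exposes on its WAN side is reachable from outside regardless of the NAT table.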





  #3  
Old May 4th 06, 12:50 PM posted to uk.comp.home-networking
Conor

In article , Ben says...
> I have a question about NAT routers.
>
> What protection does a hardware NAT router provide for an internal network
> against attacks from the outside world ? (I mean without any firewall
> software installed on any PCs, just using the router).

All inbound ports are blocked as default, i.e. a computer on the
internet cannot "initiate" a connection to any PC on the LAN. To enable
an inbound port for a service you need to manually configure it,
listing the specific IP address of the PC that inbound connections for
a specific port are to be directed to.

> And if they do provide protection, then why do you need to install a
> firewall on each machine on the internal network?

To stop outbound connections from malware.

> Currently I have a USB modem connection straight to my PC and use Windows
> own firewall on the connection and am fine. But when I get a Voyager 2091
> from BT, what extra protection, if any, do you think I might need?

Probably none apart from common sense. I'm just using Windows Firewall
and get a clean bill of health with Spyware/AV scans.


--
Conor,

Same ****, different day.
  #4  
Old May 4th 06, 01:30 PM posted to uk.comp.home-networking
Mike Scott

Martin Underwood wrote:
....

> What you aren't protected against is outgoing traffic. Software firewalls
> such as Norton maintain a list of applications that are permitted to access
> the internet, and if a new app (which may be spyware) tries to contact the
> internet, the firewall seeks your permission; if you say yes, then it has
> unlimited access thereafter but if you say no then that app is blocked from
> accessing the net.


OTOH if your machine is compromised in this way, there's little in
principle to prevent the rogue software from authorizing itself to the
firewall, or indeed totally disabling the firewall. You'd never know.

IMO there's nothing to beat a dedicated router/firewall box separate
from your desktop machine.

--
Please use the corrected version of the address below for replies.
Replies to the header address will be junked, as will mail from
various domains listed at www.scottsonline.org.uk
Mike Scott Harlow Essex England.(unet -a-t- scottsonline.org.uk)
  #5  
Old May 4th 06, 09:59 PM posted to uk.comp.home-networking
Ben

Thanks for taking the time to explain, everyone, really helped.








  #6  
Old May 4th 06, 10:42 PM posted to uk.comp.home-networking
Alan Walker

Mike Scott wrote:
> Martin Underwood wrote:
> ...
>
>> What you aren't protected against is outgoing traffic. Software
>> firewalls such as Norton maintain a list of applications that are
>> permitted to access the internet, and if a new app (which may be
>> spyware) tries to contact the internet, the firewall seeks your
>> permission; if you say yes, then it has unlimited access thereafter
>> but if you say no then that app is blocked from accessing the net.
>
> OTOH if your machine is compromised in this way, there's little in
> principle to prevent the rogue software from authorizing itself to the
> firewall, or indeed totally disabling the firewall. You'd never know.
>
> IMO there's nothing to beat a dedicated router/firewall box separate
> from your desktop machine.


Smoothwall Express is free, runs on old hardware and is easy to configure
and maintain.

--

Alan


  #7  
Old May 5th 06, 02:50 AM posted to uk.comp.home-networking
Rob Morley

In article
Mike Scott wrote:
> Martin Underwood wrote:
> ...
>
>> What you aren't protected against is outgoing traffic. Software firewalls
>> such as Norton maintain a list of applications that are permitted to access
>> the internet, and if a new app (which may be spyware) tries to contact the
>> internet, the firewall seeks your permission; if you say yes, then it has
>> unlimited access thereafter but if you say no then that app is blocked from
>> accessing the net.
>
> OTOH if your machine is compromised in this way, there's little in
> principle to prevent the rogue software from authorizing itself to the
> firewall, or indeed totally disabling the firewall. You'd never know.
>
> IMO there's nothing to beat a dedicated router/firewall box separate
> from your desktop machine.


You want both - a dedicated firewall can't handle application-based
outbound filtering, but is more effective for perimeter protection.
 




All times are GMT +1.