In their default configuration, common NAT routers do effectively handle the particular problem of unsolicited inbound packets reaching a computer on an internal network.
But sometimes networks have requirements that make NAT boxes inadequate, and that is what this FAQ explores.
NAT routers are sometimes called Broadband routers, DSL routers, or "networks in a box". NAT routers are devices that let you build a network with multiple local computers sharing a single IP address on the Internet. Technically these devices are called "many:1 NAT routers" (abbreviated "M:1 NAT routers") or NAPT routers, to differentiate them from other sorts of special purpose NAT routers that exist.
Switches and hubs are different devices that do not have the same security features.
NAT routers provide very good protection for normal homes, and small offices and home offices (SOHOs) against unsolicited inbound events from outside the network. So an NAT router is normally adequate for homes and SOHOs for protection against incoming events.
However, you will want to consider additional protection for these reasons:
1.1 You should definitely run a software firewall on any computer that connects to AOL using a different Internet Service Provider (AOL's Bring-Your-Own-Access plan or AOL MAX using an ISP), no matter what kind of hardware firewall or NAT router you have.
AOL BYOA connects to your computer by creating a "tunnel" through the Internet. With AOL BYOA, tunneling uses your real IP address to connect you to AOL's network where you have a second IP address. Traffic using that second IP address is inside the tunnel.
With AOL, the far end of the tunnel is other AOL customers and the Internet, so it is untrusted. www.mynetwatchman.com/kb/securit···ndex.htm
The solution is to use a software firewall. A software firewall will effectively filter the traffic after it leaves AOL's tunnel and before it gets into the rest of your computer. In some countries AOL9 Max includes the free option of installing the McAfee Firewall Express software firewall.
Somewhat similarly, if you connect to an untrusted network using Virtual Private Networking (VPN), you should either use a software firewall or an external VPN firewall.
VPN uses encrypted "tunnels" for privacy. Traffic is only decrypted when it leaves the tunnel. Each end of the tunnel looks somewhat like an extension of the LAN at the other end: one end of the tunnel may have LAN IP addresses such as 192.168.1.xxx and the other end may have LAN IP addresses such as 192.168.10.xxx. Network Address Translation is not used for traffic when it leaves the VPN tunnel, so there is no NAT protection for traffic through the tunnel.
With VPN, you can use software firewalls. Alternatively you can use an external VPN capable firewall. With an external VPN firewall, the VPN tunnel can be configured to end on the external VPN firewall. This means the external firewall is decrypting the VPN traffic, and it can then examine the traffic and protect your computers.
Be sure to test that your external firewall is configured correctly to protect against unauthorized traffic from outside and inside the tunnel.
1.2 If you have to turn on port forwarding or the DMZ to run servers or other applications, you should consider either a software firewall or a more expensive SPI firewall.
Turning on port forwarding means traffic for the forwarded ports is forwarded to the specified computer automatically, without the protection of NAT. (Most NAT routers do at least basic packet filtering, in addition to NAT. So there is some protection, but not specifically against unsolicited traffic.)
In this circumstance you can add a software firewall, or run a more complex and expensive hardware firewall or firewall appliance.
The safer methods of "port triggering" or UPnP can be used instead of port forwarding or the DMZ, which avoids this exposure. (See below.)
However, if you are running a publicly available server you will probably have to use port forwarding.
1.3 Generally software firewalls provide valuable additional protection that supplements the protection provided by NAT routers and SPI firewalls.
They can inexpensively provide good protection for individual computers on your network in the event that one of the computers gets infected.
Software firewalls can also watch for trojans, viruses, or unauthorized legitimate software trying to connect out. Software firewalls have the advantage that they know what is going on inside your computer: they can see which program is trying to get out, and whether that program has changed since the last time it tried to get out. External firewalls and NAT routers can't do that.
The downside of software firewalls is that they can be shut down by users, stalled or terminated by other malfunctioning software on the PC, and disabled or shut down by certain viruses and trojans.
On the other hand, while external firewalls and NAT routers don't know exactly what is going on inside your computer, they are simple devices that are much less likely to have problems that cause them to fail dangerously.
Ideally a software firewall should be an additional layer of protection behind an NAT router or external firewall. For homes a free version of a software firewall is normally adequate for this additional layer of protection.
- ZoneAlarm Free
Look for the free version / free download, and continue to ask for it rather than the Pro version.
- Sygate Personal Firewall
- Kerio Personal Firewall Limited Free Version (Sunbelt Kerio Personal Firewall)
Look for the "limited free" version.
For businesses, computers running public servers, and computers on wireless networks, a paid-for version of a software firewall provides more protection by allowing more customization and more precise control.
2. In selecting an NAT router, software firewall, or hardware firewall, consider its logging and alerts capabilities.
A good protective system lets you know if there is a determined attack against you.
- Does it let you see what events have occurred recently, including the date and time, local port and IP address, remote port and IP address, and protocol?
- Is it supported by the free firewall log analysis and reporting organizations myNetWatchman and DShield? ( www.mynetwatchman.com www.dshield.org )
- Is there a good log analysis tool available from the manufacturer, or are third party log analysis tools available?
Ideally you want tools that will let you see the one-month history of those remote IP addresses that have caused firewall events in the past 24, 48 or 72 hours. They should also be able to show events from only those remote IP addresses that have caused events on more than one local port.
For some products, third party log analysis tools are available that will provide this capability.
There is more on this topic here: /faq/8226
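As an added example (not part of the original FAQ, and not any vendor's tool), the script below does the two kinds of log triage described above over a handful of constructed log lines: it lists the remote addresses that caused events in the last 24, 48 or 72 hours, pulls each one's 30-day history, and flags the addresses that touched more than one local port. The log format, the addresses and the "current time" are all made up for the illustration.

```python
"""Firewall-log triage: recent offenders, their one-month history, and
multi-port probers. Added example, not part of the original FAQ; the log
format, addresses and clock below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<date> <time> <proto> <remote ip>:<remote port> -> <local port> <action>"
SAMPLE_LOG = """\
2005-03-01 08:15:02 TCP 198.51.100.7:40112 -> 135 DROP
2005-03-20 22:41:10 TCP 198.51.100.7:40113 -> 445 DROP
2005-03-29 03:12:44 UDP 203.0.113.9:1026 -> 1434 DROP
2005-03-30 11:02:17 TCP 198.51.100.7:40120 -> 139 DROP
2005-03-30 11:02:18 TCP 198.51.100.7:40121 -> 445 DROP
2005-03-30 19:45:00 TCP 192.0.2.55:51000 -> 22 DROP
2005-03-31 06:30:09 TCP 192.0.2.55:51001 -> 22 DROP
"""

NOW = datetime(2005, 3, 31, 12, 0, 0)  # constructed "current time" for the report


@dataclass(frozen=True)
class Event:
    when: datetime
    proto: str
    remote_ip: str
    remote_port: int
    local_port: int
    action: str


def parse_log(text):
    """Parse the constructed log format into Event records; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        date, time, proto, remote, _arrow, local_port, action = parts
        ip, port = remote.rsplit(":", 1)
        events.append(Event(datetime.fromisoformat(f"{date} {time}"), proto,
                            ip, int(port), int(local_port), action))
    return events


def recent_offenders(events, now, hours):
    """Remote IPs that caused at least one event in the last `hours` hours."""
    cutoff = now - timedelta(hours=hours)
    return sorted({e.remote_ip for e in events if e.when >= cutoff})


def month_history(events, remote_ip, now, days=30):
    """All events from one remote IP over the past `days` days, oldest first."""
    cutoff = now - timedelta(days=days)
    return sorted((e for e in events if e.remote_ip == remote_ip and e.when >= cutoff),
                  key=lambda e: e.when)


def multi_port_probers(events):
    """Remote IPs that hit more than one local port: a probe rather than a stray packet."""
    ports = defaultdict(set)
    for e in events:
        ports[e.remote_ip].add(e.local_port)
    return {ip: sorted(p) for ip, p in ports.items() if len(p) > 1}


def report(text, now, hours):
    """For each IP active in the window, its 30-day event count, ports hit, and prober flag."""
    events = parse_log(text)
    probers = multi_port_probers(events)
    out = {}
    for ip in recent_offenders(events, now, hours):
        hist = month_history(events, ip, now)
        out[ip] = {
            "events_30d": len(hist),
            "local_ports": sorted({e.local_port for e in hist}),
            "multi_port": ip in probers,
        }
    return out


if __name__ == "__main__":
    for ip, summary in report(SAMPLE_LOG, NOW, 48).items():
        print(ip, summary)
```

Run against a real router or firewall log, only parse_log would need adapting to the device's line format; the three views are the same ones the questions above ask a log tool to provide.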
3. If the router or firewall is wireless, secure the wireless interface.
These days many routers and firewalls include both wired and wireless capabilities. And there is not always a visible antenna.
Be sure to check the router's manual to see if it has a wireless capability. If it does, either disable the wireless interface, or configure the wireless interface so it is properly secured.
4. Firewalls are not a replacement for adequate backups of data. (Firewalls don't protect against real fires, or burglars.) /faq/10194
5. Other security precautions still need to be taken. For example, operating systems and anti-virus software need to be properly installed, configured and updated.
6. There is no hardware or software you can install that will protect against massive amounts of traffic jamming your communications lines. "SPI firewalls" only protect against certain types of denial of service (DoS) attacks involving malformed packets, or protocol sequence violations and vulnerable software.
7. Historically, the original network firewalls did not do packet inspection. They were rule based, using tables of permitted IP addresses and ports. Packet inspection is not historically in the definition of firewalls.
8. The NAT firewall was a major advance. It limited inbound traffic based on the basic state of communications with the external IP address. Outbound traffic triggered permission for inbound traffic.
Internal packet inspection was the next advance, checking for malformed packets. SPI firewalls sometimes also incorporate a more detailed examination of the state of communications, often checking outbound traffic as well as inbound traffic.
However, currently (1Q2005) a common SPI firewall is usually little better at providing inbound firewall protection than a $60 NAT router. The "SPI" label is basically there for marketing purposes. To get meaningfully better protection than an NAT router, one needs a high-end SPI firewall, typically costing over $150.
The next advance is firewall appliances. These add extensive virus scanning of network traffic to the features of SPI firewalls. Currently these cost over $700 and are aimed at offices and institutions.
Some NAT routers and SPI firewalls include parental and employee controls, limiting access times, and restricting certain sites. This FAQ is not considering that kind of protection.
9. This is basically how a pure many:1 NAT router works. M:1 is the kind of router commonly used for home and SOHO users to provide a connection for many local computers using one public IP address.
First, packet filtering is applied to eliminate malformed packets and selected other packets based on fixed rules. With ordinary NAT routers this is fairly basic filtering compared with purpose-built firewalls.
With outgoing packets, the NAT router substitutes its own IP address and one of its currently unused ephemeral ports (that is, ports > 1023) for the source IP address and ephemeral port the local computer used.
All this information is then recorded in a state table with a timestamp. Additional traffic will update the timestamp.
For an incoming packet, the router looks up the packet's source IP address and port, together with the router port on which it arrived, in the state table.
- If a match isn't found in the state table, the packet has nowhere to go, and is discarded.
- If a match is found, the state table entry is used to translate the router's IP address and port to the local computer's IP address and port, and the packet is routed to that local computer.
Both the local computer's local IP address and its source port are mapped, which allows multiple local computers to connect to the same remote server and have independent conversations.
The state table is only filled by outgoing traffic, which means inbound traffic cannot make it overflow.
Of course, as with any program, there can be a bug in the implementation, but you can't get much simpler or more failsafe than the M:1 NAT algorithm.
Simplicity and failsafe-ness are good features. The more lines of code, the greater the chance of a bug.
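To make the algorithm in item 9 concrete, here is an added example (not part of the original FAQ, and not any router's firmware) that simulates a pure M:1 NAT state table in Python. The public address, the idle timeout and the packets are constructed; the behaviour follows the steps above: outgoing packets create or refresh entries keyed by the router's ephemeral port, incoming packets are matched against that table and dropped if nothing matches, and only outbound traffic can add entries.

```python
"""Simulation of the many:1 (M:1) NAT state table described in item 9.
Added example, not part of the original FAQ; the public address, timeout
and packets are constructed for illustration."""
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.1"  # constructed public address of the router
TIMEOUT = 300              # constructed: seconds of idleness before an entry is dropped


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class M1Nat:
    def __init__(self, public_ip=PUBLIC_IP, timeout=TIMEOUT):
        self.public_ip = public_ip
        self.timeout = timeout
        self.next_port = 1024  # first ephemeral port (> 1023) handed out
        # (proto, router port) -> (local ip, local port, remote ip, remote port, last seen)
        self.state = {}

    def _expire(self, now):
        """Drop entries whose timestamp has not been refreshed within the timeout."""
        for key in [k for k, v in self.state.items() if now - v[4] > self.timeout]:
            del self.state[key]

    def _alloc_port(self, proto):
        """Pick an ephemeral port not currently in use in the state table."""
        for _ in range(65535 - 1024):
            port = self.next_port
            self.next_port = 1024 if self.next_port == 65535 else self.next_port + 1
            if (proto, port) not in self.state:
                return port
        raise RuntimeError("state table full")

    def outbound(self, pkt, now):
        """LAN -> Internet: substitute the router's IP and port, record or refresh state."""
        self._expire(now)
        for key, (lip, lport, rip, rport, _) in self.state.items():
            if key[0] == pkt.proto and (lip, lport, rip, rport) == (
                    pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port):
                self.state[key] = (lip, lport, rip, rport, now)  # refresh timestamp
                return replace(pkt, src_ip=self.public_ip, src_port=key[1])
        port = self._alloc_port(pkt.proto)
        self.state[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, now)
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt, now):
        """Internet -> LAN: match router port and remote endpoint; None means discarded."""
        self._expire(now)
        entry = self.state.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None  # no state: the packet has nowhere to go
        lip, lport, rip, rport, _ = entry
        if (pkt.src_ip, pkt.src_port) != (rip, rport):
            return None  # right router port, wrong remote endpoint: still unsolicited
        self.state[(pkt.proto, pkt.dst_port)] = (lip, lport, rip, rport, now)
        return replace(pkt, dst_ip=lip, dst_port=lport)


def demo():
    """Two LAN hosts share one public IP; a probe and a late reply are both dropped."""
    nat = M1Nat()
    # Both hosts happen to use local source port 40000 towards the same web server.
    a = nat.outbound(Packet("TCP", "192.168.1.10", 40000, "198.51.100.20", 80), now=0)
    b = nat.outbound(Packet("TCP", "192.168.1.11", 40000, "198.51.100.20", 80), now=1)
    # Replies arrive on two different router ports and are demultiplexed correctly.
    ra = nat.inbound(Packet("TCP", "198.51.100.20", 80, PUBLIC_IP, a.src_port), now=2)
    rb = nat.inbound(Packet("TCP", "198.51.100.20", 80, PUBLIC_IP, b.src_port), now=2)
    # An unsolicited packet to a port with no state entry is discarded.
    probe = nat.inbound(Packet("TCP", "192.0.2.99", 55555, PUBLIC_IP, 1026), now=3)
    # After the idle timeout even the correct remote endpoint is refused.
    late = nat.inbound(Packet("TCP", "198.51.100.20", 80, PUBLIC_IP, a.src_port),
                       now=2 + TIMEOUT + 1)
    return a, b, ra, rb, probe, late


if __name__ == "__main__":
    print(demo())
```

The inbound path never creates state, which is the property item 9 relies on: nothing arriving from outside can grow the table.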
10. Port forwarding bypasses the state table and that source of protection provided by the NAT router. Port forwarding (on a pure NAT router) causes almost all traffic that arrives at a particular port to go to a particular local IP address. (Basic packet filtering is the only protection for the port.)
Trigger ports or UPnP should be used in preference to port forwarding when possible. For example, use port triggering for the UDP replies to Windows Media Player, so that forwarding is limited to the remote IP address that was contacted on the trigger port. The forwarding will time out (terminate when it isn't being used) rather than being always-on.
You need to configure both the software's own options and the router's setup so that the ports used correspond. After you make the changes, use the software to make a connection, and then check your firewall/router logs to see that the UDP traffic is not being blocked.
Typically the trigger port is a TCP port used to establish and control communications. The triggered port is normally UDP and is used to receive large amounts of data with minimum overhead (with no overhead from "receipt verified" packets).
These port triggering settings are possible:
Application            Trigger port   Triggered ports
Real Player            7070 TCP       6980-7000 UDP
Real Player            6970 TCP       6980-7000 UDP
QuickTime              554 TCP        6970-7000 UDP
BitTorrent             6969 TCP       6881-6889 UDP
Windows Media Player   1755 TCP       6980-7000 UDP
Remember, the settings in the router and the software must correspond. For example, you have to update your router, and you have to update your QuickTime options. If you cannot find the ports in the software's options, check the software maker's website for which ports it is set to use.
UPnP is also an alternative to port forwarding, but not all NAT routers and not all software are UPnP capable. The software uses UPnP to ask the router to open ports for its use. When the software shuts down, it asks the router to close those ports. This saves you having to configure the router and software with specific ports. A small downside of UPnP in its current form is that, if the program that opened the port crashes, the port is left open until you re-boot.
If you need instructions on UPnP, check your manuals and FAQs, and consult a search engine using UPnP and the program name, or UPnP and the router make, as search terms.
Trigger ports and UPnP are safer than port forwarding.
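The difference item 10 draws between port forwarding and port triggering is shown in the added Python example below (not part of the original FAQ, and not any router's firmware). The trigger table is the one listed above; the hosts, the idle timeout and the packets are constructed. A static forward delivers anything that arrives on the port to the local host, from any sender, indefinitely; a triggered opening delivers only packets from the remote address the LAN host contacted on the trigger port, and closes once it goes idle.

```python
"""Static port forwarding versus port triggering, as described in item 10.
Added example, not part of the original FAQ; the trigger rules come from
the FAQ's table, the hosts, timeout and packets are constructed."""
from dataclasses import dataclass

TRIGGER_RULES = {
    # (trigger proto, trigger port) -> (opened proto, first port, last port)
    ("TCP", 7070): ("UDP", 6980, 7000),   # Real Player
    ("TCP", 6970): ("UDP", 6980, 7000),   # Real Player
    ("TCP", 554):  ("UDP", 6970, 7000),   # QuickTime
    ("TCP", 6969): ("UDP", 6881, 6889),   # BitTorrent
    ("TCP", 1755): ("UDP", 6980, 7000),   # Windows Media Player
}
TRIGGER_TIMEOUT = 120  # constructed: seconds of idleness before a triggered opening closes
PUBLIC_IP = "203.0.113.1"  # constructed public address of the router


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Forwarder:
    def __init__(self, rules=TRIGGER_RULES, timeout=TRIGGER_TIMEOUT):
        self.rules = rules
        self.timeout = timeout
        self.static = {}     # (proto, public port) -> local ip; always-on, any sender
        self.triggered = {}  # (proto, first, last, remote ip) -> (local ip, last seen)

    def add_static_forward(self, proto, port, local_ip):
        """Classic port forwarding: the port is open to the whole Internet."""
        self.static[(proto, port)] = local_ip

    def outbound(self, pkt, now):
        """A LAN host contacting a trigger port opens the triggered range for that remote only."""
        rule = self.rules.get((pkt.proto, pkt.dst_port))
        if rule is not None:
            oproto, first, last = rule
            self.triggered[(oproto, first, last, pkt.dst_ip)] = (pkt.src_ip, now)

    def inbound(self, pkt, now):
        """Return the LAN host that receives this packet, or None if it is dropped."""
        # 1. Static forwarding matches regardless of who sent the packet.
        target = self.static.get((pkt.proto, pkt.dst_port))
        if target is not None:
            return target
        # 2. Port triggering: only the contacted remote, only until the opening goes idle.
        for key, (local_ip, last_seen) in list(self.triggered.items()):
            proto, first, last, remote_ip = key
            if now - last_seen > self.timeout:
                del self.triggered[key]
                continue
            if proto == pkt.proto and first <= pkt.dst_port <= last and remote_ip == pkt.src_ip:
                self.triggered[key] = (local_ip, now)  # refresh the idle timer
                return local_ip
        return None


def demo():
    """Triggered opening admits only the media server; a static forward admits anyone."""
    fw = Forwarder()
    media = "198.51.100.30"   # constructed streaming server the LAN host talks to
    stranger = "192.0.2.66"   # constructed unrelated host on the Internet
    # LAN host opens the Windows Media Player control connection on the trigger port.
    fw.outbound(Packet("TCP", "192.168.1.20", 45000, media, 1755), now=0)
    from_media = fw.inbound(Packet("UDP", media, 1755, PUBLIC_IP, 6990), now=5)
    from_stranger = fw.inbound(Packet("UDP", stranger, 5555, PUBLIC_IP, 6990), now=5)
    expired = fw.inbound(Packet("UDP", media, 1755, PUBLIC_IP, 6990), now=5 + TRIGGER_TIMEOUT + 1)
    # Contrast: a static forward of the same port accepts the stranger, at any time.
    fw.add_static_forward("UDP", 6990, "192.168.1.20")
    static_any = fw.inbound(Packet("UDP", stranger, 5555, PUBLIC_IP, 6990), now=10_000)
    return from_media, from_stranger, expired, static_any


if __name__ == "__main__":
    print(demo())
```

The only protection a statically forwarded port has is whatever basic packet filtering the router applies before this lookup, which is why the FAQ recommends triggering or UPnP wherever the application allows it.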
11. The DMZ should be totally avoided on most NAT routers.
A DMZ is not normally required, provided you know your software. Check the software vendor's website, or email their support area, or search here in BBR, to find out what ports you need to set as trigger ports for which ports, or which ports to forward.
If you really do need a DMZ, use a device that treats the computer in the DMZ as though it was an untrusted computer outside your local network. Ordinary NAT routers do not normally provide this type of DMZ; they normally just forward all unsolicited traffic to the machine in the DMZ, leaving it with no NAT protection.
(You can create the desired level of separation with 2 ordinary NAT routers, or with 1 NAT router and 1 hub, or 1 high-end NAT router or firewall.)
Here are some security testing sites: /faq/5503
Here is more on securing your home computer: /faq/8463
Here is more on securing a wireless router: /faq/8698
For discussion about your individual circumstances you can post a message in the BBR Security Forum here: /forum/security
Be sure to mention if you have unusual requirements, like offering "public servers", confidential client data, etc., how many computers you have, which operating systems, and so on.
If your network is high-value or a particularly attractive target, or if you are a business that depends on its computers, we recommend you also obtain the services of an IT professional to help plan and maintain your security.
* Here is the thread where the proposal for this FAQ was researched, discussed and refined. My thanks to all those who participated with me in developing this FAQ.
- Removed dead link to UPnP configuration instructions.
- Improved opinion of UPnP.
01 Jan 2006
- Kerio PFW is to be Sunbelt Kerio PFW.
- Clarified trigger port setup.
- MS Messenger can now easily do file transmission through an NAT router, so the old instructions have been removed.
01 May 2005
- Added caution to check whether the router is wireless, and to secure the wireless interface.
- Added NAPT as a technical term for the kind of router being talked about.
(Thanks Doc Olds.)