
Router, NAT, Firewall discussion

Discussion in 'Networking (Hardware & Software)' started by Newt, 2003/12/24.

  1. 2003/12/24
    Newt

    I posted this in a reply to a security topic but thought it might be good to put here as well. It's an area that seems to cause quite a bit of confusion. Note: SOHO = Small Office Home Office

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NAT = Network Address Translation.

    NAT is a really great idea someone had to allow multiple users on a LAN (local area network) to share a single real/leased/registered/public IP address. It works as follows (and is the same if you use ICS (internet connection sharing) that Microsoft provides):

    Say you have 4 PCs at home and something that will do NAT for you. The NAT device assigns itself the real (as provided by your ISP) IP address and it's the only device that can be directly seen from the internet. NAT, in turn and using DHCP usually, assigns all your local PCs an IP address in one of the private (never assigned for real) address groups. 192.168.x.x is most common. These addresses cannot cross a router and get to another network or to the internet.

    When one of your PCs wants to connect to an internet address, it sends the request packet via the 'gateway' address it has and that will be the internal IP address of the NAT device. NAT traps the packet, stores info about it in a database, changes the 'From' IP from yours to the public address it has, and sends the packet out to the internet.

    Any response will come back to the NAT device because that's the address it's replying to. NAT will check the packet against its database to decide if it's a response and if so, which PC should get it. The packet is then changed and the public IP address is changed to the proper internal address and you get your response. Lots of housekeeping but hardware can do this stuff really fast.

    However, if a packet comes to the NAT device that doesn't match with any request from your LAN, the packet is discarded and you never see it. So an internet probe of the public IP address never gets in. In this respect, it certainly does protect you from outside attack - and is basically doing the job of a firewall.

    It provides no protection whatever if one of your PCs started the conversation though. You get spyware on your PC when you surf the web. AV software doesn't stop spyware since it isn't a virus/trojan/worm. When the spyware 'calls home' it has started the conversation from your PC so your NAT device treats the packet as legit, sends it, and passes along any response it gets right back to you. This is nothing you could notice either unless you have a real firewall installed that looks at inbound and outbound traffic. Unless your browser and similar settings are lots tighter than most of us are willing to use, the spyware could also send out a request for something that would damage your PC and that something would slip right in to you.

    Firewalls

    First a quick bit about IP addresses and IP Ports since you can't understand what firewalls do without knowing a little about this stuff.

    Any PC using TCP/IP (and all internet traffic requires that) will have one IP address in the form of xxx.xxx.xxx.xxx and that address will be unique like a house address or a phone number. At least, unique within the network where it lives and if that includes the internet, completely unique.

    With any internet pipe (connection) there is an added piece that you never really see. Applications that communicate over networks use a specific port. There are around 64,000 of them available so at this point, every type of network traffic has a port it will use. The first 1000 are considered 'well known' or standard so that HTTP packets from your browser will always try to use port 80. FTP uses 20 & 21. SMTP (outbound email) uses 25 and POP3 (inbound email) uses 110. And so on. So if your PC is 192.168.0.10 an outbound HTTP packet will be from 192.168.0.10:80 and the entire address including port number is necessary.

    Firewalls operate only on ports. There are two basic types.

    The simplest (like the one that ships w/ XP) only deals with inbound traffic and only has the option to set a port as open or closed. Close port 80 and your browser will not function. Open port 80 and any packet trying to use that port will succeed.

    Better firewalls can be set to monitor both in and outbound packets and deal with them on a port by port basis as you have things set up. Good in case of a trojan or spyware app trying to 'call home' since they will normally use a strange port number and if that one is blocked for outbound traffic, they call but no one answers.

    Still better firewalls have some logic built in. Where the firewall types above are sort of like a fenced in pasture with gates that are either open or closed, a stateful firewall places a gate guard on any open gate to check any who try to enter/leave thru that gate. If they look strange, you will be notified and asked for a decision. So that, for instance, a trojan packet trying to use FTP to send stuff to its owner or to get stuff from its owner might try to spoof your firewall by putting port 80 on as the address while the system at the other end knows about this and will auto-transfer any port 80 packets to port 20/21. A normal in/out firewall won't notice. A stateful firewall will see port 80 traffic that looks like FTP and will block it and ask you.

    Routers

    The earlier home/small office routers would have been way too expensive if a good firewall had been built in so the SOHO router folks said to users that NAT was adequate protection - but they worded it so they told the truth but in a misleading way. There is a large enough market for SOHO router/switches these days that they've improved things and you can now buy a reasonably priced router/switch that has a hardware/firmware firewall built in. But not all of them include this as of right now so you have to check the specs carefully to see exactly what you have.

    The other option is to run a software firewall on each PC but that's not nearly as good an option for two reasons. First, speed is affected. Way too much work for the firewall to do so software just can't compete with hardware for speed. Second, a software firewall can be disabled by a really clever piece of malware. Hardware firewalls are much tougher to defeat so only really high-end hacks will even try and they are concentrating on richer targets than SOHO networks.
     
    Newt,
    #1
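    The translation table Newt walks through above, modelled as a small added example (this is not code from the thread; the Nat and Packet classes, the addresses and the translated port range are constructed for illustration). It shows the three cases he describes: a LAN-initiated request gets an entry and a rewritten 'From' address, the matching reply is mapped back to the right PC, an unsolicited probe of the public address is dropped, and a spyware beacon started on the LAN is translated just like the browser's traffic.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Toy NAT/PAT device: one public address shared by a LAN (hypothetical, for illustration)."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.table = {}    # translated public port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.by_flow = {}  # that flow tuple -> translated public port
        self.ports = count(40000)  # constructed range for translated source ports

    def outbound(self, pkt):
        """LAN -> internet: record the flow, rewrite the 'From' address to the public one."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_flow.get(flow)
        if port is None:
            port = next(self.ports)
            self.by_flow[flow] = port
            self.table[port] = flow
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """internet -> LAN: deliver only replies that match a recorded flow, else drop (None)."""
        entry = self.table.get(pkt.dst_port) if pkt.dst_ip == self.public_ip else None
        if entry is None:
            return None  # no request from the LAN matches this packet: discarded
        lan_ip, lan_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # right port, wrong peer: still not a reply to our request
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)


def demo():
    nat = Nat("203.0.113.7")  # constructed public address (documentation range)
    # A LAN PC fetches a web page: ephemeral source port, destination port 80.
    out = nat.outbound(Packet("192.168.0.10", 51000, "198.51.100.5", 80))
    reply = nat.inbound(Packet("198.51.100.5", 80, out.src_ip, out.src_port))
    # An internet probe of the public address that no LAN PC asked for.
    probe = nat.inbound(Packet("198.51.100.9", 4444, "203.0.113.7", 80))
    # Spyware on the same PC 'calls home': LAN-initiated, so NAT translates it like any other.
    beacon = nat.outbound(Packet("192.168.0.10", 51001, "198.51.100.66", 6667))
    return out, reply, probe, beacon
```

    Only a firewall that also inspects outbound traffic would have anything to say about the beacon; the NAT table alone has no way to tell it apart from the web request.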
  2. 2004/05/18
    Newt

    Several folks pointed out places I either goofed or wasn't clear (some of both) so I'm adding their comments here. - Newt

    From TonyT
    From ReggieB
     
    Newt,
    #2


  4. 2005/09/26
    aspicer

    Newt wrote: (My comments start with *. Nice article. I did have some comments on it.)

    NAT = Network Address Translation.

    NAT is a really great idea someone had to allow multiple users on a LAN (local area network) to share a single real/leased/registered/public IP address. It works as follows (and is the same if you use ICS (internet connection sharing) that Microsoft provides):

    Say you have 4 PCs at home and something that will do NAT for you. The NAT device assigns itself the real (as provided by your ISP) IP address and it's the only device that can be directly seen from the internet. NAT, in turn and using DHCP usually, assigns all your local PCs an IP address in one of the private (never assigned for real) address groups. 192.168.x.x is most common. These addresses cannot cross a router and get to another network or to the internet.

    These addresses cannot cross a router and get to another network or to the internet.

    * Normally that is the case but not because it is impossible. On inexpensive off-the-shelf routers with NAT normally the RFC 1918 addresses will never cross that NAT implementation. But on more advanced routers with command shell configuration it's possible to misconfigure things to allow these addresses to leak. Most Internet facing routers (e.g. Cisco) will drop these addresses with an access list such as "access-list 101 deny ip 192.168.0.0 0.0.255.255 any", "access-list 101 deny ip 172.16.0.0 0.15.255.255 any", and "access-list 101 deny ip 10.0.0.0 0.255.255.255 any". I took this from an actual Cisco 7207VXR router facing an AT&T DS3 link to Orlando, Florida. No doubt the other end does the same type of access lists in case the customer side didn't do it. If someone were to accidentally plug a PC with an RFC 1918 address into a switch hanging off such a router an address leak could occur. Without these filters nothing would stop this leakage... except for the fact that normally no router on the Internet would have a route back to RFC 1918 address space. So you'd never get a connection anyway. (Assuming you ever got past all the routers filtering and dropping those packets in the path.)

    * It's quite possible to set up a WAN link on a router using RFC 1918 addresses where both ends use those addresses and route them. Router labs are done that way all of the time.

    When one of your PCs wants to connect to an internet address, it sends the request packet via the 'gateway' address it has and that will be the internal IP address of the NAT device. NAT traps the packet, stores info about it in a database, changes the 'From' IP from yours to the public address it has, and sends the packet out to the internet.

    Any response will come back to the NAT device because that's the address it's replying to. NAT will check the packet against its database to decide if it's a response and if so, which PC should get it. The packet is then changed and the public IP address is changed to the proper internal address and you get your response. Lots of housekeeping but hardware can do this stuff really fast.

    However, if a packet comes to the NAT device that doesn't match with any request from your LAN, the packet is discarded and you never see it. So an internet probe of the public IP address never gets in. In this respect, it certainly does protect you from outside attack - and is basically doing the job of a firewall.

    * That's not always true. I'm receiving packets all of the time that don't match any request from my NAT LAN. Typically certain ports will be forwarded, although this usually has to be configured manually. NAT has been called "Security by Obscurity" and there's quite a bit of discussion about this not being very safe. Recently problems were found with certain Linksys Routers ... usually misconfigured (even if that was the default) allowing an attacker to access the router configuration - and once an attacker is there it can allow all sorts of port forwarding, etc. This is an interesting page on Windows XP SP2 Firewall Troubleshooting:
    http://support.microsoft.com/default.aspx?kbid=875357

    It provides no protection whatever if one of your PCs started the conversation though. You get spyware on your PC when you surf the web. AV software doesn't stop spyware since it isn't a virus/trojan/worm. When the spyware 'calls home' it has started the conversation from your PC so your NAT device treats the packet as legit, sends it, and passes along any response it gets right back to you. This is nothing you could notice either unless you have a real firewall installed that looks at inbound and outbound traffic. Unless your browser and similar settings are lots tighter than most of us are willing to use, the spyware could also send out a request for something that would damage your PC and that something would slip right in to you.

    Firewalls

    First a quick bit about IP addresses and IP Ports since you can't understand what firewalls do without knowing a little about this stuff.

    Any PC using TCP/IP (and all internet traffic requires that) will have one IP address in the form of xxx.xxx.xxx.xxx and that address will be unique like a house address or a phone number. At least, unique within the network where it lives and if that includes the internet, completely unique.

    With any internet pipe (connection) there is an added piece that you never really see. Applications that communicate over networks use a specific port. There are around 64,000 of them available so at this point, every type of network traffic has a port it will use. The first 1000 are considered 'well known' or standard so that HTTP packets from your browser will always try to use port 80. FTP uses 20 & 21. SMTP (outbound email) uses 25 and POP3 (inbound email) uses 110. And so on. So if your PC is 192.168.0.10 an outbound HTTP packet will be from 192.168.0.10:80 and the entire address including port number is necessary.

    Firewalls operate only on ports. There are two basic types.

    * Hmmm, I can make my firewall operate on IP Addresses, Interfaces, and more advanced firewalls can operate on Protocol Numbers http://www.iana.org/assignments/protocol-numbers. The first two I can do even with Windows XP. What port does ICMP work on?

    The simplest (like the one that ships w/ XP) only deals with inbound traffic and only has the option to set a port as open or closed. Close port 80 and your browser will not function. Open port 80 and any packet trying to use that port will succeed.

    * I seem to be able to allow forwarding of ports to an IP Address or Computer Name on my LAN as well. This is pretty cool. Web Server on the LAN over NAT/ICS. Add Dynamic DNS ... and that's a powerful combination. Windows Firewall, even in SP2 XP Pro, does seem to be primarily an inbound firewall. But it also seems to have a flavor of Application Level firewalling ... as it pops up asking whether new programs should be allowed. Kind of reminiscent of Zone Alarm, Sygate Personal, and such after-market firewalls.

    Better firewalls can be set to monitor both in and outbound packets and deal with them on a port by port basis as you have things set up. Good in case of a trojan or spyware app trying to 'call home' since they will normally use a strange port number and if that one is blocked for outbound traffic, they call but no one answers.

    Still better firewalls have some logic built in. Where the firewall types above are sort of like a fenced in pasture with gates that are either open or closed, a stateful firewall places a gate guard on any open gate to check any who try to enter/leave thru that gate. If they look strange, you will be notified and asked for a decision. So that, for instance, a trojan packet trying to use FTP to send stuff to its owner or to get stuff from its owner might try to spoof your firewall by putting port 80 on as the address while the system at the other end knows about this and will auto-transfer any port 80 packets to port 20/21. A normal in/out firewall won't notice. A stateful firewall will see port 80 traffic that looks like FTP and will block it and ask you.

    Routers

    The earlier home/small office routers would have been way too expensive if a good firewall had been built in so the SOHO router folks said to users that NAT was adequate protection - but they worded it so they told the truth but in a misleading way. There is a large enough market for SOHO router/switches these days that they've improved things and you can now buy a reasonably priced router/switch that has a hardware/firmware firewall built in. But not all of them include this as of right now so you have to check the specs carefully to see exactly what you have.

    The other option is to run a software firewall on each PC but that's not nearly as good an option for two reasons. First, speed is affected. Way too much work for the firewall to do so software just can't compete with hardware for speed. Second, a software firewall can be disabled by a really clever piece of malware. Hardware firewalls are much tougher to defeat so only really high-end hacks will even try and they are concentrating on richer targets than SOHO networks.

    * That might be true about hardware... but pretty much every inexpensive firewall runs some kind of software. Even expensive backbone routers mostly run an Operating System. Everyone knows the recent problems reported with Cisco Routers running IOS. I seem to remember Juniper Routers were BSD Unix at the core... their OS is JUNOS? The fastest stuff uses ASICs - Application Specific Integrated Circuits. I wonder how much of the switching and routing in cheap routers is done in software ... rather than as you say in hardware? Also what about Kernel level software vs Application level software for firewalling? Is Windows able to beat an after-market firewall software because it has kernel level access?
     
    Last edited: 2005/09/26
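    The three access-list lines aspicer quotes, as an added example (not code from the thread or from any router) that applies Cisco wildcard-mask matching to decide which source addresses the filter drops; the function names, the leak-check helper and the sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed from the three access-list lines quoted in the post: (network, Cisco wildcard mask).
ACL_101_DENY = [
    ("192.168.0.0", "0.0.255.255"),
    ("172.16.0.0", "0.15.255.255"),
    ("10.0.0.0", "0.255.255.255"),
]


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match exactly, a 1 bit is ignored.
    (This is the inverse of a subnet mask, so 0.15.255.255 covers 172.16.0.0 - 172.31.255.255.)"""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_101_action(src_ip):
    """Return the entry that denies a packet from src_ip, or None if none of the three match
    (a real list would continue with further entries and ends in an implicit deny)."""
    for net, wc in ACL_101_DENY:
        if wildcard_match(src_ip, net, wc):
            return f"access-list 101 deny ip {net} {wc} any"
    return None


def leaked_sources(packets):
    """Given (src_ip, dst_ip) pairs seen leaving the WAN interface, list the RFC 1918
    sources the filter would have dropped: the 'leaks' the post describes."""
    return [src for src, _ in packets if acl_101_action(src)]
```

    Note the boundary the wildcard mask draws: 172.31.x.x is caught by the second entry but 172.32.x.x is not, which is exactly why the mask is 0.15.255.255 and not 0.255.255.255.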
  5. 2005/09/27
    Newt

    Alan - welcome to you and please stick around. Networking experts are always great to have and usually are in short supply.

    I just got in from work and want to digest your post when I'm a little more awake. Thanks for taking the time to review it. After a quick read, I think I'll probably wind up incorporating some of your comments into the discussion.
     
    Newt,
    #4
  6. 2005/09/27
    aspicer

    Cool. You wrote a heavy duty article there yourself. If you've never had to do NAT configuration on a Cisco Router like I did on a 3640 a while back, be happy. Talk about your complicated setup and concepts!

    I'm also doing some firewalling in Linux here alongside (after) my XP box. Also doing IPv6 ... actually Linux is doing the tunnel via freenet6.

    Here's a good one ... I found out recently that Windows XP (at least Pro?) will make its own tunnel to ipv6 (assuming you installed ipv6). Packet sniffs seemed to show it was also going to freenet6. You know anything about that? I had to turn off a service to stop it from doing that... so I could use the tunnel from Linux.

    (Why am I still up!!!! I need to get some sleep. I'll check back when I have a chance.)
     
