Q: I use Steve Gibson’s ShieldsUP! Web site (www.grc.com/default.htm) to test for Internet visibility and always find I am in complete “stealth mode” on all ports, just using cheap Linksys routers (running NAT) connected to our cable modems. I get a dynamic address from Comcast, perhaps improving my security. What types of added protection do you get from a firewall that you don’t get from NAT? It is my impression — perhaps naive — that with NAT, if the packet does not originate from your local intranet to the outside Internet, it is not possible for a packet to be sent to you unsolicited. Is that wrong?
— Terry Horwath, Mount Vernon
A: Given rising security concerns, the issue of firewalls and other Internet security measures keeps coming up. So I’m going to devote the entire column to this question.
First, a little more background.
NAT is an acronym for network address translation, an Internet standard. It is offered by many routers and firewalls and does one relatively simple job: It translates between public and private IP, or Internet protocol, addresses. In a typical configuration, your router or DSL modem will be assigned a public IP address so that exchanges with the Internet can take place. With that dynamic IP address assigned to you by Comcast, your IP address will be different each time you connect. If you are running a Web server, however, you would need a static IP address, which is always the same.
With NAT, the router is also assigned a “private” IP address, one that can’t be reached directly from the Internet. In addition, the router assigns private IP addresses to other computers on your network so that they can all connect to the router. Once that is done, multiple computers on your network can access the Internet through the same router using that single public IP address.
That was originally the primary benefit of NAT seen by most users: It allowed multiple computers to use the Internet even though only one Internet account and one public IP address were in use.
The rising security concerns in recent years have prompted another benefit. NAT requires that any exchange between a computer on your network and the Internet be initiated by a computer on your network: the router only knows where to deliver an incoming packet if it matches a connection it has already seen going out, so an unsolicited packet from the Internet has no destination and is simply dropped.
Bear in mind, however, that just because the communication must be initiated locally doesn’t mean that once the communication is initiated you are entirely safe. For one thing, if you don’t have good anti-virus software running, you may find that malicious worms have slipped in along with the data you requested from a server on the Internet.
What’s more, if a hacker takes control of your NAT device itself, your entire network is vulnerable. And this is not beyond the capability of good hackers.
NAT is also limited because it doesn’t work with some Internet protocols that are used for, say, gaming or secure communications. And if you’re running a Web server on your network, you’ll need your NAT device also to provide “port forwarding.” Then, when a request to your server comes to the NAT device, it will know how to find the appropriate port on your server.
Firewalls, in addition to NAT, provide a whole bunch of other tools for protecting your network. First, they allow you to control connectivity to individual ports on your computer. You can specify which ports are open and which are closed and for what kinds of traffic. Firewalls also provide logging and auditing functions to help you detect problems and figure out when you’re being hacked.
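The difference between NAT’s “must be initiated locally” rule, a port forward and a firewall’s per-port policy can be seen in a small model. This is an added illustration, not code from the column or from any router; the class names, addresses and port numbers are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class NatRouter:
    """Toy NAT: one public address, a translation table filled only by
    outbound traffic, and optional static port forwards (hypothetical model)."""
    public_ip: str
    port_forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    table: Dict[Tuple[int, str, int], Tuple[str, int]] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        # A LAN host initiates: allocate a public port and remember who asked.
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # A reply to something a LAN host started is translated back to that host.
        inside = self.table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        # Otherwise only an explicit port forward (e.g. a Web server) is reachable.
        if inside is None:
            inside = self.port_forwards.get(pkt.dst_port)
        if inside is None:
            # No mapping at all: the unsolicited packet has nowhere to go, so drop it.
            self.log.append(f"NAT drop {pkt.src_ip}:{pkt.src_port} -> :{pkt.dst_port}")
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])

@dataclass
class Firewall:
    """Toy firewall in front of the NAT: explicit per-port policy, default deny,
    and a log entry for every inbound decision."""
    nat: NatRouter
    allowed_ports: set = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # Replies to outbound traffic are recognised via the NAT table; any other
        # new connection is admitted only to ports the administrator opened.
        solicited = (pkt.dst_port, pkt.src_ip, pkt.src_port) in self.nat.table
        if not solicited and pkt.dst_port not in self.allowed_ports:
            self.log.append(f"DENY {pkt.src_ip}:{pkt.src_port} -> :{pkt.dst_port}")
            return None
        self.log.append(f"ALLOW {pkt.src_ip}:{pkt.src_port} -> :{pkt.dst_port}")
        return self.nat.inbound(pkt)
```

With a port forward left open for a port the administrator never meant to expose, the NAT alone delivers the packet, while the firewall in front of it denies and logs the attempt.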
The major problem with firewalls is that the stronger they are, the more expertise is required to configure them.
The bottom line: NAT provides a welcome level of security, but it should not be considered a replacement for a firewall for users who have sensitive data on their network.
Questions for Patrick Marshall may be sent by e-mail to email@example.com or firstname.lastname@example.org, or by mail at Q&A/Technology, The Seattle Times, P.O. Box 70, Seattle, WA 98111. More columns at www.seattletimes.com/columnists.