Router Question: NAT vrs Firewall function?

[sswilson]

Got a question for the network/router gurus out there. (Please take it easy on me if my assumptions are completely Out To Lunch..... ;) ).

In layman's terms, my understanding is that using a router offers a form of hardware firewall based solely on the NAT features. If I've got this figured out properly (this is where I might be completely out to lunch) is that NAT performs firewall duty for incoming requests mostly because it doesn't know where to send information it isn't expecting and thus just throws it out rather than deciding on it's own what internal device to send it to.... is that basically the way it works?

If this is so, my main question then is WRT routers (like some SMC ones) which also have a firewall setting...... is this different from the standard NAT function, or would disabling it just put the router into what was formally known as DMZ on older routers?

[JD]

From my understanding, all NAT really does is mask all your internal IP's (typically 192.168.x.x), so that the outside world doesn't see them. You're external IP (from your ISP/modem) is visible to the world regardless, but the outside has no idea how to map that to your specific computers.

A SPI (stateful packet inspection) firewall actually analyzes packets to determine whether or not you have requested them, or have an open connection between you and somebody else. If not, it gets dropped as it's deemed unwanted.

[Perineum]

In my opinion, you're correct about NAT, it doesn't know where to send incoming information if it hasn't been requested already so it would then drop it, which is in a sense a natural firewall type effect. None of the computers on the LAN are pingable, just the router.

Some routers will have additional firewall on top of that, like SPI which would filter the allowed content that was already going to be passing NAT.

Removing the firewall should not act like any sort of DMZ because it's impossible for the router to know which computer it was to put in DMZ, unless it started broadcasting to every computer on the network at which point it should be quickly taken out and promptly shot.

I'm interested in hearing other replies...

[sswilson]

Quote:

Originally Posted by Perineum

In my opinion, you're correct about NAT, it doesn't know where to send incoming information if it hasn't been requested already so it would then drop it, which is in a sense a natural firewall type effect. None of the computers on the LAN are pingable, just the router.

Some routers will have additional firewall on top of that, like SPI which would filter the allowed content that was already going to be passing NAT.

Removing the firewall should not act like any sort of DMZ because it's impossible for the router to know which computer it was to put in DMZ, unless it started broadcasting to every computer on the network at which point it should be quickly taken out and promptly shot.

I'm interested in hearing other replies...

That's how my thinking is currently going, but I wanted to be sure that disabling the "firewall" function wouldn't do a full "dmz". I've seen some routers that don't play nice with certain apps even when you try to open the ports they use.... I suspect it's something to do with the extra firewall function over and above the standard nat features.

[Perineum]

Yeah I'm pretty sure it wouldn't do a full DMZ as that would be an absolute nightmare of traffic. It should just stop SPI and the NAT should work as it would normally. The only times I've ever seen DMZ it basically just gave you the ip address of one machine that could be entered in... and when done basically dumps all uninvited incoming data to that IP address. Requested stuff would still go to the internal ip address of the device that requested it.

[Spblue]

NAT are and firewall two different functions, but it's fairly easy to confuse the two. You obviously did you homework and you are correct that just enabling NAT without any additional firewall function will block all incoming connections by default. I'll try to explain a bit further, so read on if you're interested.

NAT is meant to share a single public IP address between multiple machines. As side effects, it breaks all servers (listening ports) on devices behind the NAT, and as jdrom17 said, it masks your internal machines since only your public IP is visible. For NAT to work, the router has to keep track of all connections in its memory. For example, if someone is browsing the web at a computer while another family member is playing an online game through XBOX Live, the router has to know where to send the incoming information (so it sends the web pages to the computer, and the data from your online game to the XBOX).

So whenever a device behind a NAT establishes a connection, the router plays a trick and pretends that it is the one making the connection. The server on the other side will always think the connection comes from the router itself. The router then relays the traffic to the client that established the connection. This scenario makes it impossible to host, say, a web server on a NATed machine, because since the connection isn't being initiated by the client and the router isn't running the web server itself, the router has no clue where to send an incoming request and just drops the packet.

That's why NAT, by default, will not allow any incoming connections even without a firewall on. Now, to solve this, routers have an option to act as a server and fake being the client on your local network. So when web request comes in, it will accept the connection and then connect to your server to relay the information. This time, it's your server that will always think that the client is your router instead of the other way around (there are ugly routing gimmicks to get around this). Typically, for this to work, you'll have to configure virtual servers or a DMZ on a router. On home routers, the DMZ term usually means a single machine where to send all new incoming connections by default (ports 1-65535).

That's why, unless you explicitly configure a DMZ, the router will not route any incoming connections, even with the firewall off. One thing you have to be careful about is that it only works for incoming connections. If you get infected by a trojan, you computer will gleefully become part of a spam botnet without any trouble, even with NAT.

Now, as for the firewall... Since NAT already requires routers to keep track of all connections (stateful routing), it's rather easy to offer a firewall on the routers. Firewalls work even without NAT. You won't see this often on home routers, since it requires some routing knowledge to setup, but most home routers support it. For this to work, your ISP needs to route to you a block of public IPs. For example, Teksavvy (my ISP) will give you a block of 6 IPs for $10 per month. With this setup, you don't need NAT, but enabling the firewall is still a good idea. You can still choose to block incoming connections by default, but unlike NAT, you don't have to. It also makes is possible to enable some protocols that don't work well with NAT. This second option is much better from a networking standpoint, but since IPv4 space is restricted and NAT is fairly dummy-proof, ISPs always recommend NAT.

Hope my ramblings were somewhat understandable.

[BrainEater]

Yep.

A bit wordy but bang on.

-------------

NAT 's basic function is to 'remap' one IP address into another .

It only provides 'firewall-like' operation based on the fact that clients outside the network cannot initiate communication , because the 'map' is created by the clients inside the network......however this does not prevent unauthorized communication once the map has been made.


A firewall on the other hand , is designed to specifically block all unauthorized communication . This function occurs before NAT (outside the network). It's another layer of security.

--------

So to answer your question , non-firewalled NAT is not the same as a 'DMZ' . DMZ actually provides a 'hole' through both firewall and NAT.

It's worth noting that most 'home routers' don't have a true DMZ . Here's a quote from wikipedia :

" Some home routers refer to a DMZ host. A home router DMZ host is a host on the internal network that has all ports exposed, except those ports forwarded otherwise. By definition this is not a true DMZ (Demilitarized Zone), since it alone does not separate the host from the internal network. "

[Spblue]

Quote:

Originally Posted by BrainEater

Yep.

A bit wordy but bang on.

Wordy, me? Coming from a guy with 3 years long worklogs, I should feel honored. I stumbled on your ThinkTank2 worklog last month at about midnight. I just *had* to read the whole thing before going to bed and I had to be up for work at 5am. Which means I got oh, a good 2 hours of sleep. Long winded indeed.

[sswilson]

Quote:

Originally Posted by Spblue

Wordy, me? Coming from a guy with 3 years long worklogs, I should feel honored. I stumbled on your ThinkTank2 worklog last month at about midnight. I just *had* to read the whole thing before going to bed and I had to be up for work at 5am. Which means I got oh, a good 2 hours of sleep. Long winded indeed.

Hehehe.... +1 :)


Thanks for all of the info folks. Pretty well satisfied me that my thinking was going in the right direction, but I wanted to be sure.

[Phobia]

Quote:

Originally Posted by sswilson

Hehehe.... +1 :)


Thanks for all of the info folks. Pretty well satisfied me that my thinking was going in the right direction, but I wanted to be sure.

were you thinking of MW2 when you researched this? I still don't understand the difference of mw2's open, moderate and restricted NATs.