There are many ways to implement a firewall, but the most popular for both hardware and software routers is Network Address Translation or NAT. Most inexpensive routers use NAT as the means to share one IP address among many computers. NAT also provides a natural firewall that will protect the computers behind it from access by unauthorized users. How? The following excerpt from the Vicomsoft page linked above explains:
This means, for example, that an internal client can connect to
an outside FTP server, but an outside client will not be able
to connect to an internal FTP server because it would have to
originate the connection, and NAT will not allow that.
While looking at sharing product information, you might come across the term "stateful inspection" (sometimes abbreviated as "SPI"). What is this and why do you care?
All NAT firewalls perform a simple form of "stateful inspection" of the packets that flow through them. (If you want to know more about how this works, this part of the Vicomsoft NAT article provides a pretty clear explanation.)
This "stateful inspection" is a good thing and is what prevents unrequested data from coming into your LAN from the Internet (unless you configure the router to allow the data to come in). NAT's basic capability actually provides a good amount of protection! All properly configured NAT-based routers protect against the following types of attacks:
"SPI" based routers implement some form of advanced "stateful inspection" in their firewall. There are many methods used, but this means that the router takes a closer look at the contents of the data packet before deciding whether to pass or block it. For example, Sonic Systems' Sonicwall series of routers can provide additional protection such as:
Note: A NAT firewall does not protect you against viruses, worms, Trojans and other Internet-borne nasties. You'll need up-to-date antivirus software to protect against those! See security threats for more info.
"SPI" based routers usually can log detected attacks and email an alert to you so that you know that someone's trying to gain access to your LAN.
Almost all routers come with some sort of ability to place a computer outside the firewall or open holes in the firewall. Use these features with care! Any port that you open in the firewall can allow unrequested data to come into your LAN from the Internet.
Opening holes in your firewall can compromise your LAN's security if done incorrectly. Please read this information on Security.
Be sure to also set a strong administrator password on the routers that provide this feature. A router with a computer outside its firewall, or holes opened in the firewall, and no password is an invitation for trouble!
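To make the basic "stateful inspection" and the effect of opening a port concrete, here is a small model of a NAT router's translation table. It is an example added here, not code from any router or from the Vicomsoft article. The class and function names and all addresses and ports are constructed, and the model assumes replies are matched on both remote address and port, which is stricter than some routers.

```python
# Added illustration: a toy model of a NAT router's translation table.
# All names, addresses and ports below are constructed for this example.

class NatRouter:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.sessions = {}   # public_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.forwards = {}   # public_port -> (lan_ip, lan_port): manually opened holes
        self.next_port = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN client originates a connection: record state, rewrite the source."""
        public_port = self.next_port
        self.next_port += 1
        self.sessions[public_port] = (lan_ip, lan_port, remote_ip, remote_port)
        return (self.public_ip, public_port)

    def open_port(self, public_port, lan_ip, lan_port):
        """Administrator opens a hole: this port now accepts unrequested traffic."""
        self.forwards[public_port] = (lan_ip, lan_port)

    def inbound(self, remote_ip, remote_port, public_port):
        """Decide what to do with a packet arriving from the Internet."""
        state = self.sessions.get(public_port)
        if state and state[2:] == (remote_ip, remote_port):
            return ("deliver", state[0], state[1])   # reply to a session the LAN started
        if public_port in self.forwards:
            return ("deliver",) + self.forwards[public_port]  # open hole: any sender passes
        return ("drop", None, None)                  # unrequested data is discarded


def demo():
    nat = NatRouter("203.0.113.10")
    results = {}
    # An internal client connects to an outside FTP server; the reply comes back.
    _, pport = nat.outbound("192.168.1.20", 51000, "198.51.100.5", 21)
    results["reply"] = nat.inbound("198.51.100.5", 21, pport)
    # A different outside host sends to the same public port: no matching state.
    results["other_host"] = nat.inbound("198.51.100.99", 21, pport)
    # An outside client tries to originate a connection to an internal FTP server.
    results["unsolicited"] = nat.inbound("198.51.100.99", 40222, 21)
    # The same attempt after port 21 has been opened to an internal machine.
    nat.open_port(21, "192.168.1.30", 21)
    results["after_open"] = nat.inbound("198.51.100.99", 40222, 21)
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict}")
```

The last two results are the same packet before and after the port is opened: once the hole exists, the router delivers it no matter who sent it.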
No matter how you protect the Internet/LAN border, you may need to add another layer of security by using a software personal firewall. These programs must be run on each computer on your LAN that you want to be protected. They monitor network activity and protect against unauthorized use of the Internet by programs that manage to get onto your LAN's computers.
You should consider adding this additional layer of security if:
These programs can be a bit of a pain to get correctly configured, but when they reveal something going on in your network that you didn't know about, you'll be glad you installed them!
Go to this page for a list of these programs.
If you're interested in learning more about NAT and firewalls, check these articles: