One of the reasons that people buy a router, aside from sharing their Internet connection, is to protect their LAN computers from Internet-based attacks.  The primary means of protection is the firewall function that a router or proxy provides. What is a firewall?  The ICSA Firewall Buyers Guide provides a good definition:
Put simply, a firewall is a mechanism used to protect a trusted network from an untrusted network, usually while still allowing traffic between the two.

There are many ways to implement a firewall, but the most popular for both hardware and software routers is Network Address Translation or NAT.  Most inexpensive routers use NAT as the means to share one IP address among many computers.   NAT also provides a natural firewall that will protect the computers behind it from access by unauthorized users.  How?  The following excerpt from the Vicomsoft page linked above explains:

NAT automatically provides firewall-style protection without any special set-up. That is because it only allows connections that are originated on the inside network. 

This means, for example, that an internal client can connect to an outside FTP server, but an outside client will not be able to connect to an internal FTP server because it would have to originate the connection, and NAT will not allow that.   
 

Check out those packets!

While looking at sharing product information, you might come across the term "stateful inspection" (sometimes abbreviated as "SPI"). What is this and why do you care?

All NAT firewalls perform a simple form of "stateful inspection" of the packets that flow through them. (If you want to know more about how this works, this part of the Vicomsoft NAT article provides a pretty clear explanation.)

This "stateful inspection" is a good thing and is what prevents unrequested data from coming into your LAN from the Internet (unless you configure the router to allow the data to come in).  NAT's basic capability actually provides a good amount of protection!  All properly configured NAT-based routers protect against the following types of attacks:

  • Port Scans

  • WinNuke (and other Port 139-based attacks)

  • Smurf (protection against LAN Clients being used as part of the "Amplifier network")

  • Connection or service requests that did not originate from the LAN side of the firewall.

"SPI" based routers implement some form of advanced "stateful inspection" in their firewall. There are many methods used, but this means that the router takes a closer look at the contents of the data packet before deciding whether to pass or block it.  For example, Sonic Systems' Sonicwall series of routers can provide additional protection such as:

  • blocking Java, ActiveX, and Cookie portions of downloaded web pages

  • blocking access to WAN Proxy servers

  • blocking "IP Spoofing" attacks

  • blocking malformed IP packet attacks such as "Ping of Death", and variants such as "Teardrop", "Bonk", and "Nestea"

  • blocking SYN flood and LAND attacks

Note: A NAT firewall does not protect you against viruses, worms, Trojans and other Internet-borne nasties.  You'll need up-to-date antivirus software to protect against those! See security threats for more info.

"SPI" based routers usually can log detected attacks and email an alert to you so that you know that someone's trying to gain access to your LAN.
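The following is an added example, not code from any router vendor or from the original article: a sketch of the kind of per-packet checks an "SPI" firewall applies to traffic arriving on the WAN side, covering spoofed source addresses, LAND packets and oversized fragments of the "Ping of Death" kind. The LAN range, the packet dictionary layout and the function name are assumptions made for the illustration.

```python
import ipaddress

LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range
MAX_IP_DATAGRAM = 65535                            # largest legal IPv4 datagram
IP_HEADER_LEN = 20                                 # minimum IPv4 header, in bytes

def inspect_wan_packet(pkt):
    """Return (verdict, reason) for a packet arriving on the WAN interface.

    pkt is a dict (hypothetical layout) with src, dst, sport, dport,
    frag_offset (in 8-byte units) and payload_len (bytes in this fragment).
    """
    src = ipaddress.ip_address(pkt["src"])
    # IP spoofing: nothing arriving from the Internet can truly come from the LAN.
    if src in LAN_NET or src.is_loopback:
        return "block", "spoofed source address"
    # LAND: source and destination address and port are identical.
    if pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"]:
        return "block", "LAND packet"
    # Ping of Death: this fragment would push the reassembled datagram past 65535 bytes.
    end_of_data = pkt["frag_offset"] * 8 + pkt["payload_len"]
    if end_of_data > MAX_IP_DATAGRAM - IP_HEADER_LEN:
        return "block", "oversized reassembled datagram"
    return "pass", "no anomaly found"

# Constructed sample packets; 203.0.113.10 stands in for the router's WAN address.
SAMPLES = [
    {"src": "198.51.100.7", "dst": "203.0.113.10", "sport": 80, "dport": 40001,
     "frag_offset": 0, "payload_len": 1480},
    {"src": "192.168.1.50", "dst": "203.0.113.10", "sport": 1025, "dport": 139,
     "frag_offset": 0, "payload_len": 40},
    {"src": "203.0.113.10", "dst": "203.0.113.10", "sport": 139, "dport": 139,
     "frag_offset": 0, "payload_len": 40},
    {"src": "198.51.100.7", "dst": "203.0.113.10", "sport": 0, "dport": 0,
     "frag_offset": 8189, "payload_len": 1480},
]

def attack_log(packets):
    """Collect the (source, reason) entries a router would log or email as alerts."""
    return [(p["src"], reason) for p in packets
            for verdict, reason in [inspect_wan_packet(p)] if verdict == "block"]

if __name__ == "__main__":
    for entry in attack_log(SAMPLES):
        print(entry)
```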


Open with Care!

Almost all routers come with some ability to place a computer outside the firewall or to open holes in the firewall.  Use these features with care!  Any port that you open in the firewall can allow unrequested data to come into your LAN from the Internet.

Opening holes in your firewall can compromise your LAN's security if done incorrectly. Please read this information on Security.

Be sure to also set a strong administrator password on the routers that provide this feature.  A router with a computer outside its firewall, or holes opened in the firewall, and no password is an invitation for trouble!

Visit the Secure your LAN area for more info on what you need to do to have a healthy and happy LAN.  This info in particular is important if you are doing anything with your router's firewall.
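To make the NAT behaviour described earlier and the effect of opened ports and DMZ hosts concrete, here is an added example (not from the original article or any router's firmware): a toy model of a NAT translation table. It assumes the router matches replies on remote address and port as well as the mapped WAN port, which is stricter than some home routers; all addresses, ports and names are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

WAN_IP = "203.0.113.10"  # constructed public address (documentation range)

@dataclass
class NatRouter:
    """Toy NAT table; all addresses and ports below are constructed samples."""
    next_port: int = 40000
    sessions: dict = field(default_factory=dict)  # state created by outbound traffic
    forwards: dict = field(default_factory=dict)  # holes opened by the administrator
    dmz_host: Optional[str] = None                # LAN host placed outside the firewall

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN client starts a connection: record state, rewrite the source."""
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[(wan_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return WAN_IP, wan_port

    def inbound(self, remote_ip, remote_port, wan_port):
        """Return the LAN (ip, port) a WAN packet is delivered to, or None if dropped."""
        key = (wan_port, remote_ip, remote_port)
        if key in self.sessions:        # reply to a connection the LAN originated
            return self.sessions[key]
        if wan_port in self.forwards:   # opened port: any Internet host gets through
            return self.forwards[wan_port]
        if self.dmz_host:               # DMZ host receives all other unsolicited traffic
            return (self.dmz_host, wan_port)
        return None                     # no state and no hole: dropped

def demo():
    r = NatRouter()
    _, wan_port = r.outbound("192.168.1.20", 51000, "198.51.100.7", 21)
    seen = {
        "reply": r.inbound("198.51.100.7", 21, wan_port),
        "stranger_on_mapped_port": r.inbound("192.0.2.99", 21, wan_port),
        "unsolicited_ftp": r.inbound("192.0.2.99", 4444, 21),
    }
    r.forwards[21] = ("192.168.1.30", 21)  # administrator forwards FTP to a LAN server
    seen["unsolicited_ftp_after_forward"] = r.inbound("192.0.2.99", 4444, 21)
    r.forwards.clear()
    r.dmz_host = "192.168.1.40"            # one PC placed outside the firewall
    seen["unsolicited_139_with_dmz"] = r.inbound("192.0.2.99", 4444, 139)
    return seen

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:32} -> {result}")
```

The same unsolicited FTP packet is dropped before the port is forwarded and delivered afterwards, and with a DMZ host set even a port 139 probe reaches a LAN machine, which is why those hosts need their own protection.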


Personal Firewalls

No matter how you protect the Internet/LAN border, you may need to add another layer of security by using a software personal firewall. These programs must be run on each computer on your LAN that you want to be protected.  They monitor network activity and protect against unauthorized use of the Internet by programs that manage to get onto your LAN's computers.

You should consider adding this additional layer of security if:

  • You are opening/forwarding/mapping ports to any LAN computers

  • You have a computer running in DMZ (outside your NAT firewall)

  • You have been a victim of an email attachment virus attack, e.g. "I Love You", Kournikova, etc.

These programs can be a bit of a pain to get correctly configured, but when they reveal something going on in your network that you didn't know about, you'll be glad you installed them!

Go to this page for a list of these programs.


Learn more!

If you're interested in learning more about NAT and firewalls, check these articles:


