One of the reasons that people buy a router, aside from sharing their Internet connection, is to protect their LAN computers from Internet-based attacks. The primary means of protection is the firewall function that a router or proxy provides.
What is a firewall?
The ICSA Firewall Buyers Guide provides a good definition:
Put simply, a firewall is a mechanism used to protect a trusted network from an untrusted network, usually while still allowing traffic between the two.
There are many ways to implement a firewall, but the most common for both hardware and software routers is Network Address Translation, or NAT. Strictly speaking, NAT is an address-sharing technique rather than a firewall, but the way it works gives you firewall-style protection as a side effect.
Most inexpensive routers use NAT as the means to share one public IP address among many computers.
To do that, the router keeps a table of the connections that LAN computers have opened, so that it knows which computer each reply belongs to. A packet arriving from the Internet that matches no entry in that table has nowhere to go and is discarded. That table is what protects the computers behind the router from access by unauthorized users, and it works without any special set-up, because only connections originated on the inside network ever create an entry.
This means, for example, that an internal client can connect to an outside FTP server, but an outside client will not be able to connect to an internal FTP server: it would have to originate the connection, and the router has no table entry (and no idea which LAN computer the packet is meant for) for a connection that nobody inside started.
Check out those packets!
While looking at sharing product information, you might come across the term “stateful inspection” (sometimes abbreviated as “SPI”).
What is this and why do you care?
All NAT routers perform a simple form of "stateful inspection" of the packets that flow through them: they track which connections were opened from the LAN side and let an inbound packet through only when it belongs to one of those connections.
This "stateful inspection" is a good thing and is what prevents unrequested data from coming into your LAN from the Internet (unless you configure the router to allow the data to come in). NAT's basic capability actually provides a good amount of protection! Note that it protects the computers behind the router; the router's own WAN interface is still visible to a port scan, which is one reason to set a strong administrator password (see below). All properly configured NAT-based routers protect the LAN against the following types of attacks:
- Port Scans
- WinNuke (and other Port 139-based attacks)
- Smurf (protection against LAN Clients being used as part of the “Amplifier network”)
- Connection or service requests that did not originate from the LAN side of the firewall.
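The connection-table behaviour described above, as an added example (this is illustration code written for this page, not any router vendor's implementation). It models a symmetric NAT: an outbound packet from the LAN creates a table entry and is rewritten to the router's public address; an inbound packet is passed inward only when it matches an entry, and even a packet to a mapped public port is dropped if it comes from the wrong peer (which is what defeats a port scan). It also includes one administrator-opened hole, a forwarded port, to show how such a hole lets unrequested traffic through. All addresses and ports are constructed for the example.

```python
"""Toy NAT connection tracker (added example; not any vendor's code).

Rule modelled: a packet from the Internet is only passed inward when it
matches a connection the LAN side started, or a hole the administrator
opened on purpose (port forwarding). Addresses below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LAN_PREFIX = "192.168.1."   # assumed private LAN range
WAN_IP = "203.0.113.5"      # assumed public address of the router


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Conn:
    lan_ip: str
    lan_port: int
    remote_ip: str
    remote_port: int


class NatRouter:
    def __init__(self, forwards: Optional[Dict[Tuple[int, str], Tuple[str, int]]] = None) -> None:
        # Connection table: (public port, proto) -> who opened it, and to whom.
        self.conns: Dict[Tuple[int, str], Conn] = {}
        # Static holes opened by the admin: (public port, proto) -> (lan_ip, lan_port).
        self.forwards: Dict[Tuple[int, str], Tuple[str, int]] = dict(forwards or {})
        self.next_port = 40000

    def _alloc(self, pkt: Packet) -> int:
        """Return the public port for this LAN flow, creating a table entry if new."""
        wanted = Conn(pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for (port, proto), conn in self.conns.items():
            if proto == pkt.proto and conn == wanted:
                return port
        port, self.next_port = self.next_port, self.next_port + 1
        self.conns[(port, pkt.proto)] = wanted
        return port

    def handle(self, pkt: Packet, arrives_on: str) -> Tuple[str, Optional[Packet]]:
        """Return (verdict, packet as it leaves the router, or None if dropped)."""
        if arrives_on == "lan":
            if not pkt.src.startswith(LAN_PREFIX):
                return "drop: LAN-side packet with non-LAN source", None
            port = self._alloc(pkt)
            # Outbound: rewrite the source to the router's public address and port.
            return "forward", Packet(WAN_IP, port, pkt.dst, pkt.dport, pkt.proto)

        # Internet side.
        if pkt.dst != WAN_IP:
            return "drop: not addressed to the router", None
        key = (pkt.dport, pkt.proto)
        conn = self.conns.get(key)
        if conn is not None:
            if (pkt.src, pkt.sport) != (conn.remote_ip, conn.remote_port):
                return "drop: mapped port but wrong peer", None
            # Reply to a LAN-originated connection: rewrite the destination back.
            return "forward", Packet(pkt.src, pkt.sport, conn.lan_ip, conn.lan_port, pkt.proto)
        if key in self.forwards:
            lan_ip, lan_port = self.forwards[key]
            return "forward (opened hole)", Packet(pkt.src, pkt.sport, lan_ip, lan_port, pkt.proto)
        return "drop: no LAN-originated connection matches", None


def run_scenario() -> List[str]:
    """Replay a constructed packet sequence and return the router's verdicts."""
    router = NatRouter(forwards={(80, "tcp"): ("192.168.1.20", 80)})  # admin opened port 80
    client, ftp_server, scanner = "192.168.1.10", "198.51.100.7", "198.51.100.9"
    steps = [
        # 1. A LAN client opens a connection to an outside FTP server.
        (Packet(client, 51000, ftp_server, 21), "lan"),
        # 2. The server's reply comes back to the public port the router handed out.
        (Packet(ftp_server, 21, WAN_IP, 40000), "wan"),
        # 3. An outsider tries to reach an "internal FTP server" on port 21.
        (Packet(scanner, 5555, WAN_IP, 21), "wan"),
        # 4. A port scan hits the mapped port 40000, but from the wrong peer.
        (Packet(scanner, 5555, WAN_IP, 40000), "wan"),
        # 5. The forwarded port 80 passes unrequested traffic through to 192.168.1.20.
        (Packet(scanner, 5555, WAN_IP, 80), "wan"),
    ]
    verdicts = []
    for pkt, side in steps:
        verdict, out = router.handle(pkt, side)
        verdicts.append(verdict)
        rewritten = f"  [{out.src}:{out.sport} -> {out.dst}:{out.dport}]" if out else ""
        print(f"{side:>3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  => {verdict}{rewritten}")
    return verdicts


if __name__ == "__main__":
    run_scenario()
```

Steps 3 and 4 are the point of the section: nothing inside asked for those packets, so the router has no entry to match them against and they are dropped. Step 5 is the "Open with Care" case, discussed later on this page: once a port is forwarded, the table is bypassed for that port and the LAN computer behind it is reachable by anyone.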
"SPI" based routers implement some form of advanced "stateful inspection" in their firewall. There are many methods used, but in general it means that the router takes a closer look at the contents and consistency of each packet, not just at whether it matches a known connection, before deciding whether to pass or block it.
For example, Sonic Systems’ Sonicwall series of routers can provide additional protection such as:
- blocking Java, ActiveX, and Cookie portions of downloaded web pages
- blocking access to WAN Proxy servers
- blocking “IP Spoofing” attacks
- blocking malformed IP packet attacks such as “Ping of Death”, and variants such as “Teardrop”, “Bonk”, and “Nestea”
- blocking SYN flood and LAND attacks
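To make the "closer look at the contents of the packet" concrete, here is an added, deliberately simplified set of checks for four of the items in the list above: IP spoofing, LAND, Ping of Death and overlapping fragments (the Teardrop family). This is illustration code written for this page, not SonicWALL's or any other vendor's logic, and the packets it inspects are constructed dictionaries rather than real captures. The LAN range, router address and header field names are all assumptions made for the example.

```python
"""Simplified SPI-style packet sanity checks (added example; not vendor code).

Each packet is a constructed dict with the header fields the checks need:
iface ("wan"/"lan"), src, dst, proto, optional sport/dport, ip_id,
frag_offset (in 8-byte units, as in the IP header), more_fragments, and
length (payload bytes carried by this packet or fragment).
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN range
MAX_IP_DATAGRAM = 65535                            # largest legal reassembled IP datagram


def check_spoof(pkt: dict) -> Optional[str]:
    """A packet arriving from the Internet that claims a LAN or loopback source is forged."""
    if pkt["iface"] != "wan":
        return None
    src = ipaddress.ip_address(pkt["src"])
    if src in LAN_NET or src.is_loopback:
        return "IP spoofing: Internet-side packet with internal source address"
    return None


def check_land(pkt: dict) -> Optional[str]:
    """LAND: source and destination address (and, for TCP/UDP, port) are identical."""
    if pkt["src"] == pkt["dst"] and pkt.get("sport") == pkt.get("dport"):
        return "LAND: source equals destination"
    return None


def check_ping_of_death(pkt: dict) -> Optional[str]:
    """Ping of Death: a fragment whose data would land beyond the 65535-byte limit."""
    end = pkt.get("frag_offset", 0) * 8 + pkt["length"]
    if end > MAX_IP_DATAGRAM:
        return f"Ping of Death: fragment would reassemble past {MAX_IP_DATAGRAM} bytes (ends at {end})"
    return None


class FragmentTracker:
    """Remembers the byte ranges seen per datagram and flags overlapping fragments."""

    def __init__(self) -> None:
        self.seen: Dict[Tuple[str, str, int], List[Tuple[int, int]]] = {}

    def check(self, pkt: dict) -> Optional[str]:
        if not (pkt.get("more_fragments") or pkt.get("frag_offset")):
            return None  # not a fragment
        key = (pkt["src"], pkt["dst"], pkt["ip_id"])
        start = pkt.get("frag_offset", 0) * 8
        end = start + pkt["length"]
        for seen_start, seen_end in self.seen.get(key, []):
            if start < seen_end and seen_start < end:
                return "Teardrop-style: overlapping IP fragments"
        self.seen.setdefault(key, []).append((start, end))
        return None


def inspect(pkts: List[dict]) -> List[str]:
    """Run every check on every packet; return the first reason to block, or 'pass'."""
    tracker = FragmentTracker()
    verdicts = []
    for pkt in pkts:
        reason = (check_spoof(pkt) or check_land(pkt)
                  or check_ping_of_death(pkt) or tracker.check(pkt))
        verdicts.append(reason or "pass")
    return verdicts


# Constructed sample traffic, all arriving on the WAN side of a router at 203.0.113.5.
SAMPLE_PACKETS = [
    # Ordinary reply packet.
    {"iface": "wan", "src": "198.51.100.7", "dst": "203.0.113.5", "proto": "tcp",
     "sport": 443, "dport": 40000, "ip_id": 1, "length": 512},
    # Claims to come from inside the LAN: spoofed.
    {"iface": "wan", "src": "192.168.1.10", "dst": "203.0.113.5", "proto": "tcp",
     "sport": 1024, "dport": 139, "ip_id": 2, "length": 40},
    # LAND: the router's own address and port as both source and destination.
    {"iface": "wan", "src": "203.0.113.5", "dst": "203.0.113.5", "proto": "tcp",
     "sport": 139, "dport": 139, "ip_id": 3, "length": 40},
    # Ping of Death: last ICMP fragment placed past the end of a legal datagram.
    {"iface": "wan", "src": "198.51.100.9", "dst": "203.0.113.5", "proto": "icmp",
     "ip_id": 5, "frag_offset": 8189, "more_fragments": False, "length": 64},
    # Teardrop: first fragment covers bytes 0-399, second claims bytes 160-359.
    {"iface": "wan", "src": "198.51.100.9", "dst": "203.0.113.5", "proto": "udp",
     "ip_id": 7, "frag_offset": 0, "more_fragments": True, "length": 400},
    {"iface": "wan", "src": "198.51.100.9", "dst": "203.0.113.5", "proto": "udp",
     "ip_id": 7, "frag_offset": 20, "more_fragments": True, "length": 200},
    # A well-formed continuation fragment (bytes 400-499) is still accepted.
    {"iface": "wan", "src": "198.51.100.9", "dst": "203.0.113.5", "proto": "udp",
     "ip_id": 7, "frag_offset": 50, "more_fragments": False, "length": 100},
]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, inspect(SAMPLE_PACKETS)):
        print(f"{pkt['src']} -> {pkt['dst']} (id {pkt['ip_id']}): {verdict}")
```

None of these checks needs a connection table; they look at the packet itself, which is exactly the difference between plain NAT and an "SPI" router. A real product also has to expire the fragment state it keeps, or a flood of half-sent datagrams becomes a way to exhaust its memory.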
Note: A NAT firewall does not protect you against viruses, worms, Trojans and other Internet-borne nasties that arrive inside traffic you asked for, such as email and downloads. You'll need up-to-date anti-virus software to protect against those! See security threats for more info.
“SPI” based routers usually can log detected attacks and email an alert to you so that you know that someone’s trying to gain access to your LAN.
Open with Care!
Almost all routers come with some ability to place a computer outside the firewall (often called a DMZ host) or to open holes in the firewall by forwarding ports. Use these features with care! Any port that you open in the firewall allows unrequested data to come into your LAN from the Internet, because the router no longer waits for a LAN computer to start the connection first.
Opening holes in your firewall can compromise your LAN’s security if done incorrectly. Please read this information on Security.
Be sure to also set a strong administrator password on the routers that provide this feature, and leave remote (WAN-side) administration turned off unless you really need it. A router with a computer outside its firewall, or holes opened in the firewall, and no password is an invitation for trouble!
Visit the Secure your LAN area for more info on what you need to do to have a healthy and happy LAN.
This info in particular is important if you are doing anything with your router’s firewall.
No matter how you protect the Internet/LAN border, you may need to add another layer of security by using a software personal firewall. These programs must be run on each computer on your LAN that you want to be protected. They monitor network activity and protect against unauthorized use of the Internet by programs that manage to get onto your LAN’s computers.
You should consider adding this additional layer of security if:
- You are opening/forwarding/mapping ports to any LAN computers
- You have a computer running in DMZ (outside your NAT firewall)
- You have been a victim of an email attachment virus attack, e.g. "I Love You", Kournikova, etc.
These programs can be a bit of a pain to get correctly configured, but when they reveal something going on in your network that you didn’t know about, you’ll be glad you installed them!
Go to this page for a list of these programs.
If you’re interested in learning more about NAT and firewalls, check these articles: