Basic Firewall Set-up Options

Can someone explain, in simple English, what firewall options one should select to feel assured of being adequately protected? Also, perhaps you can give me a crash-course in how a PC communicates with the Internet? What do I need to know about IP, TCP, UDP, etc.? Last, is there a difference between a port and a, hmm, protocol, I think it is? When I go to set up a rule, I think I have the choice to block a port or a protocol, IIRC.

Please help…

  • Jinx

The simplest way to set up a firewall is to block everything and then carefully unblock certain ports and protocols as needed by the applications you want to run. The details depend on exactly which firewall you’re running.

A port is analogous to a separate line coming into your computer. You have one TCP/IP connection, but lots of different apps need to use it, so they all use separate ports. Most apps will use two ports, talking on one and listening on another. Many choose their ports dynamically, so they’ll just pick two free ports, send an outgoing request on one and tell the recipient of that request they’ll be listening on the other for the response. Some applications and protocols have standard ports defined and reserved, especially things like servers so the outside world always knows what port they’re listening on.

A protocol is analogous to the language you speak. Protocols include things like HTTP (for web) and SMTP (for mail) which simply define how a request and response are formatted so the applications can understand one another. Lower level protocols like TCP and UDP are used by higher level protocols for basic communication services. Many protocols are tied to default ports. For example, HTTP servers typically listen for incoming queries on port 80. SMTP typically listens on port 25. Any given HTTP or SMTP server can choose to listen to some non-default port, but that restricts how easily it can be accessed. Many firewalls will block incoming traffic on port 80 and port 25 if the local machines are not running web and mail servers, and this provides good security against something like a default Windows install inadvertently exposing a computer through IIS (web server) when the user had no intention of running a web server. However, nothing stops a malicious program like a trojan from setting up web services on another port. Unless you’re very careful about what applications/services are running and what ports they’re using, you’re better off using a very restrictive firewall rule set and only unblocking things you know you specifically need.

Based on your questions, I’m assuming you’re an end user, probably with your pc at home, running no services (such as hosting a web site or an email server).

If you have broadband connectivity (DSL or cable), the odds are that your modem/router (the box your service provider put in that sits between you and the socket in the wall that leads to the internet) already has NAT. You can visit their web site, or call and ask them. If so, NAT is as much firewall as you need and you’re fine on that front.

Your bigger concerns are probably viruses, spam, etc., and these things aren’t blocked by firewalls.

Yes, this is for a home system. And yes, you may have hit on something here. Your suggestion may have some merit, but this doesn’t explain the full picture of what’s going on here. If you are correct, then my firewall is just a little extra added protection against hackers, I guess…just in case a hacker gets through the NAT?

a) Can you clarify what a NAT will and will not do? Can it prevent others from accessing my PC - whether to install some nasty file or to search and steal passwords and/or credit card info? Can it stop those annoying pop-ups? How does NAT know not to block a McAfee Virus auto-download, for example…does it have a long list of things deemed safe?

b) I should ask: Are you sure the NAT isn’t just protecting their server while allowing anything else to pass through? For example, I once thought my internet provider would be screening for viruses via emails because THEY wouldn’t want these nasties coming through their server. But, I later learned that (a) yes the provider is protected from viruses but (b) emails just pass through to the end-user…or, is this a bad example because viruses are sent as attachments in this case?

c) One last thought: The NAT does not prevent me from the risk of some rogue or hostile cable employee from hacking to my computer, right? Hmm…

I’ll check back for your reply. In the meantime, I will check with my provider…

  • Jinx

I’m not the expert Bill is, but I’ll give it a go since this seems to be falling off the page.

NAT is “network address translation”. You assign non-routable IP addresses to the machines on your LAN and point them to a gateway machine (computer or router) that performs NAT. Only the NAT box is really “on the Internet” since only it has a routable IP address. This means that when some bad guy scans your provider’s IP space looking for vulnerable machines, they can’t scan your computers because they can’t reach them. They can only scan the NAT box. This protects you from a lot of unsolicited attacks like script kiddies port scanning for machines vulnerable to the exploit du jour. It doesn’t protect you from attacks you invite in by opening a virus-infected file, inadvertently installing a trojan or spyware, or clicking on a website that exploits some vulnerability in your browser.

Note that for this to work, you have to make sure the box running NAT is secure. In a lot of cases, people run a stripped-down Linux box with IPTables or IPChains which acts as a firewall and NAT. As long as that computer is used for nothing else, you can make it pretty secure because you’re not exposing a bunch of holes like webservers or telnet access. In many cases people perform NAT on a router instead of a computer, so you just have to take steps to turn off telnet capabilities and set access passwords to make it secure. If someone gains access to the NAT box, they can compromise the rest of your network, but the idea is that it’s easier to secure a box which does a limited number of things like NAT instead of trying to secure a bunch of Windows boxes that have hundreds of random applications and services running.

Running NAT on your box does nothing to protect your provider’s server. You’re hiding your LAN behind a gateway you run.

It depends on where you install your NAT and how much access the cable company has. If it were me, I’d leave my cable modem in the default setup and connect a NAT box behind it. The cable company may be able to gain access to the cable modem, but they should not be able to get into your NAT box, much less get past the NAT to the LAN behind it. If you count on the cable modem itself to perform NAT, then it’s possible the cable company could gain access. As noted above, you have to secure the box running NAT, and the cable company may have back doors into the hardware they provide in order to facilitate support.

For the most part, what micco said.

A few additions:

Service Provider Equipment and NAT
The odds are that your provider has put a box in your house (likely 8" x 8" by 2", but it could be any size) that your computer plugs into and this box plugs into some jack that goes to the internet. This is a single box which has a few functions. The most important function in our current context is that it likely does NAT. micco gave a good description of what NAT is and does. NAT gives you an IP address that no one on the Internet can see. When you go to some web site, you’re really going to your NAT device, which then goes to the web site, receives the response and sends it back to you. So from the web site’s point of view, it was visited by the NAT box.

Hardening
What micco said about protecting (referred to as “hardening” in the biz) NAT boxes (and network-connected devices in general) is true, but not really applicable in your case. You likely have only one box, and this box is very specialized to its purpose. It’s not configurable by anyone except your service provider. In fact, you can’t even get into it, as your provider will not give you the password. It’s their property, and the way they see things, your internet service begins at the jack that comes out of this device and is connected to your computer.

What a firewall will protect against
NAT is a type of firewall. NAT or any other firewall will protect you against:
Bad guys connecting to your computer and doing malicious stuff, such as stealing your info or destroying your computer. This includes automated worms, such as Code Red (to name one you may have heard of).

What a firewall will not protect against
Firewalls won’t keep you from getting viruses. These are spread mainly by email and downloads of infected programs. The best thing you can do to protect yourself from these is to keep your computer up-to-date with security patches on a regular basis. And of course, don’t run ANYTHING on your computer that you don’t have 100% confidence is clean. When someone sends you that file “hot-lesbians-in-love.exe”, don’t touch it; it’s a trap.

Firewalls won’t keep you from getting hit by pop-ups. These are spread mainly by ugly web sites that install browser plug-ins. The thing is, you’re asked if you want to install them, so any time you see a dialog box asking if you want to install something, ALWAYS respond no.

If you do the basic things I’ve outlined above (get NAT, keep your security patches up to date, don’t run anything you don’t trust, don’t accept any plugin installations), you will likely NEVER run into a security problem. There are of course exceptions, but they are rare. I for example, only do the above and have never had a virus or pop-up or break-in.

What your provider can maliciously do
Well, the fact is, your provider is the only one who can get past your NAT firewall, so technically, you are vulnerable to them. But practically, it’s highly unlikely they would do anything, especially if they’re of any size and reputation. If you are seriously concerned about this, you’ll want to get a second firewall that only you control and put it in place, but for my money that’s a bit extreme.

SA checking in.

For clarification, NAT is not a firewall. As the name implies, NAT is network address translation. I can have a box doing utterly transparent NAT that will simply map one IP to another, without performing any sort of firewalling functions. A firewall, on the other hand, is a piece of hardware/software that explicitly denies access to a network resource by dropping unwanted data into the bit bucket. Hoping that you and a whole bunch of other folks are NAT’d to one public IP is just security through obscurity, and on most high-speed setups that I’ve seen this doesn’t even happen either. Instead the magic little box is usually just a transparent bridge, which won’t do a single bit of packet filtering.

In short get a firewall.
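A toy model of the two behaviours the posters above describe: micco’s and Bill’s NAT gateway, which has nowhere to send an inbound packet unless an earlier outbound packet created a mapping, versus the transparent bridge the last reply mentions, which passes everything through untouched. This is an added example, not code from any poster; the addresses, ports and class names are constructed for illustration.

```python
# Toy model of a port-overloading NAT gateway versus a transparent bridge.
# All addresses and ports below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Many LAN hosts share one public IP; each flow gets its own public port."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # public port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.table: dict = {}

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the source to the public IP and a
        dedicated public port, recording the mapping so replies can return."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, entry in self.table.items():
            if entry == key:        # reuse the mapping for an existing flow
                break
        else:
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.table[pub_port] = key
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: only a packet matching an existing mapping (same
        remote host and port, same public port) is translated back to the LAN
        host. Anything else, such as an unsolicited scan, has no LAN
        destination and is dropped (None)."""
        entry = self.table.get(pkt.dst_port)
        if entry is None or entry[2:] != (pkt.src_ip, pkt.src_port):
            return None
        return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])


class TransparentBridge:
    """A bridge neither translates nor filters: every packet passes through."""

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        return pkt
```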

I don’t know what an SA is, but you can check my credentials below. In the context of this thread, which should be obvious to anyone who’s ever touched a router or security device, NAT is a firewall. period.

Sorry to harp on this, but BMU, the phrase “security through obscurity” means something different than what you think it does.

Security through obscurity is not when you hide something from someone. Hell, by that definition, encrypting a file is security through obscurity.

Security through obscurity refers to hiding how a system works and then treating that non-disclosure as part of the security system itself. For example, if you hide your key under the mat, it’s security through obscurity because you’re relying on the burglar not knowing where the key is rather than the strength of the lock to protect you.

In the topic at hand, there’s nothing obscure about the concept of NAT. It’s a well-accepted, well-established security system that’s been tested by time.

(also, as a general rule, the term “security through obscurity” is used when referring to cryptographic algorithms, most typically encryption algorithms. Therefore, NAT is much further removed from being an applicable application of the term.)

There are many places you can read more about the concept of security through obscurity; Wikipedia is as good as any.