IT-Expert on Call


How Does Your Firewall Work?

NAT Devices — Not all firewalls are built the same!

The most common type of firewall is the NAT device. NAT stands for Network Address Translation. While firewall 'purists' don't consider NAT devices, in and of themselves, to be true firewalls, they do shield your internal network from direct attack by Internet intruders. Most firewalls, whether hardware (SOHO routers and dedicated Internet connection sharing appliances) or software (such as Internet Connection Sharing on Windows XP), provide NAT. It is NAT that lets one Internet connection be shared: a single address faces the Internet, and every other machine on the network reaches the Internet through the NAT device.

When your computer uses TCP/IP to connect to a server on the Internet, it sends a request to the server's IP address. The request carries a source IP address (your computer's address) and a source port number (a numbered doorway for network communications at that address). The NAT device rewrites both: it replaces the source IP address with the address of its own Internet-connected interface, and it replaces the source port with a port it chooses for this connection, so that it can tell this conversation apart from every other one passing through it.

NAT records these changes in its "NAT table". When the Internet server answers, it sends the reply to the IP address and port number the NAT device put into the request, which means the reply lands on the NAT device. The device looks the port up in its table, finds which internal computer and port the request originally came from, and forwards the reply to that computer.

This is how a NAT device can carry outgoing requests from many computers at once. All of them share the IP address of its Internet-connected interface, each conversation is given a different source port, and the table maps every port back to the internal computer that should receive the response.

NAT devices prevent Internet intruders from connecting directly to computers on your network. The main reason is that a NAT device will not forward a packet from the Internet inward unless its table shows that an internal computer asked for it; an unsolicited packet matches no table entry and is simply dropped. A second reason is that most internal networks use "private addresses", which cannot be reached across the Internet at all. The private address ranges (defined in RFC 1918) are:

  1. 192.168.0.0 — 192.168.255.255
  2. 172.16.0.0 — 172.31.255.255
  3. 10.0.0.0 — 10.255.255.255

Not every address in these ranges can be assigned to a computer (the first and last address of each subnet are reserved as the network and broadcast addresses), but you can use just about any of the others on your private network. The routers that carry traffic across the Internet have no routes for these ranges, so a packet addressed from the Internet to, say, 192.168.1.10 is dropped along the way.

Note that while a NAT device protects the computers behind it, it does not necessarily protect the machine running the NAT software itself. For example, if you run Internet Connection Sharing (ICS) on a Windows XP computer and also run the Internet Information Services (IIS) FTP or Web service on that same computer, the NAT function of ICS does nothing to block access to those services: they listen on the Internet-connected interface and will answer anyone who connects. Attackers can go after the ICS computer through those services. It gets really scary if Client for Microsoft Networks and File and Printer Sharing are enabled on the Internet-connected interface, because then the Windows file-sharing ports are exposed to the whole Internet as well.

It's the NAT device that lets many PCs on your home or office network share a single Internet connection. It also gives you some degree of security: Internet intruders cannot reach computers on your network unless you explicitly open a path to one by configuring the device to forward a specific inbound port to a specific internal machine (ISA Server calls this "server publishing"; SOHO routers usually call it port forwarding).

NAT devices like Windows XP Internet Connection Sharing (ICS), together with the Internet Connection Firewall (ICF), provide a basic level of security. When ICS is enabled, the interface connected to the Internet sends traffic to and receives traffic from the Internet. The receiving part is what we have to watch out for, because that interface can receive requests from attackers who want to do bad things to your ICS computer!

Your ICS computer is like an office building. An office building can receive visitors to any of the offices within the building. Each office in the building has personnel who perform different tasks. The ICS computer also has many offices with doors. The offices are network services and the doors used to enter these network services are called "ports". Each network service has its own door or "port" that is used to enter it. Common network services include:

  • FTP Ports 20 and 21 (TCP) - File Transfer Protocol, used to copy files between computers
  • SMTP Port 25 (TCP) - Simple Mail Transfer Protocol, used to send email
  • DNS Port 53 (TCP and UDP) - Domain Name System, used to match computer names with IP addresses
  • POP3 Port 110 (TCP) - Post Office Protocol v3, used to receive email
  • NNTP Port 119 (TCP) - Network News Transfer Protocol, used to post and receive messages to and from Internet newsgroups
  • IMAP Port 143 (TCP) - Internet Message Access Protocol, used to access server-based email

There are a number of other ports that may be open on your ICS computer, and every listening port is a possible entrance for an Internet attacker. What we need to do is close all the doors! That is what the Internet Connection Firewall does: it blocks unsolicited inbound connections on the Internet-connected interface, so that no bad guys can get into the building that is your ICS computer.

But wait! If all the doors on the Internet interface are closed, how can computers on your network send requests to Internet servers? Good question. The Internet Connection Firewall is stateful: when a computer on your network sends a request out, the firewall records the conversation (source and destination addresses and ports) and temporarily opens the matching door so the Internet server's response can come back in. That door accepts traffic only from the server the request was sent to; packets arriving on the same port from any other computer are refused. This lets the server answer your request while still preventing attackers from using the door to enter your ICS machine. Once the conversation is finished, or has been idle for a while, the firewall closes the door and removes the entry, so the opening no longer exists.
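The NAT table described in the previous section and the "temporary doors" of the Internet Connection Firewall are the same mechanism seen from two sides, so the following toy model covers both. It is an added example, not code from the original page and not how Microsoft's ICS or ICF is implemented: outbound packets get their source rewritten to the device's public address and a fresh port, the mapping is remembered, and an inbound packet is delivered only if it arrives on a mapped port and comes from the remote endpoint the request was sent to. The addresses, ports and idle timeout are invented for the demonstration, and the RFC 1918 check simply encodes the three private ranges listed above.

```python
"""Toy NAT device with a stateful inbound filter (added example, not ICS/ICF code)."""
from dataclasses import dataclass
import ipaddress

# RFC 1918 private ranges, the three ranges listed in the article
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if ip falls in a private range that Internet routers will not route."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class NatDevice:
    def __init__(self, public_ip: str, first_port: int = 40000, idle_timeout: float = 60.0):
        self.public_ip = public_ip          # address of the Internet-connected interface
        self.next_port = first_port         # next unused public port to hand out
        self.idle_timeout = idle_timeout    # seconds before an idle door is sealed
        # NAT table: public port -> (inside ip, inside port, remote ip, remote port, last seen)
        self.table: dict = {}

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """Rewrite an inside->Internet packet and remember the mapping."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, entry in self.table.items():
            if entry[:4] == key:            # same conversation: reuse its door
                self.table[pub_port] = key + (now,)
                return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.payload)
        pub_port = self.next_port           # new conversation: open a fresh door
        self.next_port += 1
        self.table[pub_port] = key + (now,)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet, now: float):
        """Translate an Internet->inside packet, or return None to drop it."""
        self.expire(now)
        entry = self.table.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or entry is None:
            return None                     # unsolicited: no door is open on that port
        in_ip, in_port, remote_ip, remote_port, _ = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                     # door is open, but this is not the server we asked
        self.table[pkt.dst_port] = (in_ip, in_port, remote_ip, remote_port, now)
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.payload)

    def expire(self, now: float) -> None:
        """Seal doors whose conversation has gone idle."""
        for pub_port in [p for p, e in self.table.items() if now - e[4] > self.idle_timeout]:
            del self.table[pub_port]


def demo():
    """Walk through the scenarios from the article with constructed addresses."""
    nat = NatDevice(public_ip="203.0.113.7")
    # Two inside hosts, both using local port 5000, fetch the same web page.
    a = nat.outbound(Packet("192.168.1.10", 5000, "198.51.100.20", 80, "GET /"), now=0)
    b = nat.outbound(Packet("192.168.1.11", 5000, "198.51.100.20", 80, "GET /"), now=1)
    # The server answers each public port; each reply goes back to the right host.
    reply_a = nat.inbound(Packet("198.51.100.20", 80, "203.0.113.7", a.src_port, "200 OK"), now=2)
    reply_b = nat.inbound(Packet("198.51.100.20", 80, "203.0.113.7", b.src_port, "200 OK"), now=2)
    # An attacker probing the open door from another address is refused.
    probe = nat.inbound(Packet("192.0.2.66", 31337, "203.0.113.7", a.src_port, "evil"), now=3)
    # An unsolicited connection to a port nobody opened is refused.
    cold = nat.inbound(Packet("192.0.2.66", 31337, "203.0.113.7", 80, "SYN"), now=3)
    # After the idle timeout the door is sealed: even the real server is refused.
    late = nat.inbound(Packet("198.51.100.20", 80, "203.0.113.7", a.src_port, "late"), now=200)
    return a, b, reply_a, reply_b, probe, cold, late


if __name__ == "__main__":
    for name, pkt in zip("a b reply_a reply_b probe cold late".split(), demo()):
        print(f"{name:8} {pkt}")
```

Two simplifications are worth knowing about. A real NAT tracks TCP state and tears the mapping down when it sees the connection close, rather than waiting only for an idle timeout, and many consumer devices are less strict than this model about who may use an open door: some accept any remote host on a mapped port, which is exactly the behaviour that makes UDP "hole punching" work and is weaker protection than the ICF description above.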

While the Internet Connection Firewall does a pretty good job at what it's designed to do, it's still relatively simple stuff: it decides based on addresses, ports and connection state, and never looks at what the traffic actually contains.

High Performance Firewalls

Let's examine some of the features you get with higher-end firewalls. These features aren't typically available in the low-cost firewalls you see in the average SOHO/home network.

Our favorite high-end firewall is the Microsoft Internet Security and Acceleration Server (ISA Server). ISA Server provides all the features of a high-end firewall. Some of those features include:

  1. Application Layer data inspection
  2. Intrusion Detection
  3. Policy based inbound and outbound access control
  4. Web caching

ISA Server can examine the actual contents of packets using "smart" application-layer filters, a capability all high-end firewalls share. Instead of looking only at addresses and ports, the firewall makes decisions about what to let into, and out of, the network based on the data carried inside the packets. For example, you might want to block web pages that contain the words "hot" and "sex". A firewall that inspects packet data will read the content of each web page and allow or deny it based on the words it finds.
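To make "looking inside the packets" concrete, here is a minimal application-layer content filter for HTTP responses. It is an added example, not code from the original page and not how ISA Server's filters work: it parses the response, inspects only bodies declared as HTML (decompressing gzip where the server applied it), strips markup so a word split by tags is still seen, and blocks on whole-word matches so that "hot" does not also catch "hotel". The responses and the blocked-word list are constructed for the demonstration.

```python
"""Minimal HTTP content filter (added example; not ISA Server's implementation)."""
import gzip
import re

# Blocked-word list from the article's example
BLOCKED = ["hot", "sex"]


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def inspect_http_response(raw: bytes, blocked_words):
    """Return (allow, reason). Only text/html bodies are inspected for blocked words."""
    status, headers, body = parse_response(raw)
    ctype = headers.get("content-type", "")
    if not ctype.lower().startswith("text/html"):
        return True, "not HTML; passed without inspection"
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)        # inspect what the browser would render
    charset = "utf-8"
    m = re.search(r"charset=([\w-]+)", ctype, re.I)
    if m:
        charset = m.group(1)
    text = body.decode(charset, errors="replace")
    text = re.sub(r"<[^>]+>", " ", text)    # drop tags so "<b>hot</b>" reads as " hot "
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, blocked_words)) + r")\b", re.I)
    m = pattern.search(text)
    if m:
        return False, f"blocked word {m.group(1)!r}"
    return True, "no blocked words"


def build_response(body: bytes, content_type="text/html; charset=utf-8", gzipped=False) -> bytes:
    """Construct a sample HTTP/1.1 200 response for the demo."""
    if gzipped:
        body = gzip.compress(body)
    headers = [b"HTTP/1.1 200 OK",
               b"Content-Type: " + content_type.encode(),
               b"Content-Length: " + str(len(body)).encode()]
    if gzipped:
        headers.append(b"Content-Encoding: gzip")
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


if __name__ == "__main__":
    samples = [
        build_response(b"<p>Today is very <b>hot</b> outside</p>"),
        build_response(b"<p>Book a hotel in Essex</p>"),
        build_response(b"<p>hot</p>", gzipped=True),
        build_response(b"hot", content_type="image/png"),
    ]
    for raw in samples:
        print(inspect_http_response(raw, BLOCKED))
```

The filter has to see the whole response, so a real firewall reassembles the TCP stream before inspecting it; a filter that looked at one packet at a time could be evaded by splitting a word across two segments. It also cannot see inside an HTTPS connection without terminating TLS on the firewall, which is why encrypted traffic is the usual blind spot of content inspection.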

High-end firewalls can also perform intrusion detection. The firewall watches the packets arriving on its Internet-connected interface and assesses whether an attack is under way. ISA Server can detect a number of common attacks and will send you an email when one occurs. You can also configure it to shut off Internet access automatically when an attack is detected, which stops the attacker before damage is done and gives you time to investigate.
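The simplest of the "common attacks" such a firewall looks for is a port scan: one source address knocking on many different doors in a short time. The following detector, an added example that is not code from the original page or from ISA Server, runs that check over a small connection log. The log lines, the source addresses, the five-port threshold and the ten-second window are all constructed for the demonstration.

```python
"""Port-scan detector over a packet log (added example; not ISA Server code)."""
from collections import defaultdict, deque

# Constructed log: "<seconds> <proto> <src ip>:<port> -> <dst ip>:<port> <flags>".
# 192.0.2.66 scans quickly, 198.51.100.20 is a normal web client,
# and 192.0.2.99 probes one port every 30 seconds to stay under the window.
SAMPLE_LOG = """\
1.0 TCP 192.0.2.66:40001 -> 203.0.113.7:21 SYN
1.1 TCP 192.0.2.66:40002 -> 203.0.113.7:22 SYN
1.2 TCP 192.0.2.66:40003 -> 203.0.113.7:23 SYN
1.3 TCP 192.0.2.66:40004 -> 203.0.113.7:25 SYN
1.4 TCP 192.0.2.66:40005 -> 203.0.113.7:80 SYN
1.5 TCP 192.0.2.66:40006 -> 203.0.113.7:110 SYN
1.6 TCP 192.0.2.66:40007 -> 203.0.113.7:139 SYN
2.0 TCP 198.51.100.20:51000 -> 203.0.113.7:80 SYN
2.1 TCP 198.51.100.20:51000 -> 203.0.113.7:80 ACK
2.5 TCP 198.51.100.20:51001 -> 203.0.113.7:443 SYN
3.0 TCP 198.51.100.20:51002 -> 203.0.113.7:80 SYN
10.0 TCP 192.0.2.99:31000 -> 203.0.113.7:21 SYN
40.0 TCP 192.0.2.99:31001 -> 203.0.113.7:22 SYN
70.0 TCP 192.0.2.99:31002 -> 203.0.113.7:23 SYN
100.0 TCP 192.0.2.99:31003 -> 203.0.113.7:25 SYN
130.0 TCP 192.0.2.99:31004 -> 203.0.113.7:80 SYN
"""


def parse_line(line: str):
    """Split one log line into (ts, proto, src_ip, src_port, dst_ip, dst_port, flags)."""
    ts, proto, src, _, dst, flags = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return float(ts), proto, src_ip, int(src_port), dst_ip, int(dst_port), flags


def detect_port_scans(log_text: str, threshold: int = 5, window: float = 10.0):
    """Return [(ts, src_ip, ports)] once per source that hits >= threshold
    distinct destination ports within `window` seconds (sliding window)."""
    recent = defaultdict(deque)         # src_ip -> deque of (ts, dst_port) inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proto, src_ip, _, _, dst_port, flags = parse_line(line)
        if proto == "TCP" and "SYN" not in flags:
            continue                    # count connection attempts, not established traffic
        q = recent[src_ip]
        q.append((ts, dst_port))
        while q and ts - q[0][0] > window:
            q.popleft()                 # slide the window forward
        ports = {p for _, p in q}
        if len(ports) >= threshold and src_ip not in alerted:
            alerted.add(src_ip)
            alerts.append((ts, src_ip, sorted(ports)))
    return alerts


if __name__ == "__main__":
    for ts, src, ports in detect_port_scans(SAMPLE_LOG):
        print(f"t={ts}: port scan from {src} on ports {ports}")
```

With the default ten-second window the fast scanner is reported and the slow one is not; widening the window to a few minutes catches the slow scanner too, at the cost of more false positives from busy legitimate clients. This trade-off is why automatic responses such as "stop Internet access after an attack" deserve care: an attacker who can trigger the detector with spoofed source addresses can turn your own firewall into a denial of service against you.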

A very powerful feature of high-end firewalls is the ability to control access based on user, group or IP address, for both inbound and outbound traffic. For example, your company may want to allow the Executives group to access streaming media, but nobody else. You can get very specific about which Internet applications users are permitted to use, and you can also control when users may access the Internet, blocking specific applications at particular times of day. Few lower-end firewalls give you this level of control over how, what and when users access the Internet.

Web caching is a very cool feature that speeds up access to Web pages. Imagine that you have 235 people in your office. Someone goes to home.businesswire.com and looks at the front page. Five minutes later someone else goes to home.businesswire.com and the page comes up lightning fast! The reason is that the page was cached (stored) on the firewall: instead of fetching it again from the Businesswire Web server, the firewall returned the copy it stored when the first user visited (for as long as the page's own cache headers allow). This is very helpful when the users in your home or company visit the same web pages. You'll notice a really big difference on a slow Internet connection, like a 56K modem or a 128K ISDN terminal adapter, and if you pay for the amount of data transferred over your Internet connection, it's a lifesaver!

High-end firewalls aren't for everyone. But if you depend on Internet access for your business, you should consider one. Performance is better than with low-end firewalls, and the high-end features let you do things a low-end firewall never could.



Updated Sat 04/15/2006 10:41 AM
Webmaster: David Mozer