April 26, 2011, 9:39 p.m.
posted by andy
How Broadband Routers and Firewalls Work
Many broadband routers and firewalls function primarily through the use of Network Address Translation (NAT) to hide the internal systems behind a single external IP address. These so-called "NAT routers" or "NAT firewalls" do an adequate job of hiding resources from casual attack methods, but they do not perform advanced firewall functions; therefore, it is really a bit of a misnomer to call them firewalls, at least in the sense that firewalls such as the Cisco Secure PIX Firewall, Microsoft ISA Server, and Check Point Firewall-1 products are considered firewalls. Rather, many broadband routers and firewalls are just NAT-based packet-filtering routers providing a degree of privacy, but they typically lack advanced firewall features such as stateful packet inspection (SPI), proxying of data, or deep packet inspection.
Figure shows the NAT process.
How NAT Works
The steps numbered in Figure can be further explained as follows:
In addition, most broadband routers/firewalls are designed not to permit any unsolicited packets from an external host to be delivered to an internal host.
Although this is generally an adequate level of protection for most home environments, it is important to understand that reliance on NAT alone to protect hosts is a false sense of security because NAT does not guarantee security in and of itself, as noted in RFC 2663 Section 9.0. For example, NAT devices are as susceptible to targeted attacks, such as denial-of-service (DoS) attacks, as non-NAT devices. NAT also provides for no actual filtering of packets leaving the internal network; instead, it permits all outbound traffic as long as it can be translated accordingly. Although it is a subtle difference, NAT provides more privacy than it does security.
Therefore, only when used in conjunction with other technologies can NAT serve as an effective security mechanism. The best broadband routers/firewalls (for example, many of the Linksys broadband firewalls) include application-level filtering, deep packet inspection, SPI, firewall hardening, and NAT.