
How Broadband Routers and Firewalls Work

Pages: 2      File type: pdf      Size: 26.70 KB

Document information:

Many broadband routers and firewalls function primarily through the use of Network Address Translation (NAT) to hide the internal systems behind a single external IP address.
Content extracted from the document:
Many broadband routers and firewalls function primarily through the use of Network Address Translation (NAT) to hide the internal systems behind a single external IP address. These so-called NAT routers or NAT firewalls do an adequate job of hiding resources from casual attack methods, but they do not perform advanced firewall functions; therefore, it is really a bit of a misnomer to call them firewalls, at least in the sense that products such as the Cisco Secure PIX Firewall, Microsoft ISA Server, and Check Point Firewall-1 are considered firewalls. Rather, many broadband routers and firewalls are just NAT-based packet-filtering routers providing a degree of privacy, but they typically lack advanced firewall features such as stateful packet inspection (SPI), proxying of data, or deep packet inspection. (The translation table described below is itself per-flow state, so the distinction is between tracking address and port mappings, which any NAT device must do, and tracking protocol state such as TCP flags and sequence numbers, which SPI adds.)

Figure 5-1 shows the NAT process.

Figure 5-1. How NAT Works

The steps numbered in Figure 5-1 can be further explained as follows:

1. The client (HostA) initiates a connection to an external host (HostB).
2. The broadband router/firewall receives the request and translates the source address from the internal IP address to the address of the router/firewall's external interface. The router/firewall keeps track of this translation in a translation table.
3. The packets are delivered to the external destination (HostB), which believes that the packets originated from the external IP address of the router/firewall. HostB responds accordingly to the external IP address of the router/firewall.
4. When the router/firewall receives the response from the external host, it checks its translation table for a matching outbound request.
5. If it finds one, the router/firewall repackages the packet and delivers it to the internal host (HostA), which thinks that the response came directly from the external host (HostB).

In addition, most broadband routers/firewalls are designed not to permit any unsolicited packets from an external host to be delivered to an internal host: an inbound packet with no matching translation-table entry has no internal destination and is simply dropped.

Although this is generally an adequate level of protection for most home environments, it is important to understand that relying on NAT alone to protect hosts gives a false sense of security, because NAT does not guarantee security in and of itself, as noted in RFC 2663, Section 9. For example, NAT devices are as susceptible to targeted attacks, such as denial-of-service (DoS) attacks, as non-NAT devices. NAT also provides no actual filtering of packets leaving the internal network; instead, it permits all outbound traffic as long as it can be translated accordingly, so a compromised internal host can reach any external address unhindered. Although it is a subtle difference, NAT provides more privacy than it does security.

Therefore, only when used in conjunction with other technologies can NAT serve as an effective security mechanism. The best broadband routers/firewalls (for example, many of the Linksys broadband firewalls) include application-level filtering, deep packet inspection, SPI, firewall hardening, and NAT.
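The five steps of Figure 5-1, plus the two behaviours the text then draws out (unsolicited inbound packets are dropped; outbound packets are never filtered), can be made concrete with a small port-translating NAT simulator. This is an added example written for this page, not code from the original document or from any router vendor; the addresses, ports and the NatRouter class are constructed for illustration. It goes slightly beyond the figure by translating ports as well as addresses (NAPT), which is what real broadband routers do so that many internal hosts can share one external address.

```python
"""
Minimal NAPT (port-translating NAT) simulator for the Figure 5-1 exchange.
Constructed example; all addresses are from the RFC 5737 documentation ranges
and RFC 1918 private space and do not refer to real hosts.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Key for the external side of a mapping: (proto, ext_ip, ext_port, remote_ip, remote_port)
ExtKey = Tuple[str, str, int, str, int]
# Key for the internal side: (proto, int_ip, int_port, remote_ip, remote_port)
IntKey = Tuple[str, str, int, str, int]


class NatRouter:
    """Hides an RFC 1918 LAN behind one public address, NAPT style (hypothetical class)."""

    def __init__(self, external_ip: str, first_port: int = 1024) -> None:
        self.external_ip = external_ip
        self._next_port = first_port
        self.table: Dict[ExtKey, Tuple[str, int]] = {}   # step 2: the translation table
        self._by_internal: Dict[IntKey, int] = {}        # reverse index for reuse of mappings
        self.dropped: List[Packet] = []                  # unsolicited inbound packets

    def _allocate_port(self) -> int:
        port = self._next_port
        self._next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Steps 1-3: rewrite the source to the external address and record the mapping.
        Deliberately no policy check: any internal host may reach any destination, which
        is the 'NAT does no outbound filtering' point made in the text."""
        ikey: IntKey = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self._by_internal.get(ikey)
        if ext_port is None:
            ext_port = self._allocate_port()
            self._by_internal[ikey] = ext_port
            self.table[(pkt.proto, self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port)] = (
                pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.external_ip, src_port=ext_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Steps 4-5: a reply matching a recorded flow is rewritten back to the internal
        host; anything without an entry is unsolicited and is dropped (returns None)."""
        key: ExtKey = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        entry = self.table.get(key)
        if entry is None:
            self.dropped.append(pkt)
            return None
        int_ip, int_port = entry
        return replace(pkt, dst_ip=int_ip, dst_port=int_port)


def demo() -> dict:
    """Run the Figure 5-1 exchange, one unsolicited probe and one unfiltered outbound flow."""
    router = NatRouter("203.0.113.1")                                      # external interface
    host_a = Packet("tcp", "192.168.1.10", 51000, "198.51.100.20", 80)     # HostA -> HostB
    on_wire = router.outbound(host_a)                                      # what HostB sees
    reply = Packet("tcp", "198.51.100.20", 80, on_wire.src_ip, on_wire.src_port)
    delivered = router.inbound(reply)                                      # back to HostA
    probe = Packet("tcp", "198.51.100.99", 40000, "203.0.113.1", 22)       # unsolicited scan
    probe_result = router.inbound(probe)
    # A second internal host talking to an arbitrary address is translated without question.
    leak = router.outbound(Packet("udp", "192.168.1.11", 5353, "192.0.2.77", 53))
    return {
        "on_wire_src": (on_wire.src_ip, on_wire.src_port),
        "delivered_to": None if delivered is None else (delivered.dst_ip, delivered.dst_port),
        "probe_dropped": probe_result is None,
        "leak_translated": leak.src_ip == "203.0.113.1",
        "table_size": len(router.table),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `inbound` method is where the "no unsolicited packets" property comes from: it is a side effect of having nowhere to deliver the packet, not an access-control decision. Conversely `outbound` never consults a policy, which is why a compromised internal host behind a NAT-only device can talk to anything it likes; an SPI or application-layer firewall would add checks at exactly these two points.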