NAT is not a firewall

Freshness Warning
This article is over 15 years old. It's possible that the information you read below isn't current.

I’m having trouble getting a Linksys USB wireless adapter to connect to my network, so I called Linksys tech support. Besides not fixing my problem, the support tech told me repeatedly that I don’t need to use a firewall because my Linksys router contains one.

Many vendors of home networking equipment advertise that their broadband routers contain a built-in firewall to enhance security. What they are referring to is a technology called Network Address Translation (NAT). A NAT router simply denies incoming traffic that it doesn’t understand. That’s one function of a firewall, but not the only one.

NAT is the technology that lets more than one computer share an Internet connection with only a single IP address. The Internet Connection Sharing feature that comes with recent versions of Windows is a NAT router. A very simplistic description of how NAT works is that none of the computers behind the router is on the public Internet. The router forwards outgoing requests from computers out to the Internet. When the server replies, the NAT router remembers which machine it was that made the request and forwards the reply back to it.

If network traffic comes into the NAT router that isn’t the result of a machine making an outbound request, the NAT router doesn’t know where to send that network traffic. So that traffic gets ignored. It doesn’t get sent anywhere at all. The fact that an outside computer can’t arbitrarily connect to computers behind the NAT router is a byproduct of how NAT works and is why the router companies call their products firewalls.

The protection offered by NAT is very limited. It will keep an attacker from sending Messenger popup spams to your computer. It will keep people from connecting to services and backdoors installed on your computer. But it won’t keep trojans, viruses, and other malicious software from connecting to the Internet from your computer. It won’t prevent unauthorized network traffic from leaving your computer and going onto the Internet. That’s what modern firewalls do.

I know someone will point out that my description of NAT is a gross simplification and isn’t entirely accurate, so I’m going to mention up front that I know that. But it does explain the concepts of NAT, why vendors call it a firewall, and why it isn’t good enough security by itself. If you want, you can read more about how NAT works, including all sorts of highly technical details about packet routing, different forms of NAT, and how Linux implements NAT. Netgear also makes a home router that also contains a true firewall, so their Web site explains the differences.

BillSaysThis
October 8, 2003 1:43 PM

But what piece of (preferably free or at least low cost) software is the appropriate addition to the router's protection?

Adam Kalsey
October 9, 2003 11:21 AM

The free version of ZoneAlarm works well, and the Pro version is only $40. Recent releases of ZoneAlarm Pro have been aimed at the consumer with privacy protections and ad-blocking features built in. But Pro is also useful if you need more control over your network settings, like allowing machines from certain subnets to access your computer but denying all others.

Trackback from Kalsey Consulting Group :: Measure Twice
October 9, 2003 11:30 AM

Personal firewall advantages

Excerpt: A NAT router cannot is protect computers on your network from the other computers on your network.

BillSaysThis
October 9, 2003 1:05 PM

Thanks Adam. The problem I had with ZA free in my last PC was a conflict with the Linksys router, but also this PC is running WinXP which has a firewall running too. Do you have any good references (mag articles or similar) that explore this topic in more detail?

Chris Vance
October 9, 2003 8:55 PM

Bill, Kevin Rose and the TechTV staff recently reviewed firewalls. Their top picks were ZoneAlarm Pro and McAfee Personal Firewall Plus. The article is at http://www.techtv.com/screensavers/products/story/0,24330,3522872,00.html I personally run the D-Link 604 (4 port, NAT, no SPI) and the free version of ZoneAlarm. I can't say that I've taken issue with anything (although I generally "unload" ZA when playing games online, and DMZ my comp when hosting (56K modem players playing Sierra's Swat3 complain of lag when playing games hosted by a firewalled host)). I don't think that ZA and the router are working the best together (could be better, I suppose), but I can't complain. What specific problem did you find with ZA free and the Linksys router?

BillSaysThis
October 10, 2003 8:52 AM

Problem was my PC could not see the Internet, mail and browser didn't work, but this was intermittent yet frequent. That PC was running Win2000 and I've recently moved to WinXP, so perhaps the builtin firewall in XP is good enough on top of the NAT?

SamF
November 17, 2003 4:41 PM

I have a question regarding Zonealarm and a NAT Router. How do you differentiate between another computer an the network and the actual internet connection? In other words how do I separate the internat connection (dsl) into the internet zone and the other computers on my network into the trusted zone? Since zonealrm sees them as the same network.

AP
November 30, 2004 2:54 AM

Unistall Zone Alarm while establishing internet connection then reinstall and it will detect the connection. Set the internet connection as "internet" when Zone Alarm asks not "trusted". Set LAN connections as "trusted".

kevin
June 18, 2005 8:20 AM

the thing is tho, wether you have a hardware firewall (router), or a software firewall, you have to allow some ports in (for games, software, or p2p)... and thats where they get you.. i currently have 5ports forwarded to my family pc and 200 to my personal pc... and thats how the intruders will get in, by finding those ports, other then that, your safe from external..and configuring those ports is a PAIN with software firewall, with linksys its REALLY easy http://members.shaw.ca/short1_main/firewall.jpg true you cant stop traffic out, like zonealarm, but if your computer has good av and spyware protection, you dont need to. https://www.grc.com/x/ne.dll?bh0bkyd2 on my linksys 4port router w/ wireless (b), all my ports are stealthed except 1, and i am thinking on getting that one stealthed to, whereas many software firewalls just close, not stealth.

Raven Lee
June 8, 2007 7:28 AM

Like Windows Firewall. *cough* You are under the assumption that because it only acts in one direction, it can't be termed a firewall. Windows Firewall is a firewall. Just as nat routers double as firewalls. Perhaps, not as complete as Kerio Personal Firewall, ZA, Cisco PiX, etc. But, a firewall. And not only are nat routers firewalls, they are very good firewalls. They stealth every port by default. "...It will keep people from connecting to services and backdoors installed on your computer. But it won’t keep trojans, viruses, and other malicious software from connecting to the Internet from your computer. It won’t prevent unauthorized network traffic from leaving your computer and going onto the Internet. That’s what modern firewalls do...."

Saurabh
April 4, 2008 2:16 AM

If one is conducting online firewall tests(ShieldsUp or pcflank) from behind a NAT router ,are results affected? How to get around it?(I use Netveda as software firewall).

Your comments:

Text only, no HTML. URLs will automatically be converted to links. Your email address is required, but it will not be displayed on the site.

Name:

Not your company or your SEO link. Comments without a real name will be deleted as spam.

Email: (not displayed)

If you don't feel comfortable giving me your real email address, don't expect me to feel comfortable publishing your comment.

Website (optional):

Follow me on Twitter

Best Of

  • How not to apply for a job Applying for a job isn't that hard, but it does take some minimal effort and common sense.
  • Movie marketing on a budget Mark Cuban's looking for more cost effective ways to market movies.
  • California State Fair The California State Fair lets you buy tickets in advance from their Web site. That's good. But the site is a horror house of usability problems.
  • Customer reference questions. Sample questions to ask customer references when choosing a software vendor.
  • Comment Spam Manifesto Spammers are hereby put on notice. Your comments are not welcome. If the purpose behind your comment is to advertise yourself, your Web site, or a product that you are affiliated with, that comment is spam and will not be tolerated. We will hit you where it hurts by attacking your source of income.
  • More of the best »

Recently Read

Get More

Subscribe | Archives

Recently

Assumptions and project planning (Feb 18)
When your assumptions change, it's reasonable that your project plans and needs change as well. But too many managers are afraid to go back and re-work a plan that they've already agreed to.
Feature voting is harmful to your product (Feb 7)
There's a lot of problems with using feature voting to drive your product.
Encouraging 1:1s from other managers in your organization (Jan 4)
If you’re managing other managers, encourage them to hold their own 1:1s. It’s such an important tool for managing and leading that everyone needs to be holding them.
One on One Meetings - a collection of posts about 1:1s (Jan 2)
A collection of all my writing on 1:1s
Are 1:1s confidential? (Jan 2)
Is the discussion that occurs in a 1:1 confidential, even if no agreed in the meeting to keep it so?
Skip-level 1:1s are your hidden superpower (Jan 1)
Holding 1:1s with peers and with people far below you on the reporting chain will open your eyes up to what’s really going on in your business.
Do you need a 1:1 if you’re regularly communicating with your team? (Dec 28)
You’re simply not having deep meaningful conversation about the process of work in hallway conversations or in your chat apps.
What agenda items should a manager bring to a 1:1? (Dec 23)
At least 80% of a 1:1 agenda should be driven by your report, but if you also to use this time to work on things with them, then you’ll have better meetings.

Subscribe to this site's feed.

Contact

Adam Kalsey

Mobile: 916.600.2497

Email: adam AT kalsey.com

Twitter, etc: akalsey

Resume

PGP Key

©1999-2019 Adam Kalsey.