Is a NAT Router Suggested?

Discussion in 'other firewalls' started by Gabriolone, Nov 12, 2012.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,760
    Location:
    Texas
  2. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Thanks for the link. I was understanding NAT along these lines, so I'm not sure why it's inaccurate to call it a security feature.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    From the GRC article:

    Since the NAT router links the internal private network to the Internet, it sees everything sent out to the Internet by the computers on the LAN. It memorizes each outgoing packet's destination IP and port number in an internal "connections" table and assigns the packet its own IP and one of its own ports for accepting the return traffic. Finally, it records this information, along with the IP address of the internal machine on the LAN that sent the outgoing packet, in a "current connections" table.

    When any incoming packets arrive at the router from the Internet, the router scans its "current connections" table to see whether this data is expected by looking for the remote IP and port number in the current connections table. If a match is found, the table entry also tells the router which computer in the private LAN is expecting to receive the incoming traffic from that remote address. So the router re-addresses (translates) the packet to that internal machine and sends it into the LAN.


    From the UM link I posted above:

    Contrary to popular belief, NAT does not necessarily hide the identity of hosts behind it. Using passive analysis of TCP/IP and application-layer protocols, it's possible to gain very detailed information about the internal network. Subtleties in the TCP/IP stack allow anyone who can see external traffic to fingerprint the operating systems of internal hosts. Differences in initial TCP sequence numbers, IP options, and IP IDs are more than enough information to enumerate hosts on the internal network. NAT only superficially hides internal hosts.

    Beyond gaining information about the operating systems in use behind the NAT device, a savvy attacker can also deduce the internal network architecture. Since NAT only operates at the IP level, an attacker could use low IP time-to-live values to solicit ICMP TTL Exceeded messages and gain detailed information about the internal routing infrastructure. Using these techniques, an attacker can gain almost as much information as if there was no NAT device.


    Notice what I highlighted in bold. I also believe what GRC is describing as NAT is actually SPI. They are indeed two separate features and as I stated previously, are not always both present on routers.
     
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I can't argue this technically as it's "above my pay grade", but for me the question is: does using a NAT router raise the cost to an attacker? Remember we're talking about home networks which have little or no appeal to hackers to begin with. If using a NAT router makes it even a little bit harder for a hacker then it's better than not using one. And even if SPI is only partially implemented in a home router it's still better than not having it, don't you think?
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Again from the UM article:

    The well-known security adage "security through obscurity is no security at all" is certainly applicable to NAT. IPv6, whose biggest initial win is a significant increase of address space, has no concept of NAT since no additional security is gained.

    I think they describe NAT adequately using the term "security through obscurity."

    Bottom line - if your concern is security, concentrate on your firewall(router and PC software based), AV/anti-malware software, that your browser is properly configured for security, and that all your operating system and application software is up to date.

    For the average home user, NAT will do no harm security wise. It will also give marginal security protection at best.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    One final comment and I am done. NAT and stateful inspection are mutually exclusive on your router. This will probably throw everyone in a dizzy.

    To quote my Netopia 3347 router admin manual:

    "Stateful inspection is a feature that prevents unsolicited inbound access when NAT is disabled. Stateful inspection can be enabled on a WAN interface whether NAT is enabled or not."

    To get a grip on this, stateful inspection is a feature of the firewall portion of the router, as it is on corresponding software firewalls.
     
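    The two quotes above (GRC's description of the "current connections" table, and the Netopia manual's point that stateful inspection is a separate switch from NAT) can be modelled in a few lines. This is an added illustration, not code from the thread or from any router vendor; the gateway class, the IP addresses and the port numbers are all constructed sample values.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Gateway:
    """Toy home gateway (constructed for illustration). NAT rewrites addresses,
    SPI checks the connection table; both use the table GRC describes, but
    each can be switched on independently, as the Netopia manual says."""

    def __init__(self, public_ip, nat=True, spi=True):
        self.public_ip, self.nat, self.spi = public_ip, nat, spi
        self.next_port = 40000
        # (remote ip, remote port, our external ip, our external port) -> (LAN ip, LAN port)
        self.connections = {}

    def outbound(self, pkt):
        """LAN -> Internet: remember the flow; rewrite the source only if NAT is on."""
        if self.nat:
            ext_ip, ext_port = self.public_ip, self.next_port
            self.next_port += 1
        else:
            ext_ip, ext_port = pkt.src_ip, pkt.src_port   # LAN address is routable
        self.connections[(pkt.dst_ip, pkt.dst_port, ext_ip, ext_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=ext_ip, src_port=ext_port)

    def inbound(self, pkt):
        """Internet -> LAN: returns (verdict, packet delivered to the LAN or None)."""
        entry = self.connections.get((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        if self.spi and entry is None:
            return "drop:no-state", None        # explicit stateful filtering
        if self.nat:
            if entry is None:
                return "drop:no-mapping", None  # NAT's side effect: nowhere to translate it to
            lan_ip, lan_port = entry
            return "forward", replace(pkt, dst_ip=lan_ip, dst_port=lan_port)
        return "forward", pkt                   # routed, no NAT, no SPI: passes straight through

def scenario(nat, spi):
    """Constructed flows: one reply to a real request, one unsolicited probe to port 22."""
    lan_ip = "192.168.1.10" if nat else "203.0.113.10"  # private vs routable LAN address
    gw = Gateway("203.0.113.1", nat=nat, spi=spi)
    out = gw.outbound(Packet(lan_ip, 51000, "198.51.100.5", 443))
    reply = gw.inbound(Packet("198.51.100.5", 443, out.src_ip, out.src_port))
    probe = gw.inbound(Packet("198.51.100.99", 12345, gw.public_ip if nat else lan_ip, 22))
    return reply[0], probe[0]
```

    Running the four combinations shows the reply always gets through, while the unsolicited probe is dropped by SPI when it is on, dropped by NAT only because no mapping exists when SPI is off, and forwarded when neither is enabled.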
  7. chimpsgotagun

    chimpsgotagun Registered Member

    Joined:
    Dec 1, 2012
    Posts:
    55
    How about these securitywise:

    Zyxel P-660HN-T1A
    I have this one. Cheap, includes a modem. Some kind of firewall with SPI but I have to turn the firewall off if I want to open holes for ports, e.g. for torrents, and also some game wanted open ports. That is, there isn't a possibility to open ports at the firewall side, only at the router. And I suppose the firewall's SPI isn't that good in this el cheapo box, right?
    Says it wants JAVA for configuration, but it seems to work without it too.

    Buffalo WHR-G300N v2
    I also own this one. This is just a router and firewall, without a modem. Requires JAVA for configuration, which I don't like to use. Some kind of SPI also, but I suppose not very good.

    Asus RT-N56U
    Recommended by many, but how about securitywise? Costs about a hundo.

    Recommendations in about 100 bucks or so price class?
     
  8. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I wouldn't worry too much about it. No, a router does not a secure network make. However, it will drop unsolicited incoming connections regardless of what's going on on your computer unless you configure it otherwise. So if someone does something that disables the PC firewall, or mis-configures it, then you won't have to worry as much.

    So I think you should just pick the one you like, set a good admin password, disable remote administration and such, and leave things like SPI to the PC firewall. For regular home use, this is plenty.

    The ASUS does look like a good one, and if anyone gets a smartphone, tablet, or laptop then the wireless will be useful.
     
  9. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    For reliability, I chose to use an entry level 'Business Level' 'Wired' Router which is pricey. So far this Router has been performing well for about 2 years.
     
  10. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Can you say more about what a "business level" router is? The routers available in stores like Best Buy are becoming more powerful all the time. When I bought my last router I wanted something more capable, but I didn't have a clear sense of where the line was between "home" and "business" class products. It seems to me that one difference is business products are designed to handle more traffic, but that doesn't make them a better choice for the home user.
     
  11. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    I have a ZyXEL ZyWALL USG 20 Unified Security Gateway.

    http://www.zyxel.com/products_services/zywall_usg_200_100_50_20w_20.shtml?t=p#
     
  12. m0unds

    m0unds Guest

    I have a juniper srx100b. I used to use a mikrotik routerboard rb450g, which is extremely powerful and very, very affordable.
     