Broadband Modem NAT Firewalls

Discussion in 'other firewalls' started by Empath, Sep 28, 2007.

Thread Status:
Not open for further replies.
  1. Empath

    Empath Registered Member

    Joined:
    Nov 13, 2002
    Posts:
    178
    Having switched a few months ago from cable internet to dsl, I assumed the modem was basically simply a dsl modem. I've discovered that it seems to be more.

    The modem is an Actiontec GT701 dsl modem. Having explored its configuration area, along with its built-in documentation, it seems to have a NAT firewall. I don't have a need for a router otherwise, but had considered installing one in order to gain the NAT capability. Now, knowing the modem can handle it, I'm just curious as to whether anyone has made use of or formed opinions about any similarly featured modem.
     
  2. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Most DSL modems shipped from the ISP these days are indeed gateway appliances...performing router functions using NAT. It's a good thing.

    I won't install or support any PC unless it's behind NAT..even if it's just a single PC. Over the many years of working in IT...I've noticed a clear and unmistakable correlation between computers that were directly connected to a broadband "bridged" modem (meaning..the PC gets a public IP address)..and being infested.

    Computers that were behind NAT...had noticeably less issues. A virus or worm outbreak across the internet that attacks Windows vulnerabilities...PCs behind NAT are far less likely to be hit..as they aren't directly touchable. MS Blaster for example.
     
  3. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,442
    Location:
    Sky over the Wilders Forest
    Quick question.

    For future expansion, and in order to make sure I got a non-software firewall that blocks inbounds, I got a NAT Router from my dsl, and since I currently have no wireless PC, I turned off the wireless at the Router. Left the firewall alone. Am I still protected? I saw no reason to have the wireless on if it was not in use. :doubt:

    I too have discovered what you both refer to, that dsl providers give customers single user modems that stop unsolicited inbounds. :thumb: Is it only dsl, or does my recently obtained cable modem do the same? I guess I could check the logs. :cautious:
     
  4. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Turning off the wireless component of your router would not lessen your security in any degree. Matter of fact...it would strengthen it..as you would not have to worry about wireless security or anyone trying to leach off of your connection.
     
  5. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    I would not use the nat firewall built into those types of modems since you can have an independent dynamic ip issued to each pc at each boot up simply by configuring the Windows XP broadband Network dialer on each pc. Assuming you are using an Ethernet switch. This allows for faster internet speed since it reduces the overhead on the modem itself, allowing it to focus internal resources and bandwidth on traffic instead of filtering...

    Besides, since the ip changes at each bootup, why do you need nat? On most DSL services you can request multiple IPs using the same account logicals, effectively eliminating the need for a nat server... (depending on how many pcs your isp will allow this way). Just make sure the software firewall on each pc is up to par.
     
  6. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Having your PC on a public IP address...ack...that's scary!

    "Faster internet speed"..that depends on the make/model device you have. Most of the devices though, are not the bottleneck, they're rated for 24 megs of throughput, not many DSL services are even 1/2 of that.

    IP isn't always guaranteed to change at bootup, or each time you attempt to release/renew. Not to mention....just being on a public IP address for 1 minute is enough reason to want to be behind a firewall...takes less than a minute for a system to become compromised or hit by some worm.
     
  7. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Well every Internet routed pc is actually on a public IP address... no matter.
    This is true of Modem/routers or Combo routers, or a single pc.

    Perhaps you need to see that bandwidth is not only measured in throughput on these types of devices but also in memory bandwidth, as well as processing overhead, and when you multiply by the number of pcs it radically changes the rules of the game. I would personally rather use direct than filtered at the modem level since it is far more efficient to do so independently at the pcs.

    Actually, since this is DSL we are talking about, the Portmaster on/or the RAS server will dynamically issue the next available IP either in sequence or in a time-lapsed sequence to prevent a re-issue (depends on how the admin set up the Portmaster). This is true unless you are using a business account and are paying for a static IP. Perhaps to host a server; then it might be preferable to use a nat device to add an extra layer.

    In fact, consider this. You have 3 pcs on your LAN, each getting a different IP address from your ISP. If you are using the NAT on your modem and a hacker cracks it, your 3 pcs are now essentially crack fodder. On the other hand, if you get 3 IPs from separate blocks issued through the same modem, one pc may be cracked while the other two are still invisible and safe...

    The main reason is that when you receive a single IP that you chose to route via NAT, it is only required to crack the one ip to access all pcs in the NAT table. Child's play for pro crackers. On the other hand, each pc getting its own IP dynamically, where those may actually be issued from separate class C blocks or even separate classes, will make it very difficult for a hacker to track all pcs involved...

    Ultimately the entire scenario depends on your pc-based software firewall. I personally do not like those devices that pretend to be router/firewall/DHCP + NAT since they actually slow down the entire setup. The only real benefit in my opinion is the convenience they provide, as they are not truly secure and you do not have the real control and options a software firewall provides....

    Besides, as I mentioned above, getting the ability to partition your LAN across several class C blocks is more secure... (from an Internet scanning perspective)
     
    Last edited: Oct 1, 2007
  8. Empath

    Empath Registered Member

    Joined:
    Nov 13, 2002
    Posts:
    178
    Thanks, Hermes, but it sounds more like a campaign against NAT than a specific concern regarding my setup. The argument appears to apply to routers with NAT. It's just more than I wish to involve myself. I'm not wanting to get involved with a hardware vs software firewall thing.
     
  9. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Not what I intended. I meant to explain that while NAT is very useful in some situations, like when you need more IPs than your ISP is willing to provide, it is not as desirable as it appears in a very small LAN (1 or 2 PCs). Besides, when it comes to firewalls, having a good software firewall on your pc is really all that is necessary for being online, since most other features needed are already built into the OS. All you need is access to the Internet via the modem. As for the functions built into your dsl modem... My opinion is don't use the features unless you need them, since they tend to slow down your connection. In some cases a lot, in others not so much... It's a preference; I simply prefer dedicated or modular functions rather than all-in-ones, for all the reasons stated above.

    A note about modem/router based firewalls: These days, security breaches are far more prevalent on web sites you visit, by injecting hostile code directly into your computer while exploiting multiple application and OS vulnerabilities, and effectively bypassing any attempts to the firewall itself... Thus the necessity to have a good PC-based firewall enabled, since the current and upcoming best of breed also provide HIPS or application monitoring. This is where your security will really be coming from...
     
  10. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    But there's a difference in a gateway...and what's available on it outside the NAT, versus having a PC standing there naked on a public IP address.

    Take 2x computers. Put one of them behind a NAT router; I'll take this one. Put the second one plugged right into a cable modem..with the PC obtaining a public IP address; you take this one. Which one do you think will start coming under attack first? The one on the cable modem will be at risk right away. The one behind the NAT router..you can leave it on 24x7...by default, unless the end user does something intentional..it will not fall under attack, it's isolated from the noise of the internet. Let's let both PCs run 24x7 for a month. After a month goes by...I'll sit down at mine with confidence that it's safe and healthy. The PC that was sitting on a public IP address? You'll probably be poring through your logs looking for what may have happened to it. I'd expect those logs to be quite lengthy..full of attacks and possible compromises depending on how the PC was set up, and what was running on it.


    True..I am quite aware of performance differences in routers, especially when it comes to "concurrent connections". I've done quite a few benchmarks with various types, and yes there are differences in your "el cheapo" models with under 200MHz and 8 megs of RAM, versus more business grade models with 533MHz or more..and 32 or 64 megs of RAM. Or better yet..when you build some custom linux distro routers like Endian or Untangle..and stick them on a Pentium 4 with a gig of RAM. Concurrent connections can put a strain on routers...larger business networks of more clients, or heavy traffic apps like that P2P warez/file sharing torrent stuff. However...for the average home user, not many have more than several PCs..and they won't burden even modest home grade routers very much. Even those of us in IT usually don't have much more than 6 or so computers at home. However..routers that are somewhat current in generation will not be a bottleneck. Most of them out on the market now will easily exceed 50 megs throughput..many of the higher performance models..still targeting the home user market, are now exceeding 100 megs throughput..even 200.

    Depends on the ISP...not all are exactly the same. I work with many different ones...have stepped inside the doors of many of them, have been a reseller for a few. They are not all set up exactly the same. Yes, the more common PPPoE DSL types from the large telcos are often very dynamic, but there are still quite a few other DSL providers out there; you can release/renew your WAN a thousand times a day...you may still get the same WAN IP.

    The frequency of changing IP addresses is irrelevant IMO; whether you change IPs daily, weekly, monthly, or not at all, a worm or some vulnerability out there only needs 30 seconds or less to "find" your PC and infect it.

    If the 3x PCs are each on public IP addresses..you really don't have a "LAN" anymore, nothing local about it if the PCs are each on public IPs. A NAT router, by default (meaning the person hasn't done any port opening/forwarding....or something dumb like DMZ'ing a computer, or enabled WAN management with a default password) is safe and sound from the outside world; even if they don't have Windows updates or admin passwords, by default, without user intervention, they are safe. Period. Hardware NAT doesn't suddenly "fail" as a service like some software firewalls can and have been known to do. 3x PCs on a public IP address are each under constant attack. Software firewalls can fail as a service in Windows. There also have been exploits against them which can intentionally knock them out.

    All comes down to a preference I guess....some people can put faith in software firewalls. I don't choose to....as I've seen them fail and cause headaches on computers, and from my job...I've seen a clear correlation between computers that sit directly on a public IP address...and higher amounts of issues with them. I've not seen NAT fail in what I expect it to do...and that's block unsolicited traffic from the internet..from coming in and infecting a computer by directly touching it. Only the end users themselves can perform an action which infects the computer.
     
    Last edited: Oct 2, 2007
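    The "unsolicited inbound" point argued in the post above, as an added illustration that is not from the thread or any of its participants: a toy source-NAT table that only translates replies to flows a LAN host opened, beside a bridged-modem case where the PC holds the public address. All addresses and ports are constructed; the gateway model is a simplification, not any vendor's implementation.

```python
from dataclasses import dataclass, field

# Constructed addresses from documentation ranges, not taken from the thread.
WAN_IP = "203.0.113.10"
LAN_PC = "192.168.1.20"


@dataclass
class NatGateway:
    """Toy source-NAT gateway: a translation entry exists only for flows a LAN host opened."""
    table: dict = field(default_factory=dict)     # public_port -> (lan_ip, lan_port, dst_ip, dst_port)
    forwards: dict = field(default_factory=dict)  # public_port -> (lan_ip, lan_port), user-configured
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, dst_ip, dst_port):
        """LAN host initiates a connection: allocate a public port and record the mapping."""
        flow = (lan_ip, lan_port, dst_ip, dst_port)
        for pub_port, entry in self.table.items():
            if entry == flow:
                return pub_port
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[pub_port] = flow
        return pub_port

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arriving on the WAN side; returns (lan_ip, lan_port) or None when dropped."""
        entry = self.table.get(dst_port)
        if entry and entry[2:] == (src_ip, src_port):
            return entry[:2]                 # reply to a flow the LAN host opened: pass
        return self.forwards.get(dst_port)   # only an explicit forward/DMZ rule exposes a host


def bridged_modem(dst_port):
    """Bridged modem: the PC holds the public IP, so every inbound packet reaches it directly."""
    return (WAN_IP, dst_port)


def simulate_probe(port=135):
    """Constructed scenario: the PC browses once, then an unsolicited probe arrives at `port`."""
    gw = NatGateway()
    gw.outbound(LAN_PC, 51000, "198.51.100.5", 80)   # the PC opens a web connection first
    probe_src = ("192.0.2.77", 6000)                 # constructed remote scanner address
    result = {
        "bridged": bridged_modem(port),                        # reaches the PC
        "nat_default": gw.inbound(*probe_src, port),           # no entry, no rule: dropped
        "web_reply": gw.inbound("198.51.100.5", 80, 40000),    # reply to the opened flow
    }
    gw.forwards[port] = (LAN_PC, port)                         # user intervention: DMZ/forward
    result["nat_dmz"] = gw.inbound(*probe_src, port)           # now exposed, as the post warns
    return result
```

    The `nat_default` case is the "safe by default" behaviour the post describes; `nat_dmz` is the user-configured exception it calls out.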