Saturday, September 18, 2010

Why Use a NAT Router?

Every computer connected to the Internet is exposed to dangers. For myself and many others the benefits of using the Internet far exceed the possible dangers. We can minimize the dangers if we follow some basic security principles both for our home and office computers.

Let's start with how we connect to the Internet using a wired connection. Many home users and small businesses connect to the Internet through a Cable/DSL modem. This type of connection is an always on connection. As long as our computers are powered on we are connected to the Internet and exposed to dangers. We increase the danger if we connect our PC directly to the Cable/DSL modem. Computers connected in this way will receive a DHCP public IP address from their Internet Service Provider. What this means is that our PC is both visible and accessible directly from the Internet. This exposes us to Internet scanning, worms, and hackers. If we don't have a software firewall installed then our PC can be easily compromised and our data stolen.

Even though a software firewall can lessen the dangers we are exposed to when we connect in this way, I don't recommend this method. A better solution would be to use a Cable/DSL NAT router. The NAT router would connect directly to the Cable/DSL modem and then our computer or computers would connect to the NAT router. Why is this safer?

One of the key benefits of NAT (Network Address Translation) routers is that the router hides the internal IP address of your computer or computers. The Internet sees you as a single machine with a single IP address. This effectively masks the fact that one or many computers on the LAN side of the router may be sharing that one IP address. This not only provides security benefits but also financial ones. NAT enables you to have more than one computer on your home or office network while you only have to pay for one public IP address from your ISP.

How does NAT work? When you turn on your computer you will receive an RFC1918 private IP address from your router. Usually with most Cable/DSL routers this will be on an 192.168.x.x subnet. This internal private IP will have to be changed or NATTED to a public address in order for you to be able to access the Internet. Since all computers on the LAN side of the router will share the same single IP address, the router keeps track of these outbound connections through PAT (Port Address Translation). Here is what happens. When you make an outbound call to Google, the NAT router receives this request and changes your private IP of ( for example) to a public IP address say ( and a port number of 2500 making it ( A second computer on the same LAN with an IP of ( also makes an outbound request at the same time. This computer will be assigned the same public IP but a different port number say 2501 making it ( The NAT router keeps track of these connections in a table. It uses this table to match return connections to the correct computer on the private LAN side of the router.

This is the really good part and why the router provides added security. All traffic arriving at the NAT router that does not exactly match the traffic in the router's table is discarded as unwanted traffic. This basically stops all unwanted inbound traffic originating from Internet scanning, worms, and hackers, protecting our computers on the private LAN side of the router from unwanted traffic from the Internet. So if you don't already have a NAT router why not get one. The added security benefits are certainly worth the added expense.

Of course for a NAT router to provide its full benefits it has to be configured correctly. I will discuss this as well as the following subjects in future articles: how to secure wireless networks, how to make a server available to Internet users through port forwarding safely, what is a DMZ and what are its benefits, and how can adding a second NAT router provide even greater security. Please feel free to contact me with any questions or comments

No comments:

Post a Comment