NAT, firewall, proxy or what?
This article explains some of the key features of NAT, firewall and proxy server
software products as they can be used to securely share an internet connection (with only
one IP address) through a cable or xDSL modem.

This is what you need: a cable or DSL modem, one PC with two ethernet cards, a few PCs with one ethernet card, a hub and enough ethernet cables to tie it all together. The printer is optional.
Network Address Translation (NAT) or a proxy server will allow you to share an IP
address between multiple machines. This does not necessarily imply any security. If your
gateway device is using NAT or a proxy, it does not imply that the gateway is any more
secure than it would be if those services were not running. It does usually mean that the
network behind it is harder to get to or attack, but even that is not always true.
As said above, NAT and proxies do not necessarily do anything for your security. The real
firewall technologies are packet filtering and proxies.
NAT
In general, a NAT is easier to set up and use than a Proxy Server because you simply
install it on the computer that is directly connected to the cable modem. Proxy Servers
generally require settings for each client computer on your local network.
All the PC NAT products do address/port mapping, and keep state information that
prevents incoming connections. This provides the same protection as stateful packet
filtering.
A NAT product should replace the TCP/IP stack on the PPP/NIC adapter with its own IP
stack. That protects the gateway machine as well as the computers on the local network.
Normally product documentation should indicate this; however, in many cases this is not
clearly specified, maybe in an attempt to keep things simple for the less experienced
buyer.
NAT makes the machines on the local network behind the gateway machine more secure
essentially because the client computers on the local network use IP addresses that are
reserved for use on internal networks only. Those IP addresses will not show up on the
internet.
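To make the two points above concrete (the state table that drops unsolicited inbound packets, and the private addresses that never appear on the internet), here is a small added simulation written for this article; it is not code from any of the products mentioned. The addresses are constructed from the RFC 5737 documentation ranges and the private ranges are the RFC 1918 blocks.

```python
import ipaddress

# Address blocks reserved for internal networks (RFC 1918); they are not routed on the internet.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr belongs to one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


class Nat:
    """Toy port-address-translation gateway: one public IP, a state table, no inbound by default."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}    # (priv_ip, priv_port, dst_ip, dst_port) -> public source port
        self.reverse = {}  # (public_port, dst_ip, dst_port) -> (priv_ip, priv_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """LAN -> internet: allocate (or reuse) a mapping and rewrite the source to the public IP."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.table:
            pub_port = self.next_port
            self.next_port += 1
            self.table[key] = pub_port
            self.reverse[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.table[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Internet -> public IP: forwarded only if it matches state created by an outbound packet."""
        entry = self.reverse.get((dst_port, src_ip, src_port))
        if entry is None:
            return None  # unsolicited packet: dropped, same effect as a stateful packet filter
        priv_ip, priv_port = entry
        return (src_ip, src_port, priv_ip, priv_port)


def demo():
    """Constructed scenario: one client web request, its reply, and an unsolicited probe."""
    nat = Nat("203.0.113.5")                                     # constructed public address
    out = nat.outbound("192.168.1.10", 1234, "198.51.100.20", 80)  # client fetches a web page
    reply = nat.inbound("198.51.100.20", 80, out[1])             # server's reply matches state
    probe = nat.inbound("198.51.100.99", 80, out[1])             # nobody asked for this one
    return out, reply, probe
```

Running `demo()` shows the reply being translated back to the private client while the probe returns `None`, which is the whole of the "protection" NAT gives the machines behind it.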
Proxy Server
Proxy Servers are used where you want tighter control of what the client machines are
allowed to do, or when you have many client machines. The proxy lightens the load on the
cable or xDSL modem by caching web pages that are downloaded. So assuming that the users
on the local network tend to surf the same pages, the performance can be greatly enhanced.
With a NAT, every request requires retrieval through the cable modem; there is no caching.
Firewall
When designing a firewall gateway, you are often looking to address two problems.
1: Mapping your network into a limited number of public IP addresses.
2: Providing security.
NAT addresses the first problem, and is generally used when you are using a packet
filtering firewall to provide the security. Combined, they solve both of the problems.
Proxy Servers can be used to solve both of the problems.
Most commercial gateway firewall products these days are a combination of all of these.
Proxy Servers can be highly secure, and let you look into the application data of the
packets, so you can do things like rewrite mail headers, block URLs, etc. However,
they can be somewhat limiting because writing an intelligent, secure proxy for every
protocol/application is more than anyone can handle. Most firewalls use either packet
filtering and NAT or they use packet filtering and a generic proxy to cover the areas
where they do not have a good proxy written. Packet filtering/NAT also tends to have less
overhead than proxy servers.
Some specific products
The following is a list of a few software products that can be used to solve all or
part of the internet sharing problems described. There are also quite a few hardware boxes
that provide some of the same features. The advantage of using a hardware implementation
is that the gateway computer does not have to be on in order to access the internet from
the client computers on the local network. But it may also be a more expensive solution.
ICS is the NAT service in Windows 98 Second Edition (and most likely
also Windows 2000). It used to be called NAT 1000 and Microsoft purchased the company.
SyShield, Conseal, and AtGuard are
all PC Firewall products. They are designed to increase the security of one host by adding
a packet filter. But, since these are designed as PC or host firewalls, they do not
address problem number 1, how to share an IP address.
WinProxy v3.0 (by Ositis Software) resides just above the physical
layer, and is a firewall and a proxy capable of blocking ports that get opened by the
operating system. The firewall ensures users don't have unwanted intruders invading their
system or bombarding them with multiple requests that result in "denial of
service" attacks. To accommodate a wide variety of user requirements, WinProxy offers
five levels of built-in security that can be customized to the user's needs. It also
includes pre-configured firewall settings to accommodate applications such as NetMeeting,
MSN, AOL and some of the more popular games that can be troublesome for NAT/proxies.
SyGate/SyShield looks like it is actually designed to
do what you want: solve problems 1 and 2. Any number of commercial firewall products do
this (Checkpoint FW-1, Axent Raptor, NA Gauntlet
etc.), but they are really designed to protect larger networks, and are priced accordingly.
SyGate was designed to work in conjunction with SyShield. SyGate does the NAT and protects
client computers on the local network, but SyShield is the required component for
protecting the actual gateway machine also.
BlackICE Defender from Network ICE fits under the firewall category,
but really belongs in a new category "intrusion detection system". It analyzes
the traffic, even that allowed through the firewall, proxied, or translated. Much like how
anti-virus scans the hard disk, BlackICE Defender scans the network traffic.
WinGate is another very popular proxy type internet sharing
software that works with both dial-up and Cable/xDSL connections.
Conclusion
There is no issue that I'm aware of, from a security perspective, where you'd
preferentially choose a NAT instead of a proxy or vice-versa. A proxy allows the
administrator more control over what is or isn't allowed onto the client computers on the
local network, while a NAT typically offers easier set up.
To some extent, NAT and proxy servers act as firewalls, but it's only true for the
machines behind the NAT or proxy server. It does not in any way protect the gateway
machine running the NAT/Proxy.
With that said, there are products that combine the functions of a NAT or Proxy (or
both!) and a firewall. Sygate is an example of a program that does offer some sort of
firewall protection for the gateway computer running Sygate.
Note: The Cable Modem can connect to the gateway machine using either ethernet or USB.
To the OS, both options look like network connections.
Partly based on a text by David Rothman.
For a cheaper and simpler setup, that may prove sufficient for most casual users, read
more about the Cheap and Easy Sharing setup.
See also the other articles about internet sharing.