Broadband Routers and Firewalls
Depending on the report you want to accept, between 53 percent and 62 percent of Internet access in the United States is provided by broadband connections. Outside the United States, broadband access percentages can exceed 75 percent of all Internet access methods (http://www.websiteoptimization.com/bw/0511/).
Although broadband Internet access provides for increased download speeds and an explosion of Internet-based services and resources, it also introduces some unique problems to the small office/home office (SOHO) and home user markets. With dialup connections, the need to protect the resources accessing the Internet is not considered as critical, because systems are rarely left connected to the Internet all the time. Rather, users dial the computer into a service provider, do what they need on the Internet, and then hang up the modem, thus protecting the system with the most secure of "firewalls" by disconnecting it from the network.
With most broadband connections, however, the Internet connection is always on; and if the computer is left on, the computer remains always vulnerable to attack. Of course, this scenario is nothing new to the corporate arena, where always-on Internet connections are normal, but it presents a whole new issue of how to secure environments that are often out of the control of the IT department and frequently do not have people with the technical expertise to deal with security issues at the location where the resources are.
Many home users and hobbyists also want to take advantage of the increased speed and better functionality that a broadband connection provides, but want to ensure that their systems are as secure as possible. They have neither the technical expertise nor desire to secure their computers properly, but at the same time they want something that they can place between their computer and the network and be relatively certain that their computer will be protected.
How Broadband Routers and Firewalls Work
Many broadband routers and firewalls function primarily through the use of Network Address Translation (NAT) to hide the internal systems behind a single external IP address. These so-called "NAT routers" or "NAT firewalls" do an adequate job of hiding resources from casual attack methods, but they do not perform advanced firewall functions; therefore, it is really a bit of a misnomer to call them firewalls, at least in the sense that firewalls such as the Cisco Secure PIX Firewall, Microsoft ISA Server, and Check Point Firewall-1 products are considered firewalls. Rather, many broadband routers and firewalls are just NAT-based packet-filtering routers providing a degree of privacy, but they typically lack advanced firewall features such as stateful packet inspection (SPI), proxying of data, or deep packet inspection.
Figure 5-1 shows the NAT process.
Figure 5-1 How NAT Works
The steps numbered in Figure 5-1 can be further explained as follows:
- The client initiates a connection to an external host (HostB).
- The broadband router/firewall receives the request and translates the request from the internal IP address to the address of the router/firewall's external interface. The router/firewall keeps track of this translation in a translation table.
- The packets are delivered to the external destination (HostB), which believes that the packets originated from the external IP address of the router/firewall. The external host (HostB) responds accordingly to the external IP address of the router/firewall.
- When the router/firewall receives the response from the external host, it checks its translation table for a matching outbound request.
- If it finds one, the router/firewall repackages the packet and delivers it to the internal host (HostA), which thinks that the response is from the external host (HostB).
In addition, most broadband routers/firewalls are designed not to permit any unsolicited packets from an external host to be delivered to an internal host.
Although this is generally an adequate level of protection for most home environments, it is important to understand that reliance on NAT alone to protect hosts is a false sense of security because NAT does not guarantee security in and of itself, as noted in RFC 2663 Section 9.0. For example, NAT devices are as susceptible to targeted attacks, such as denial-of-service (DoS) attacks, as non-NAT devices. NAT also provides for no actual filtering of packets leaving the internal network; instead, it permits all outbound traffic as long as it can be translated accordingly. Although it is a subtle difference, NAT provides more privacy than it does security.
Therefore, only when used in conjunction with other technologies can NAT serve as an effective security mechanism. The best broadband routers/firewalls (for example, many of the Linksys broadband firewalls) include application-level filtering, deep packet inspection, SPI, firewall hardening, and NAT.