
New to understanding NATs...

Discussion in 'Tomato Firmware' started by pdawg17, Apr 21, 2008.

  1. pdawg17

    pdawg17 LI Guru Member

    I have a Buffalo WHR-G54S router with Tomato 1.18 firmware and am trying to secure my network with as little "software load" on my pc as possible...my network currently only consists of a wired desktop pc, a laptop, an Xbox 360 and a Directv box (for media streaming)...I've heard a lot of people say that a software firewall is not needed if you have a good hardware firewall with NAT...I'm using Comodo on my Vista x64 box right now but is it necessary if I have Tomato installed? Is NAT enabled by default in the Tomato firmware or do I need to change some settings for "maximum protection"?
     
  2. kevanj

    kevanj LI Guru Member

    NAT = Network Address Translation....

    What NAT does, is just what it says...it translates network (or IP) addresses. Your ISP provides you with (under the vast majority of circumstances) a single public IP address that you use to connect one device to the internet. In your case, that device is your router. The IP addresses that your PC(s), XBox, etc, get from the DHCP server built into your router are known as private IP addresses. They are not routable over the internet. If you want to connect to a website on the internet, that website must be able to send information back to a routable address. That is where NAT comes in. Your router performs what is known as Hide NAT. Any requests from your internal devices going out to the internet have the source address replaced with the IP address that your ISP has assigned to you (which appears on the WAN interface of your router). The router tracks the connections outbound, and makes sure the correct traffic goes back to the correct device when it is sent back from the internet server, using a combination of the private IP address and the TCP or UDP service port. This combination is known as a socket.

    Part of what enables your router to do that is the SPI (Stateful Packet Inspection) firewall built in to the router. The other thing the firewall in the router (also known as the 'hardware' firewall) does, is block any traffic coming inbound from the internet that does not have an associated outbound connection. The SPI firewall in the router is very good at doing that, and unless you open ports using the Port Forwarding capabilities of the router, or set up remote administration capabilities, the firewall will stop mostly anything from coming in.

    Software firewalls (installed on your PC) can be very useful and should not be dismissed completely. While the inspection of inbound packets is made somewhat redundant by the SPI FW in the router (unless someone hacks into your network somehow), what a good software firewall will allow you to do is restrict outbound traffic. If your PC gets infected with a Trojan for instance, it may try to connect to servers on the internet defined by the scallywag that wrote the virus. You can use software firewalls that perform outbound traffic inspection to identify and restrict that traffic.
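
The two posts above describe hide NAT (private source rewritten to the WAN address plus a tracked port, the socket) and the stateful rule that inbound traffic is only delivered when matching outbound state, or an explicit port forward, exists. The following is an added illustration, not code from the thread or from Tomato; it is a deliberately small model in Python with constructed addresses (192.168.1.x on the LAN, 203.0.113.10 as the WAN address, 198.51.100.x as internet hosts). It is endpoint-strict (a reply must come from the exact remote socket that was contacted); real routers vary in how strictly they match, so treat that detail as a simplification.

```python
# Added example (not from the thread or from Tomato): a toy model of hide NAT
# plus stateful inbound filtering. All addresses and ports are constructed.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Socket = Tuple[str, int]            # (ip address, port): the "socket" of the post


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: Socket
    dst: Socket


class HideNat:
    """Rewrites outbound sources to the WAN address and only lets matching
    replies (or explicitly forwarded ports) back into the LAN."""

    def __init__(self, wan_ip: str, first_port: int = 40000) -> None:
        self.wan_ip = wan_ip
        self._next_port = first_port
        # connection table: (proto, wan_port, remote socket) -> private socket
        self.table: Dict[Tuple[str, int, Socket], Socket] = {}
        # reverse lookup so a flow keeps the same WAN port for its lifetime
        self._by_flow: Dict[Tuple[str, Socket, Socket], int] = {}
        # manual exceptions (what a Port Forwarding page configures):
        # (proto, wan_port) -> private socket
        self.forwards: Dict[Tuple[str, int], Socket] = {}

    def add_port_forward(self, proto: str, wan_port: int, private: Socket) -> None:
        self.forwards[(proto, wan_port)] = private

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> internet: replace the private source with WAN ip + a tracked port."""
        flow = (pkt.proto, pkt.src, pkt.dst)
        wan_port = self._by_flow.get(flow)
        if wan_port is None:
            wan_port = self._next_port
            self._next_port += 1
            self._by_flow[flow] = wan_port
            self.table[(pkt.proto, wan_port, pkt.dst)] = pkt.src
        return Packet(pkt.proto, (self.wan_ip, wan_port), pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """internet -> LAN: deliver only if state (or a forward) exists; None = dropped."""
        if pkt.dst[0] != self.wan_ip:
            return None
        private = self.table.get((pkt.proto, pkt.dst[1], pkt.src))
        if private is None:
            private = self.forwards.get((pkt.proto, pkt.dst[1]))
        if private is None:
            return None                     # unsolicited: the SPI firewall drops it
        return Packet(pkt.proto, pkt.src, private)


def demo() -> dict:
    """Walk through the cases the posts describe and return each outcome."""
    nat = HideNat("203.0.113.10")
    pc = ("192.168.1.20", 51000)
    web = ("198.51.100.5", 80)
    out = nat.outbound(Packet("tcp", pc, web))                 # PC opens a web page
    again = nat.outbound(Packet("tcp", pc, web))               # same flow, same WAN port
    reply = nat.inbound(Packet("tcp", web, out.src))           # server answers: delivered
    stray = nat.inbound(Packet("tcp", ("198.51.100.99", 4444), (nat.wan_ip, out.src[1])))
    probe = nat.inbound(Packet("tcp", ("198.51.100.99", 4444), (nat.wan_ip, 22)))
    nat.add_port_forward("udp", 3074, ("192.168.1.30", 3074))  # e.g. a console's game port
    fwd = nat.inbound(Packet("udp", ("198.51.100.7", 3074), (nat.wan_ip, 3074)))
    return {"out": out, "again": again, "reply": reply,
            "stray": stray, "probe": probe, "forward": fwd}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:8s} -> {pkt if pkt else 'DROPPED'}")
```

Running it shows the server's reply being mapped back to 192.168.1.20:51000, while a packet from another host to the same WAN port, and a probe to a port with no state, both come back as dropped; only the explicit forward lets a fresh inbound packet through.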
     
  3. Macskeeball

    Macskeeball LI Guru Member

    What NAT (Network Address Translation) does is allow multiple devices to share a single IP address. Consumer routers are all NAT routers.

    There is still a point to running a software firewall even when you have a router. This is especially true for laptops, because they might be put on other people's networks away from your router entirely. Also, there is the idea of defense in depth. In the event that a computer on your network (or any other network you may be on) has somehow been compromised, you would want the other machines on your network protected from that.

    Therefore, I recommend using the software firewall built into the OS in addition to the hardware firewall your router provides.

    Some other important tips would be using solid encryption AND a very strong key for your wireless. I recommend WPA-PSK (aka WPA Personal) with TKIP because it's the least computationally intensive encryption that has not been cracked. It is also critical that you use a very strong password (both very long and very random) with that, to prevent brute force attacks (read: automated trial and error) from working. For good measure, you should also change your SSID (wireless network name) to something more unique.

    If you're interested, I recommend listening to the Security Now podcast from Steve Gibson and Leo Laporte. Definitely go back to the older episodes.
     
  4. pdawg17

    pdawg17 LI Guru Member

    Are there any "gimme" changes that should be made to the default settings in the Tomato firmware for the "average" network setup?
     
  5. pdawg17

    pdawg17 LI Guru Member

    Last question...you mention using WPA Personal with TKIP...what about WPA2 + AES? Isn't AES "better"?

    Can my WHR-G54S take advantage of it?

    I use the Buffalo wireless converter with it (Buffalo firmware) which I believe only has WPA (I could be wrong)...if I set the router for WPA/WPA2 and then enable AES is AES in fact being used (I can set AES on the converter)? I thought AES was only for WPA2?

    There is also TKIP + AES?
     
  6. szfong

    szfong Network Guru Member

    TKIP consumes more cpu, was software made transitional away from WEP easier, didn't have to throw away old WEP routers. It is STILL safe. AES, quite computational intensive, is fastest now, it has hardware assist. I personally use WPA/WPA2 + AES for fastest. I still need WPA compatibility, else WPA2 all the way. However, they are safe as long as you use LONG/RANDOM keys, 63 characters. btw, DON'T use 64 characters, had rare compatibility issues OR test it first and expect possible compatibility problems.

    -Simon
     
  7. pdawg17

    pdawg17 LI Guru Member

    So is Tomato firmware at "maximum security" by default (other than the wireless encryption settings of course) or are there other recommended changes to make?
     
  8. Macskeeball

    Macskeeball LI Guru Member

    Very interesting. I was under the impression that TKIP used less resources because it was simpler, but according to szfong's post I may have been wrong. I wasn't aware that AES is faster than TKIP now. I'll have to give it a try the next time I'm back home.

    I recommend using a custom SSID (wireless network name), instead of the default SSID that is the same for everyone. I mentioned brute force attacks (automated guess and check) in my previous post. There's a special and particularly scary form of brute force attack in which "rainbow tables" are used. Rainbow tables are very large collections of pre-computed brute force attacks, for the purpose of a very fast attack. These depend on the default (and well known) SSIDs being used, though.

    I also like to set the router config panel to use HTTPS and not HTTP, so that I have a tad more defense in depth (protection from sniffing by other devices on my network, which could get malware). That's up to you though.
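
Posts 3, 6 and 8 recommend a long random passphrase and a non-default SSID, and post 8 explains why precomputed ("rainbow") tables only work against well-known SSIDs. The reason is in how WPA/WPA2-Personal turns the passphrase into the 256-bit key: it runs PBKDF2-HMAC-SHA1 for 4096 rounds with the SSID as the salt, so the same passphrase yields a different key on every differently-named network. The code below is an added example, not from the thread or from any router firmware, that derives that key and generates a 63-character random passphrase; the SSID and passphrase values in it are either constructed or the published IEEE test vector.

```python
# Added example (not from the thread): WPA/WPA2-Personal key derivation and a
# random-passphrase generator. Test values are constructed or from IEEE 802.11i.
import hashlib
import secrets
import string

PBKDF2_ROUNDS = 4096    # fixed by IEEE 802.11i
KEY_LEN = 32            # the PMK is 256 bits


def passphrase_is_valid(p: str) -> bool:
    """WPA passphrases are 8 to 63 printable ASCII characters."""
    return 8 <= len(p) <= 63 and all(32 <= ord(c) <= 126 for c in p)


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PMK from passphrase + SSID as WPA/WPA2-Personal does."""
    if not passphrase_is_valid(passphrase):
        raise ValueError("passphrase must be 8..63 printable ASCII characters")
    # The SSID is the salt: one precomputed table covers only one SSID, which is
    # why a unique SSID defeats tables built for default network names.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, KEY_LEN)


def random_passphrase(length: int = 63) -> str:
    """A 63-character passphrase from the OS CSPRNG (letters and digits only)."""
    # 62^63 is about 2^375 possibilities, already beyond the 256-bit key, so
    # punctuation adds nothing and only risks router/client UI quirks. Stop at
    # 63: a 64-character hex string is treated as the raw key, not a passphrase.
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def same_passphrase_two_ssids(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True if changing only the SSID changes the derived key (it always does)."""
    return wpa_psk(passphrase, ssid_a) != wpa_psk(passphrase, ssid_b)


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print(wpa_psk("password", "IEEE").hex())
    print(same_passphrase_two_ssids("password", "linksys", "my-unique-ssid-7Qx"))
    print(random_passphrase())
```

The first line printed matches the published vector for ("password", "IEEE"), which is a quick way to confirm a router or client implements the derivation correctly; the second shows that the same passphrase on two differently-named networks gives two unrelated keys.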
     
  9. popeye123

    popeye123 Addicted to LI Member


    I think this is what I was looking for to set up a secure network. Newbie to this-How and where can I set up this up? Where and how can I set up the SSid name and password in the firmware? As being new-what else should I be doing? Appreciated, thanks.
     
  10. levelup3

    levelup3 Addicted to LI Member

    I am glad to read it here.
     
  11. bripab007

    bripab007 Network Guru Member
