Firewall configuration, Introduction to firewalls, Network address translation and port mapping – Netcom NB5 User Manual

Page 31: Dedicated firewalls


Firewall

YML717 Rev1

NetComm NB5 Ethernet/USB Modem Router

www.netcomm.com.au


Firewall Configuration

Introduction to Firewalls

The NB5 includes firewall features intended to protect the internal network from attack, intrusion
or eavesdropping from the Internet. This section introduces firewalling and the techniques that can
be used to selectively expose services through the firewall while keeping the rest of the network
closed.

Network Address Translation and Port Mapping

The NB5 is a NAT router. NAT stands for Network Address Translation, a process which rewrites the
private IP addresses used by computers on the internal network to one or more public IP addresses
for traffic sent to the Internet. NAT changes the packet headers to the new address and records each
session in a translation table; when packets come back from the Internet, it uses that table to
perform the reverse conversion and deliver them to the client machine that started the session.
Because many internal hosts share one public address, a NAT router of this kind also rewrites the
source port of each session, so the translation table is keyed by port as well as by address.

NAT acts as a firewall partly by keeping internal IP addresses hidden from the Internet, but mainly
because of how the translation table is used. Network applications normally work by contacting an
'open port' on a device attached to the Internet: the client sends a request to that port, which opens
a 'communication session' with the host. The presence of the NAT device prevents this from happening
for hosts behind it, as the NAT only admits incoming packets that match a session an internal host
opened with an outgoing request; all other packets are discarded because there is no table entry to
translate them.

However, this also causes connectivity problems. Any session initiated from the Internet side of
the NAT device, such as the incoming connections used by network gaming and conferencing
applications, cannot find a port, and therefore a host, with which to communicate, because the NAT
discards the request. Hence the terms 'opening', 'forwarding' and 'mapping' ports: these processes
add static entries to the NAT table so that incoming requests for selected services are directed to
the appropriate internal host and port.

So a Port Mapping entry tells the NAT router: 'when a packet arrives which is intended for TCP port
1357, don't discard it, but direct it to this LAN host on this port'. The mapping binds the public
port to a particular LAN client, and the router then translates the destination address of every
matching packet to that client. Note that a forwarded port is reachable from any address on the
Internet, not only from the peers your application expects, so forward only to hosts whose service
is kept up to date and is configured to be exposed, and remove the mapping once it is no longer
needed. The NB5 interface automates the creation of these entries; this is covered in the Port
Forwarding section below.

Dedicated Firewalls

The Firewall function is technically different from NAT in that its sole purpose is to separate, or
'firewall', the internal network from the Internet, whereas the protection NAT offers is a
by-product of address translation. It does this by a variety of means, including SPI, or Stateful
Packet Inspection. SPI records each outgoing request and checks every incoming packet against that
state, blocking packets that do not belong to a session an internal host started. SPI tracks
connection state only; it does not examine the content of the traffic it allows through, so a
service that has been deliberately exposed by a port mapping still needs to be secured on the host
itself.
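The following Python is an added worked example, not NetComm code and not a description of how the NB5 firmware is implemented. It models the session-tracking check described in the NAT section and again in the SPI paragraph above, together with a static port-forwarding table, so the three outcomes the text describes can be seen side by side: an elicited reply is reverse-translated to the client, an unsolicited packet is discarded, and a forwarded port admits traffic from any source. All addresses, ports and packets are constructed for illustration, and the NAT modelled is the strict kind the text describes, where a reply is admitted only when it matches the full remote address and port of an outbound session.

```python
"""Toy NAT router with a session table and a port-forwarding table.

Added example, not NetComm code: it models the behaviour described in the
manual text, not the NB5 firmware. Every address, port and packet here is
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """One public address; each outbound session is given its own public port."""

    def __init__(self, wan_ip: str, first_port: int = 40000) -> None:
        self.wan_ip = wan_ip
        self.next_port = first_port
        # (proto, wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.sessions: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        # outbound 5-tuple -> wan_port, so repeat packets reuse one mapping
        self.outbound: Dict[Tuple[str, str, int, str, int], int] = {}
        # static port mappings: (proto, wan_port) -> (lan_ip, lan_port)
        self.forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def add_port_forward(self, proto: str, wan_port: int,
                         lan_ip: str, lan_port: int) -> None:
        """'Open' a port: admit unsolicited traffic to wan_port, send it to a LAN host."""
        self.forwards[(proto, wan_port)] = (lan_ip, lan_port)

    def lan_to_wan(self, pkt: Packet) -> Packet:
        """Translate an outbound packet and record the session it belongs to."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        wan_port = self.outbound.get(key)
        if wan_port is None:
            wan_port = self.next_port
            self.next_port += 1
            self.outbound[key] = wan_port
            self.sessions[(pkt.proto, wan_port, pkt.dst_ip, pkt.dst_port)] = (
                pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def wan_to_lan(self, pkt: Packet) -> Optional[Packet]:
        """Translate an inbound packet, or return None when the router discards it."""
        if pkt.dst_ip != self.wan_ip:
            return None
        # 1. Elicited reply: the full 4-tuple must match a session a LAN host opened.
        #    This is the stateful check; a packet from a different remote address
        #    or port aimed at the same public port does not match and is dropped.
        hit = self.sessions.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if hit is not None:
            lan_ip, lan_port = hit
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        # 2. Static port mapping: admitted from ANY remote address, which is why
        #    forwarding a port exposes that LAN service to the whole Internet.
        fwd = self.forwards.get((pkt.proto, pkt.dst_port))
        if fwd is not None:
            lan_ip, lan_port = fwd
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        # 3. No session and no mapping: unsolicited, discard.
        return None


def walkthrough() -> Dict[str, Optional[Packet]]:
    """Constructed scenario: one web session, a scanner, then a forwarded port."""
    nat = NatRouter("198.51.100.1")
    client = Packet("tcp", "192.168.1.10", 51000, "203.0.113.5", 80)
    out = nat.lan_to_wan(client)                        # recorded as a session
    reply = Packet("tcp", "203.0.113.5", 80, "198.51.100.1", out.src_port)
    scanner_hit = Packet("tcp", "192.0.2.77", 5555, "198.51.100.1", out.src_port)
    scanner_1357 = Packet("tcp", "192.0.2.77", 5555, "198.51.100.1", 1357)
    results: Dict[str, Optional[Packet]] = {
        "outbound": out,
        "reply": nat.wan_to_lan(reply),                     # admitted, reverse-translated
        "scanner_same_port": nat.wan_to_lan(scanner_hit),   # wrong source: dropped
        "before_forward": nat.wan_to_lan(scanner_1357),     # no mapping: dropped
    }
    nat.add_port_forward("tcp", 1357, "192.168.1.20", 1357)
    results["after_forward"] = nat.wan_to_lan(scanner_1357)  # now reaches 192.168.1.20
    # A mapping is per protocol: the UDP twin of the packet is still discarded.
    results["udp_after_forward"] = nat.wan_to_lan(
        Packet("udp", "192.0.2.77", 5555, "198.51.100.1", 1357))
    return results


if __name__ == "__main__":
    for name, pkt in walkthrough().items():
        print(f"{name:20s} -> {'DROP' if pkt is None else pkt}")
```

Running the block prints the fate of each constructed packet. The point to take from the last two entries is that once TCP port 1357 is forwarded, the scanner's packet, which was dropped a moment earlier, is delivered to 192.168.1.20 exactly as a legitimate client's would be; the mapping opens the port to everyone, and the session-tracking check no longer applies to it.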
