Do NAT-routers block unsolicited UDP packets?

It's generally said that your conventional residential NAT-router acts by default as a kind of incoming firewall by blocking unsolicited packets from reaching any PCs connected to its LAN ports.

That said, I'm asking specifically about UDP packets, and if unsolicited UDP packets are blocked.

Edited by 98 Guy


I think you'd have to check the specific model router you're asking about.

Checking for unsolicited UDP would require the router to keep a list of UDP requests you have made.

This goes beyond the "passive" firewall that a router provides and requires an active checking mechanism.

There may be some routers that do this, but I would think this is a feature more commonly associated with firewalls.


If the router is performing 1 to many NAT then yes it will block them; it shouldn't matter the model router you are using. 1 to many NAT is 1 to many.

If you are performing 1 to 1 NAT then no NAT will not necessarily block it. You would need some type of packet inspecting/filtering to do the blocking for you.

Most home routers (Netgear/D-Link to name a few) perform 1 to many NAT and have SPI, so unless you globally forwarded all ports to 1 computer or put 1 specific computer in the DMZ then it should block it.

If we are talking corporate type stuff.. then this gets more complicated and we would need more information because of the variety of equipment available.


Ok, we've got two different answers. One says:

> checking for unsolicited UDP would require the router to keep a
> list of UDP requests you have made. this goes beyond the
> "passive" firewall that a router provides and requires an active
> checking mechanism.

The other answer says:

> If the router is performing 1 to many NAT then yes it will block
> them, it shouldn't matter the model router you are using. 1 to
> many NAT is 1 to many. If you are performing 1 to 1 NAT then
> no NAT will not necessarily block it. You would need some type
> of packet inspecting/filtering to do the blocking for you.
>
> Most home (netgear/dlink to name a few) perform 1 to many NAT
> and has SPI so unless you globally forwarded all ports to 1
> computer or put 1 specific computer in the DMZ then it should
> block it..

According to the first answer, if an unsolicited UDP packet came into the router, then which of its internal LAN ports would it send the packet to? Why do you believe that a router doesn't track UDP packets like it tracks TCP packets as it performs its NAT function?

The second answer is more along the lines of what I was thinking.

Given someone with a "1 to many" NAT-router (say, in a residential setting), then what sort of alerts would someone running a software firewall see (in-bound alerts)? I would think they wouldn't see any alerts, be they unsolicited UDP, or TCP. Am I right?


When running NAT, in order for a packet to go through it (TCP or UDP), there needs to be a NAT map; otherwise the router will drop it (yes, it could log it), but it will not make it to a computer.

So you would not see any alerts because they are not making it to you (unless you had the port being used mapped to you or you were on the DMZ).


Unless you're doing a 1-1 NAT (most consumer-grade routers call this the "DMZ host"), then all incoming unsolicited traffic will get dropped. If you have a 1-1 NAT (or a machine set as the "DMZ host"), then all incoming packets that do not have a NAT map request from another machine (unsolicited packets) get routed to the "DMZ host" by default.

So your answer is, unless you've configured a DMZ host, incoming UDP packets that are unsolicited will be dropped at the external interface of the router.


Maybe I'm wrong, but I get the impression in a lot of forums that a lot of people either don't understand (or don't want to understand) that a NAT-router is just as effective as a software firewall at blocking unsolicited in-coming threats, and that a NAT-router performs this function more effectively and efficiently than a software firewall, without being vulnerable to being deactivated by malware.


> Maybe I'm wrong, but I get the impression in a lot of forums that a lot of people either don't understand (or don't want to understand) that a NAT-router is just as effective as a software firewall at blocking unsolicited in-coming threats, and that a NAT-router performs this function more effectively and efficiently than a software firewall, without being vulnerable to being deactivated by malware.

Not vulnerable as long as you changed the default password, and maybe kill UPnP just for good measure. Software firewalls are still good for program control of course.


NAT is something that really not too many people understand. They see it thrown around on forums but they don't always know what it means. NAT is not a firewall in itself however. It is much more complex than this, but really it is just a way of sharing a single public IP to many non-public IPs. The mechanism it uses to perform this does block unsolicited packets, but it was not meant to be a firewall. You still need something that can do access lists and define port and protocol rules on a more granular level.

I may reference this site a lot but it just contains too much information.

http://www.routeralley.com/ra/docs/nat.pdf

If you want to get a better understanding, read this. It is directed more towards cisco hardware but the terminology is not cisco specific.


And a NAT router only protects against unsolicited incoming threats - it doesn't protect users from themselves (i.e. open a virus attachment, download/run a virus disguised as a program, etc). I guess you could say it protects against "active" threats, but not "passive". I've seen too many people install a NAT router and then remove firewall and A/V from their machines internally thinking they're magically protected due to the router. Also, firewalls on internal machines are still pretty important, as if a machine inside your network gets infected with a propagating virus, the other machines are not protected by the router :).

It's the "crunchy outside, chewy inside" network philosophy that I don't agree with - don't trust the other machines on your network behind your router/firewall too much, or bad things can happen.


> NAT is not a firewall in its self however.
> The mechanism it uses to perform this does block unsolicited
> packets, but it was not meant to be a firewall.

Does it matter?

When you look at a (software) firewall, you basically have 2 (and only 2) capabilities or modes of operation:

1) dealing with incoming packets

2) dealing with out-going packets

For the sake of argument, if we consider a NAT-router as a firewall, then it only has 1 of those two capabilities:

A) dealing with incoming packets

When I say "dealing with incoming packets", I mean preventing unsolicited incoming packets from reaching any system on the internal LAN.

If we agree that the CAPABILITY or FUNCTIONALITY of (A) is equal to (1), I then have to ask myself if item (2) is important enough for me to go out and install a software firewall.

Many people do not think that (A) is equal to (1) but can't explain why or how (A) is deficient when compared to (1). It doesn't matter that (A) is a side-effect of how the router performs NAT.

> I guess you could say it protects against "active" threats, but not "passive".

And by "passive threat", you mean a solicited INCOMING packet that contains exploit code? Or is it unauthorized out-going packets?

> I've seen too many people install a NAT router and then remove
> firewall and A/V from their machines internally thinking they're
> magically protected due to the router.

I think that unsolicited incoming threats are way more of an issue compared to monitoring out-going stuff. Once you have a NAT-router, the reason for getting a software firewall drops considerably.

Assuming that a software firewall hasn't been disabled by malware, then I guess it can alert you to the fact that you have malware installed and running on your system, but it didn't prevent it from getting on your system in the first place.


Where (A) is not equal to (1), is that a software firewall can stop incoming packets from your own lan, which a perimeter device obviously cannot.

Whether you need a software firewall depends on how careful you are, and how much you trust the machines on your network.


It all depends on your need. At my work network, all workstations run the Windows firewall (no it isn't the greatest but it will stop a virus/malware spread on a network and takes up minimal resources) and all are behind a NAT router. I do this because I want to protect each PC from not only threats on the internet but also from other computers. This is because a NAT router will block unsolicited traffic from the internet from getting to the computer.. but if a user downloads it to one computer.. it can easily make it to all 300 computers in a matter of minutes.

Yes it is real easy to just connect a computer straight to the internet and get a virus.. in most common (corporate) scenarios, this just doesn't happen.. so for me.. I have a firewall which performs NAT as well as a firewall to block my inside from the outside. From that point on.. I am more concerned with getting something from another computer within the network than I am from outside the network.

Really though we are talking about a couple different things and I guess it depends on your viewpoint. Security comes from different places. No 1 single device will do everything for you. NAT will protect you from the outside.. but what is protecting you from the other computers on the network.... nothing.. that is where a software firewall comes in.. but now that you have blocked the outside network and the inside network from accessing your computer... what about when the user downloads the threat.. you still arent protected.. this is where AV comes into play.

Beyond that.. A is equal to 1 in theory.. but there is much more to it. NAT will block in general as is.. but in many scenarios NAT also performs PAT (port address translation) which allows you to take say port 80 of your IP and translate that to 1 computer inside, and take another port.. say 21 and translate that to a different computer on the inside.. Then from that point.. what is protecting your computers on those ports.. NOTHING. That is where a firewall comes into play.

NAT is getting painted here with a real broad brush. As default 1 to many.. yes it will block incoming unsolicited packets. but what are we really talking about here. Network security comes from a multitude of different levels and no 1 device/software will do everything. The original question was answered.. now we are getting into much more heavy discussions which require more explaining.

Now as far as how it is deficient.. starting with the assumption that we are using NAT in ONLY a 1 to many setup, it will ONLY block incoming from outside in, which is NOT a viable solution if we are talking a secure network as a whole (inside and outside protection). That is how it is deficient. It is a perimeter defense.

If all you are worried about is protecting your computer from outside threats and are running only 1 to many NAT with NO translations.. then you are protected............ from unsolicited packets ONLY.
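As an added illustration of the NAT-map behaviour described in the replies above (the "needs a NAT map or it is dropped" post, the DMZ-host post, and this one on PAT/port forwarding), here is a toy Python model of a 1-to-many NAT table; it is not code from the thread or from any router vendor. The class and field names, the sample addresses, and the rule that a mapping only admits the peer the LAN host contacted are all assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class OneToManyNat:
    """Toy 1-to-many NAT (PAT) with an SPI-style mapping table (assumed model)."""
    public_ip: str
    dmz_host: str = ""                              # the thread's "DMZ host" fallback
    forwards: dict = field(default_factory=dict)   # (proto, ext_port) -> (lan_ip, lan_port)
    table: dict = field(default_factory=dict)      # (proto, ext_port) -> (lan_ip, lan_port, peer)
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: pick a free external port and record who asked whom."""
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.proto, ext_port)] = (pkt.src_ip, pkt.src_port, (pkt.dst_ip, pkt.dst_port))
        return Packet(pkt.proto, self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> tuple:
        """WAN -> LAN: translate if mapped, forwarded or DMZ'd; otherwise drop."""
        key = (pkt.proto, pkt.dst_port)
        if key in self.table:
            lan_ip, lan_port, peer = self.table[key]
            # Assumed: only the peer the LAN host contacted is admitted (restricted NAT)
            if peer == (pkt.src_ip, pkt.src_port):
                return ("deliver", lan_ip, lan_port)
        if key in self.forwards:                 # explicit port forward (PAT)
            return ("deliver", *self.forwards[key])
        if self.dmz_host:                        # unmapped traffic lands on the DMZ host
            return ("deliver", self.dmz_host, pkt.dst_port)
        return ("drop", None, None)              # unsolicited: never reaches the LAN

def demo() -> dict:
    """Constructed scenarios (sample addresses are made up); returns each outcome."""
    nat = OneToManyNat("203.0.113.5")
    out = nat.outbound(Packet("udp", "192.168.1.20", 51000, "198.51.100.53", 53))
    reply = Packet("udp", "198.51.100.53", 53, nat.public_ip, out.src_port)
    probe = Packet("udp", "198.51.100.99", 4444, nat.public_ip, 1900)
    results = {"dns_reply": nat.inbound(reply), "unsolicited": nat.inbound(probe)}
    nat.forwards[("udp", 1900)] = ("192.168.1.30", 1900)
    results["forwarded"] = nat.inbound(probe)
    results["dmz"] = OneToManyNat("203.0.113.5", dmz_host="192.168.1.40").inbound(probe)
    return results
```

The same unsolicited probe is dropped by the plain 1-to-many table, but is delivered once a port forward or a DMZ host exists, which is exactly the exception the replies keep pointing at.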


> It all depends on your need.

The question I was posing was strictly pertaining to the in-bound handling of unsolicited packets and if a NAT-router might be inferior to a software firewall in that regard. I specifically did not expand the topic to include a larger discussion about possible network topologies.

The answers given here is that a NAT-router is functionally equivalent to a software firewall when it comes to "fire-walling" unsolicited in-bound packets.

I note that many responses like to point out the possibility of opening the DMZ or specific ports, but the same options exist for software firewalls as well, so again I don't see the point of mentioning those exceptions.

If we were to consider network topology, I would argue that the most common type of network configuration in North America is a single PC in a residential setting. In those cases where a NAT-router (or a broad-band modem with internal NAT-router) is used, what then is the incremental benefit of purchasing and running a third-party bi-directional software firewall? I say little to none.

In the same situation (residential, single PC) where there is no NAT-router, the OS will probably be XP, and if XP's own in-coming firewall is turned on (as weak or as vulnerable as it is) then again what is the incremental benefit of purchasing and running a third-party bi-directional software firewall? I say little to none.
