Does NAT Add Any Additional Security on my Wireless Router? (Tech Vanity)

5/21/2010 | Me

[Dallas59]

I have an old WRT54G wireless Linksys Router. All my computers go through this to connect to the net. I have access restriction turned on with a list of the MAC addresses of my 5 computers and IP range. Do I need NAT checked and does this add any extra security? At least 2 computers are being used at anytime by us. 3 use XP and the other 2 us W7. All have the Comodo Firewall.

[Dallas59]

[TomGuy]

I run Comodo firewall on both the main pc (wired) and laptop (wireless) with Linksys router.

The Gibson Research Shields Up tests show my computers as stealth.

http://www.grc.com/su-firewalls.htm

[Java4Jay]

ping

[red-dawg]

In a word, yes.

Network Address Translation adds security to your network and makes it "appear" as one ip address.

[UB355]

Here is what my router info says

NAT Enabling
Before you enable this function, MAKE SURE YOU HAVE SET THE ADMINISTRATOR PASSWORD. Network Address Translation (NAT) is the method by which the router shares the single IP address assigned by your ISP with the computers on your network. Advanced users should only use this function. This function should only be used if your ISP assigns you multiple IP addresses or you need NAT disabled for an advanced system configuration. If you have a single IP address and you turn NAT off, the computers on your network will not be able to access the Internet. Other problems may also occur. Turning off NAT will disable your firewall functions.

[Dallas59]

Mine does too. I live in an apartment complex with several wireless networks surrounding me. I get pArANoId about someone trying to leech into my network here at home.

[Dallas59]

I’ve assigned each computer a different IP address. It’s a patchwork system. Two PC’s use Linksys wireless adapters and the other three use NETGear adapters.

[Snickering Hound]

I’m too paranoid to run wireless at all and just use powerline.

http://en.wikipedia.org/wiki/Wireless_hacking

http://en.wikipedia.org/wiki/Aircrack-ng

http://aircrack-ng.org/

[BigSkyFreeper]

I think he’s wanting to secure his wireless router. Your links help him secure his PC, which should be done too.

[Michael Barnes]

Get off that Linksys firmware and get on DD-WRT!!

[RightOnTheLeftCoast]

With that router (and most ISPs) you need NAT checked if you'll be using it to connect more than one device to the Internet.

NAT does add a layer of security in that your PC is not naked and exposed to the Internet-- some malware goes poking around looking for naked PCs with available IP ports that it can exploit.

Linksys even offered a one-port "router" (maybe they still do) which used NAT to put a bit of separation between the connected PC and the Internet. That means that if you run a scanner like on Gibson Research's site it won't be able to see your computer or poke at its ports.

But NAT while is a good idea, you should still be running a software firewall. And perhaps even more importantly run a good anti-virus/anti-malware utility like Avast or Microsoft Security Essentials (both free).

Encrypting your WiFi connection is also essential nowadays, and even legally required in some places like Germany. So, be sure that is turned on. Use WPA2 if your router and PC support it. But even WEP is better than nothing.

This all assumes you're running Windows. I'll spare you my editorial on the wisdom of that... ;-)

Is there some reason you would want to turn NAT off?

[DManA]

old WRT54G wireless Linksys Router.

I’ve got one of those too. Are you telling me it’s obsolete? Dang.

[Dallas59]

Didn’t know about it. I looked at the Networks around me and saw five new ones. Most are WEP but some are WPA2. Both of my Linksys adapters don’t have WPA2 (old.) The Linksys router has WPA2. looks like a trip to FRYS is on order.

[Dallas59]

I bought this one 2005.

[RightOnTheLeftCoast]

"I’ve got one of those too. Are you telling me it’s obsolete? Dang."

Don't worry too much about it. Unless you're trading in state secrets, any encryption (even lame ol' WEP) is good enough. The main thing you need to guard against is someone utilizing your bandwidth to deal in kiddie porn, terror planning or similar bad stuff. WEP can be cracked but it's unlikely that your average Bad Guy will bother. I'd just advise letting your router live its natural life and then replace it with a better one (such as the D-Link DIR-655) when the time comes.

But maybe you're concerned about something in particular. Post with a more detailed question or problem-statement if so. For example, WiFi encryption doesn't impact malware issues. NAT, as we've discussed, is a bit of help in that regard. But issues such as email privacy or financial-transaction security are more complex problems and require a multi-layered approach. So, let us know what's on your mind.

[Mariner]

You ABSOLUTELY want to run NAT, and configure your home network to an odd-ball IP address like: 2.3.2.xxx with a mask of 255.255.255.128.

That same router has a Firewall function that should be turned on in ADDITION to your PC Firewalls.

[DManA]

Thank you. No it’s been pretty trouble free.

[DallasMike]

I use NAT. Many newer routers have it enabled by default.

I don't use use MAC address filtering -- it's easy to spoof. I don't hide my SSID because it actually decreases security. Neither do I disable DHCP.

You should enable SPI, though it's effectiveness depends on your router. Cheaper routers don't necessarily inspect the packet headers.

I spent an entire Saturday about six months ago trying to hack into my Wi-Fi with the latest and greatest tools. I couldn't do it.

For what it's worth, you can make a Windows system just as secure as a Linux or Mac system. I use Windows 7, Ubuntu, and Mandriva at home and am also testing Chrome OS builds. Each have their strengths and weaknesses. While there are a certainly a lot more attackers targetting Windows systems, security is ultimately the responsibility of the user.

[DallasMike]

Oops, I meant to say that I disable DHCP. Use static addresses instead and don't choose from the beginning of the range that your router supports. Hackers often hone in on common addresses like 192.168.0.1.

[Michael Barnes]

What revision is your router? I have the same model. Running on linksys firmware, I never “saw” the whole of all memory in the router. Plus, the linksys firmware is proven to run SLOWER than dd-wrt. If you have Rev. 03 like I do, there is 32MB of physical memory. Additionally, dd-wrt offers far better access lists for wireless based on MAC addresses. You can also set much stronger wireless encryption on dd-wrt than you can with linksys firmware.

http://www.dd-wrt.com/site/index