I've posted some specific SOHO network and cable modem sharing
questions during the past 10 days. I received many informative
responses and culled (with a little editing to make things flow better)
the most helpful and relevant (to me) parts into a reasonably cohesive
help file. I thought others might find it useful, so here is a first
draft. My thanks to all the people who answered my queries, and in
particular to George Marengo, John Navas, Eric Gisin, and Jeffrey
Please send any corrections, additions or flames my way. There are no
guarantees everything in here is 100% accurate.
My original problem was how to SECURELY network 3 pc's (with full
print/file sharing between the machines) running Win98 se and share a
cable modem (using 2 nics in my gateway machine and 1 ip address from
The discussion that followed was a primer in NATS, Proxy Servers &
NAT or a proxy server allow you to share an ip address between
multiple machines. This does not necessarily imply any security. If
your gateway device is using NAT or a proxy, that does not make the
gateway any more secure than it would be if those services were not
running. It usually does mean that the network behind it is harder to
reach or attack, but even that is not always true.
As I said above, NAT and proxies do not necessarily do anything for
your security. The two real competing firewall technologies are packet
filtering and proxies.
In general, NATs are easier to set up and use than Proxy Servers
because you simply install it on the computer that is directly
connected to the cable modem. Proxy Servers generally require
settings for each client computer.
All the PC NAT products do address/port mapping, and keep state
information that prevents incoming connections. This provides the same
protection as stateful packet filtering.
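As an added illustration (not part of the original post), here is a minimal Python model of the address/port mapping and state keeping described above: an outbound flow creates a table entry, and an inbound packet is forwarded only if a matching entry exists. All addresses and ports are constructed, and the class and function names are hypothetical.

```python
class StatefulNat:
    """Minimal NAT table: outbound flows create state; inbound packets
    are forwarded only when matching state exists, otherwise dropped."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (private_ip, private_port, proto) -> public_port
        self.inbound = {}    # (public_port, proto) -> (private_ip, private_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        """Rewrite a packet leaving the LAN; allocate a public port on first use."""
        key = (src_ip, src_port, proto)
        pub_port = self.outbound.get(key)
        if pub_port is None:
            pub_port = self.next_port
            self.next_port += 1
            self.outbound[key] = pub_port
            self.inbound[(pub_port, proto)] = (src_ip, src_port)
        return (self.public_ip, pub_port, dst_ip, dst_port, proto)

    def translate_inbound(self, src_ip, src_port, dst_port, proto="tcp"):
        """Rewrite a packet arriving from the Internet, or return None to drop it.
        Many real NATs also require src_ip/src_port to match the remote end
        of the outbound flow; that refinement is omitted here."""
        target = self.inbound.get((dst_port, proto))
        if target is None:
            return None          # no inside host opened this flow: dropped
        return (src_ip, src_port, target[0], target[1], proto)


def demo():
    # Constructed addresses: RFC 5737 documentation ranges on the public side.
    nat = StatefulNat("203.0.113.5")
    # LAN host 192.168.0.10 opens a web connection; the NAT records state.
    out = nat.translate_outbound("192.168.0.10", 1025, "198.51.100.7", 80)
    # The web server's reply matches that state and is delivered inside.
    reply = nat.translate_inbound("198.51.100.7", 80, out[1])
    # An unsolicited inbound connection to port 139 (file sharing) finds
    # no state and is dropped, even though a LAN host may listen on 139.
    dropped = nat.translate_inbound("198.51.100.9", 3333, 139)
    return out, reply, dropped


if __name__ == "__main__":
    print(demo())
```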
A NAT product should replace the TCP/IP stack on the PPP/NIC adapter
with its own IP stack. That would protect the gateway machine.
Product documentation should indicate this, however many products dumb
it down for newbies.
NAT makes the machines _behind_ the server machine more secure
essentially because you use IP addresses that are reserved for use on
Proxy Servers are used where you want tighter control of what the
client machines are allowed to do, or when you have many client
machines. The proxy lightens the load on the cable modem, assuming
that the clients tend to want to see the same content. With a NAT,
every request requires a retrieval through the cable modem.
When building a firewall gateway, you are often looking to address two
problems: (1) mapping your network onto a limited number of public
addresses; and (2) providing security.
NAT addresses the first problem, and is generally used when you are
using a packet filtering firewall to provide the security. Combined,
they solve both of the problems.
Proxy Servers can be used to solve both of the problems by themselves.
Most commercial gateway firewall products these days are a combination
of all of these. Proxy Servers can be highly secure, and let you look
into the application data of the packets, so you can do things like
rewrite mail headers, block urls, etc. However, they can be somewhat
limiting because writing an intelligent, secure proxy for every
protocol/application is more than anyone can handle. Most firewalls
then use either packet filtering and NAT or packet filtering and a
generic proxy to cover the areas where they do not have a good proxy
written. Packet filtering/NAT also tends to have less overhead than
SOME SPECIFIC PRODUCTS:
Sygate is a NAT, Winproxy is a proxy server. SyShield, Conseal and AtGuard
are all personal firewalls.
ICS is a NAT program. It used to be called NAT 1000 and the company
was purchased by Microsoft.
SyShield, Conseal, and AtGuard are all PC Firewall products. They are
designed to increase the security of one host by adding a packet
filter. But, since these are designed as PC or host firewalls, they
do not address problem number 1, how to share an ip address.
WinProxy is a proxy, but not a firewall. It can relay connections,
but it does nothing to improve the security of the box it is installed
on. It solves problem number 1, but not problem number 2.
SyGate/SyShield looks like the only product mentioned that is actually
designed to do what you want, i.e., solve both problem 1 and problem 2. Any number of
commercial firewall products do this, Checkpoint FW-1, Axent Raptor,
NA Gauntlet, etc., but they are really designed to protect larger
networks, and are priced accordingly. SyGate was designed to work in
conjunction with SyShield. SyGate does the NAT and protects *clients*
on the internal network, but SyShield is the required component for
protecting the actual dual-homed server.
You might be able to use some combination of the PC firewall products
and WinProxy to accomplish the same thing. Basically, use the PC
firewall to protect the box you have the proxy on, and use the proxy
to give your LAN access to the Internet.
But, basically, the two machines that are just on your inside network
should be safe to have file and print sharing on as long as your
gateway is secure. Having file and print sharing turned on on the
gateway is probably a risk, but probably an acceptable one, provided
you have some sort of packet filter protecting it from connections
from machines other than the two on the inside network.
There is no issue that I'm aware of, from a security perspective,
where you'd preferentially choose a NAT instead of a proxy or
vice-versa. A proxy allows you, the administrator, more control over
what is or isn't allowed onto your client computers, while a NAT
typically offers easier set up.
To some extent, NATs and proxy servers act as firewalls, but that is
only true for the machines behind the NAT or proxy server. They do not
in any way protect the machine running the NAT/proxy.
With that said, there _are_ products which combine the functions of a
NAT or Proxy (or both!) and a firewall. Sygate, for instance, offers
some sort of firewall protection for the computer running Sygate.
A HOME GROWN SOLUTION:
Install and bind NetBEUI for File and Printer Sharing on both
In Windows 9x Control Panel -> Network:
1. Make sure that both TCP/IP and NetBEUI are installed. (There is
usually no need for IPX/SPX. Unless you are running Novell you can
usually remove it.)
2. If you want local networking, make sure that both Client for
Microsoft Networks, as well as File and Printer Sharing for Microsoft
Networks are installed.
3. Double click on "TCP/IP -> [your network adapter]" and then
Bindings. Make sure that both Client for Microsoft Networks, and File
and Printer Sharing for Microsoft Networks, are UNchecked. (Click No
if you get a dialog box warning you about no bindings.)
4. Double click on "NetBEUI -> [your network adapter]" and then
Bindings. Make sure that both Client for Microsoft Networks, and File
and Printer Sharing for Microsoft Networks, are Checked.
This will ensure that your computer uses TCP/IP only for access to the
Internet, and that all local networking will use only NetBEUI. Since
NetBEUI is not a routable protocol, none of your local traffic will go
out over the Internet, and nobody on the Internet will be able to
access your local network services.
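One way to confirm that step 3 took effect is to look at the output of `netstat -an` on the gateway for NetBIOS/SMB listeners still bound to TCP/IP. The Python check below is an added example, not part of the original post; the sample netstat output is constructed, and the function name and the external address are hypothetical.

```python
NETBIOS_PORTS = {137, 138, 139}   # NetBIOS name, datagram and session services


def netbios_exposed(netstat_text, external_ip):
    """Return (port, local_address) pairs from `netstat -an` output that
    would accept NetBIOS/SMB traffic on the Internet-facing address."""
    findings = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("TCP", "UDP"):
            continue                       # header or blank line
        addr, _, port = parts[1].rpartition(":")
        if not port.isdigit() or int(port) not in NETBIOS_PORTS:
            continue
        if parts[0] == "TCP" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue                       # existing sessions are not new exposure
        if addr in ("0.0.0.0", external_ip):
            findings.append((int(port), addr))
    return findings


# Constructed sample output, in the layout netstat uses on Windows 9x:
# before the rebinding, File and Printer Sharing still listens over TCP/IP.
SAMPLE_BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.168.0.1:139        192.168.0.2:1028       ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

# After the rebinding, only non-NetBIOS sockets remain over TCP/IP.
SAMPLE_AFTER = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    print("before:", netbios_exposed(SAMPLE_BEFORE, "203.0.113.5"))
    print("after: ", netbios_exposed(SAMPLE_AFTER, "203.0.113.5"))
```

A non-empty result means file and printer sharing is still reachable over TCP/IP and the bindings should be rechecked.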
For the typical casual user of the Internet, this is probably
sufficient. More serious users should consider a firewall. This is
because there are other ways that you can be attacked; e.g., a trojan
that gets installed like a virus; denial of service attack; IP