What is a NAT Firewall, Router, or Gateway?
“Network Address Translation” (NAT) is used to “map” the private, non-routable IP addresses of individual computers on a local network to a single public-facing IP address (the “NAT’s address”) on the Internet.
- Many providers use this to remap their end-consumer IP addresses to the Internet.
- Many small networks (small office and home networks) use NAT to remap their home or office machines through a cable modem or firewall to the Internet.
A NAT firewall, router or gateway is a piece of equipment or software that acts as the bridge between a local network and the Internet.
- It makes all of the connections appear to be from the NAT address, not the local address of the LAN computer.
IMPORTANT NOTE: If you are running your own wireless router/firewall, it is often possible for “unwanted guests” to sneak onto your network (either accidentally or deliberately) and emit malicious or unwanted traffic through your Internet connection – as well as have full access to your private network! It is critical that you take steps to protect your wireless connection.
What’s significant about NATs?
Most modern malware and spam-sending exploits have their own built-in SMTP clients, and will attempt to send directly out from the infected machine.
- They DO NOT go through the infected network’s mail server, and DO NOT leave mail server logs of any kind. This means that the virus will establish an SMTP port 25 connection directly to the recipient mail server.
- Anti-spam and anti-malware scanners on your mail servers will not find these infections, because the spam is not going through the mail servers.
Since all malware and spam-sending exploits forge headers, the only information we know is the originating IP address – which is the NAT, not the infected machine. Unfortunately, we can only see what’s coming from the NAT (public) IP; anything inside your network is visible only to you. You can start logging at the router or firewall to see what’s trying to use port 25 and that should lead you right to the compromised device(s).
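One way to act on the logging advice above, as an added example that is not part of the original page: the script reads firewall log lines for new outbound connections and lists the LAN hosts, other than the mail server, that try to reach port 25. The Linux netfilter log format, the `FWD-NEW:` prefix, the LAN range and the mail server address are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions, not from the page: the LAN range, the one authorised mail
# server, and a firewall rule that logs forwarded TCP SYNs with this prefix.
LAN = ip_network("192.168.1.0/24")
MAIL_SERVERS = {ip_address("192.168.1.10")}
PREFIX = "FWD-NEW:"

# Constructed sample lines in Linux netfilter LOG format (documentation IPs).
SAMPLE_LOG = """\
Mar  3 02:14:07 gw kernel: FWD-NEW: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.25 PROTO=TCP SPT=40112 DPT=25 SYN URGP=0
Mar  3 02:14:09 gw kernel: FWD-NEW: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.7 PROTO=TCP SPT=51001 DPT=25 SYN URGP=0
Mar  3 02:14:09 gw kernel: FWD-NEW: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.88 PROTO=TCP SPT=51002 DPT=25 SYN URGP=0
Mar  3 02:14:10 gw kernel: FWD-NEW: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.140 PROTO=TCP SPT=51003 DPT=25 SYN URGP=0
Mar  3 02:14:12 gw kernel: FWD-NEW: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP SPT=44310 DPT=443 SYN URGP=0
Mar  3 02:14:15 gw kernel: FWD-NEW: IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=203.0.113.9 PROTO=TCP SPT=39870 DPT=25 SYN URGP=0
Mar  3 02:14:16 gw kernel: FWD-NEW: IN=eth1 OUT=eth0 SRC=192.168.1 PROTO=TCP DPT=25 SYN URGP=0
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def smtp_sources(log_text, lan=LAN, allowed=MAIL_SERVERS):
    """Map each unauthorised LAN host to the set of outside servers it
    tried to reach on TCP port 25."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if PREFIX not in line or " SYN " not in line:
            continue
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue
        try:
            src, dst = ip_address(f["SRC"]), ip_address(f["DST"])
        except (KeyError, ValueError):
            continue  # truncated or malformed log line
        if src in lan and dst not in lan and src not in allowed:
            hits[str(src)].add(str(dst))
    return dict(hits)

def report(hits):
    """Hosts ordered by how many distinct mail servers they contacted."""
    return sorted(hits.items(), key=lambda kv: len(kv[1]), reverse=True)

if __name__ == "__main__":
    for host, dsts in report(smtp_sources(SAMPLE_LOG)):
        print(f"{host}: port 25 to {len(dsts)} server(s): {sorted(dsts)}")
```

A workstation that opens port 25 connections to many different outside servers is the device to isolate and inspect first.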