Itatsumaki

asked on
XP Firewall

My network is behind a router (with NAT).  What would be the pros & cons of turning on the built-in firewall in XP Pro?

TIA,
Tats
CrazyOne
Not much. The NAT will probably do more than the XP firewall. But experiment with the XP firewall to see if it logs any probes for a period of a week or two. It is unlikely to see any probes because the NAT will pick them up. Although some network gurus suggest that you run both a hardware and software firewall for extra protection.


The Crazy One
Ditto. I've heard nothing good about it, so if you have no valid reason, then don't do it. MS also sells firewall hardware. But that is not their business, so you know you can't accept them as best when at v1.0. If you want more, try ZoneAlarm. This would be the software topic mentioned by CrazyOne.
NEOsporin
Put up a firewall, XP's blowz, use ZoneAlarm, it has a free version that is better than XP's. The registered version is well worth the $$ (50). You are behind a Router, which Routes packets, packets that will end up on your machine, NAT offers no protection other than IP, sort of. A static NAT will go directly to your PC, I send a probe from my PC, it hits your router and your router has a STATIC NAT to your PC, I am probing your machine, but against the ACLs of your router. That is the only protection you have, the ACLs on the router. If you don't have static NAT, then it's a little bit better, but not much. Get a real firewall, software or hardware. Anything is better than nothing. If you need more info let me know, google is the best! www.google.com/toolbar.html
-NEO
The NAT box will keep hackers on the Internet
from entering your network.

Using a firewall (the XP firewall or ZoneAlarm or
Tiny Personal Firewall or ....) will block any
hackers "within" your network from getting into
*your* computer.

Compare it to a controlled-access hotel, with security at
the street-level entrance, and one security-guard outside
the hallway-door of each hotel-room on each floor.
So, even if a thief gets into the hotel,
the thief still has to get by the guard
standing outside of your personal hotel-room.
I agree with Neo, NAT isn't a reliable way to stop anybody from doing anything to your network. NAT is designed to send packets to your computer. NAT is there to allow a private network to use a public IP, imo the security benefits of NAT are more a side effect than necessarily the reason it's there. A good question is what type of router do you have? More than likely, since you're asking this question at all, you're on a home network with something like a Linksys router. They have built-in firewalling if I'm not mistaken, correct? This should do fine for you, if you're really security paranoid, you can set up another one software-wise on your comp. The only reason to do this though is if you're worried about your perimeter box getting owned. Otherwise it's the same thing because you're going to have the same ports open on both firewalls.

So to end my blabbing, if you don't have a firewall on your router, definitely go with a software one (or if you have an old comp laying around, put a nice flavor of LRP on it, I got it, it's nice), otherwise you will be fine if you have a firewall on your router.

Jim
Otta is incorrect, let me explain. In order for you to get to a web page, your PC with a PRIVATE IP of let's say 10.10.10.10 sends all his packets that need to get anywhere to the gateway of 10.10.10.254, which is an interface on your router. The router says, hey! 10.10.10.10 wants to go to a PUBLIC address of 206.169.61.185, I had better translate his private IP to a public one so he can get there, OHH he has a static NAT, so an IP of 63.1.1.12 (just an example). Anything that 206.169.61.185 port 80 sends to 63.0.0.12 will go to 10.10.10.10. Without static, the problem is less, unless there is a session established, say you visit my webpage 66.35.250.150, I can then bind my security scanner to send info to port 80 of your box, and not be bothered at all by the NAT, I can overflow or just about anything. There are plenty more things that can be done. My point was, Otta was wrong. ACLs on the router are what protect you, or your firewall, which is close to what ACLs do. ACLs on or off, blocking or allowing, firewalls can establish a better set of rules to apply. Sorry for the spam.
-NEO (ccnp)
NEOsporin is wrong.

If a PC with a "private" IP wants to access a "public"
IP-address, the PC obtains a "socket" (just a number
between 1024 and 65535 that is not already being used).
TCP/IP services on that PC:
 * puts that socket-number into the IP-packet,
 * puts its private IP-address into the packet,
 * puts the "destination" IP-address into the packet,
 * puts the "destination-port" (for example '80',
   if the destination is a web-server) into the packet.
Then, it sends the IP-packet.

The NAT ("network address translation") server
records the above four items into a "state-table".
The server then substitutes its own IP-address
and its own socket-number into the packet,
and sends the packet to the destination IP-address.
If an IP-packet is received, and the packet
contains the substituted IP-address *AND*
the substituted socket-number, then the "state-table"
is examined.  (If an *EXACT* match is not found,
as in NEOsporin's example, then the IP-packet is
discarded.)  The "state-table" is used to invert
the substitution, and the received IP-packet is
modified, inserting the "private" IP-address
and the original socket-number, and the translated
IP-packet is sent to the "private" PC that made
the request.

> can then bind my security scanner to send info to port 80 of your box

No! No! No!  If your "public" PC creates an IP-packet
which has a socket-number, say '80', which does *NOT*
match the socket-number that was inserted into the
IP-packet that the NAT-server sent to your "public" PC,
then the packet will be *DISCARDED*, because a "session"
between the NAT-server and your "public" PC is based
on *TWO* pieces of information (the socket-number and
the IP-address), not just the *ONE* piece of information
(the IP-address).

To make an analogy: if a "private" friend of mine
is a card-player, and asks me for a "black jack",
and then, on his behalf, I ask you for a "black jack",
then I expect to get a "black jack" from you.
At approximately the same time, my friend can ask me
for a "red queen", and I will ask you for that card.

If you give me a "black king", I will say "you are wrong",
because I have done the book-keeping to record
which card (or cards) that I have asked you to provide
(namely "black jack" and "red queen").

I will *NOT* pass your "black king" to my friend.
Yes, the card is "black", but it is *NOT* a "jack",
so I will *NOT* "relax" my rules to pass the wrong card
to my friend.

> I can overflow or just about anything.

You are wrong.  The NAT-server will just "discard"
your unsolicited IP-packet.
Frankly, I would just "play around" with it. If you want to learn about it you gotta use it and configure it yourself. (else you'll always be asking for someone else's help and free help is worth what you pay for it.)

If XP's firewall doesn't work for you or causes problems with your current setup, you can just shut it off. No harm done.

Here's a good overview of the XP firewall.

http://www.sans.org/rr/win/XP_firewall.php
Oh one other thing... if you have a Linksys router with the latest firmware, you might want to check to see if you can run ZoneAlarm Pro with it.

If you can, then ZoneAlarm Pro will work with your router to provide "firewall" functionality.

It's a nice option :-)
I give, whatever. This is all over his head (Itatsumaki) most likely. He asked a simple question, and I turned the thread into a Special Olympics 100m race, even if you win... you're still a re**** Do not expect NAT to protect you, as it will not to the degree it has been made to be here. Get yourself a firewall.
I have my CCNP, and I have been hacking for some time, I over-generalized in my example, forgiveness plz. Good Luck to all.
-NEO
> Do not expect NAT to protect you,

I disagree.

> Get yourself a fire wall.

NAT, because it uses "stateful-inspection" _DOES_ function
as a firewall -- *ALL* unsolicited traffic is *NOT* allowed
through the NAT-server into your computer(s).

If you do use the XP firewall, enable its "logging",
and look at the logs, and study them, to understand
what is being blocked.
ASKER CERTIFIED SOLUTION
Ghost_Hacker
If this were true, no one would run a firewall. NAT (especially static NAT) will not protect you. Make your own conclusions, do the homework like it's been suggested. Google is your best bet. If you are unsure as to how your NAT functions, ask someone, or get a firewall. nmap and quite a few other scanners have techniques to trick BOTH firewalls and NAT. This is my final comment. Or use Otta's NAT as it is omniscient, and every NAT engine I used was not.
-NEO
As I stated in my first post

"Although some network gurus suggest that you run both a hardware and software firewall for extra protection."
Otta:

> the PC obtains a "socket" (just a number
> between 1024 and 65535 that is not already being used).

This is wrong, a socket is the port, destination IP, and the name of the transport layer protocol. This is irrelevant though, as you could argue that the information that followed in your argument is close enough to the definition.

Stating this, this argument is irrelevant. Anybody that thinks NAT is the end-all answer to security isn't very bright. NAT in its nature will deliver traffic between your computer and another host somewhere out there. That is what it is designed to do. And with this established, can you honestly argue that this is a good way to secure your network? It's not. At best, it is just another protection, in what should be a layered setup.

Even if NAT was the God-sent answer to network security, which it isn't, since if it was there would be no security forums, it would just say "Set up NAT" on @stake's website. Anyway, getting off on a tangent, even if it was the answer, what happens if your firewall gets owned? Setting up further security on the inside is a great idea, if not required. Especially when you consider that the XP firewall is free and only requires the click of a mouse to get running. The only trade-off is system resources. And most people running XP have plenty of that to burn, or they wouldn't be running XP. If they want to go a more secure route, any of the fine solutions mentioned here would be even better.

Rant ended

Jim
You might find this site helpful in understanding firewalls:

http://www.practicallynetworked.com/sharing/firewall.htm
Itatsumaki

ASKER
Good god, I leave for the weekend and come back to a dozen+ useful answers.  Props to all for the help, much appreciated.  I have no clue how to divvy up the points with this many answers, but you guys are prolly smart enough that you don't care much.  Still, I want to be fair so I'll figure something out and post it here.

Thanks again all,
Tats
The type of router you are using is significant. Some home routers do not offer stateful packet inspection, others do. This is central to the discussion of whether your router is even aware of the session when NATing or not. Otta and Neo seem to be more concerned with one-upmanship than providing useful advice. My thought is, if you are asking the question then you probably do not want the hassle of maintaining a software firewall, consequences be damned.

My advice.
1. Find out what features your router offers. (can you open and close ports, does it offer stateful packet inspection?)
2. Understand how those features work (i.e. play around).
3. Evaluate how much you enjoy the maintenance aspect.  Programs like Zone alarm can be more hassle than they are worth unless you are willing to take the time to learn and maintain them.

One other thing to keep in mind.  When implementing firewalls a good rule of thumb is block everything from the start and then open only the ports you need for your activities.
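The thread argues about three things at once: the NAT "state-table" that Otta walks through (record the four items of an outbound packet, then invert the substitution only on an exact match), the static NAT / port-forward case NEOsporin raises (traffic to the forwarded port reaches the internal host regardless of any session), and the "block everything, then open only what you need" rule of thumb in the post above. The toy model below, added here as an example and not code from anyone in the thread, puts all three side by side. The private PC 10.10.10.10, the public address 63.1.1.12 and the web server 206.169.61.185 are the addresses used earlier in the thread; the internal server 10.10.10.20, the third host 198.51.100.7, the forwarded port 8080 and the `NatBox`/`Packet` names are constructed for the illustration.

```python
# Added example (not from this thread): a toy NAT box with a dynamic
# state-table, one static (port-forward) mapping and a default-deny
# inbound ACL. All names and the non-thread addresses are constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# State-table key: the four items recorded for each outbound packet
# (protocol, substituted public port, remote IP, remote port).
StateKey = Tuple[str, int, str, int]


@dataclass
class NatBox:
    public_ip: str
    # Static NAT / port forwarding: public port -> (private IP, private port).
    static_map: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    # Inbound ACL: public ports deliberately opened; everything else is denied.
    allowed_inbound_ports: Set[int] = field(default_factory=set)
    state: Dict[StateKey, Tuple[str, int]] = field(default_factory=dict)
    next_port: int = 1024  # next free public port to hand out

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet from the private side and record the session."""
        public_port = self.next_port
        self.next_port += 1
        key = (pkt.proto, public_port, pkt.dst_ip, pkt.dst_port)
        self.state[key] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet from the public side; None means it was discarded."""
        if pkt.dst_ip != self.public_ip:
            return None
        # 1. Static mapping: any Internet host reaches the private host on this
        #    port, and only the inbound ACL stands in the way.
        if pkt.dst_port in self.static_map:
            if pkt.dst_port not in self.allowed_inbound_ports:
                return None  # default deny: the port was not opened on purpose
            private_ip, private_port = self.static_map[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port, pkt.proto)
        # 2. Dynamic entry: only an exact match on all four recorded items is
        #    inverted; anything else is unsolicited and dropped.
        entry = self.state.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None
        private_ip, private_port = entry
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port, pkt.proto)


def run_scenario() -> Dict[str, Optional[Packet]]:
    """Replay the thread's cases against the toy box; each value is the
    translated packet delivered inside, or None if the box discarded it."""
    nat = NatBox(public_ip="63.1.1.12",
                 static_map={8080: ("10.10.10.20", 80)},  # constructed forward
                 allowed_inbound_ports={8080})
    web = "206.169.61.185"
    results: Dict[str, Optional[Packet]] = {}
    # The private PC fetches a page; the box rewrites the source to 63.1.1.12:1024.
    request = nat.outbound(Packet("10.10.10.10", 3456, web, 80))
    # Reply from the server's port 80 to the substituted address and port: forwarded.
    results["reply"] = nat.inbound(Packet(web, 80, nat.public_ip, request.src_port))
    # Same server sending to port 80 of the box: no matching entry, discarded.
    results["probe_port_80"] = nat.inbound(Packet(web, 80, nat.public_ip, 80))
    # Right public port but a different source port on the server: not exact, discarded.
    results["probe_wrong_src_port"] = nat.inbound(Packet(web, 4444, nat.public_ip, request.src_port))
    # A third host sending to the same public port: not in the table, discarded.
    results["probe_other_host"] = nat.inbound(Packet("198.51.100.7", 80, nat.public_ip, request.src_port))
    # The statically mapped port is reachable by anyone while the ACL allows it.
    results["static_forward"] = nat.inbound(Packet("198.51.100.7", 5555, nat.public_ip, 8080))
    # Closing the port in the ACL blocks it again even though the mapping remains.
    nat.allowed_inbound_ports.discard(8080)
    results["static_after_acl"] = nat.inbound(Packet("198.51.100.7", 5555, nat.public_ip, 8080))
    return results


if __name__ == "__main__":
    for name, delivered in run_scenario().items():
        print(f"{name:22s} -> {'delivered ' + str(delivered) if delivered else 'discarded'}")
```

The model deliberately keys the dynamic lookup on all four recorded items, which is the strict behaviour Otta describes; real NAT implementations differ (a full-cone NAT inverts on the public port alone, and the toy ignores TCP flags and entry timeouts), which is why the later question about whether a given home router does stateful inspection matters. The static-map branch is the part a defender should look at: once a port is forwarded, the inbound ACL is the only control left, so the default-deny set above is the code form of "block everything from the start and open only the ports you need".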
> Some home routers do not offer stateful packet inspection

Please name one.  Thanks.