SAN MATEO (03/27/2000) - My company has around 20 Windows 95 PCs running on a peer-to-peer, unswitched Ethernet network. We have two of these PCs, also running Microsoft Corp. Windows 95, set aside to act as full-time file-and-print servers. This system is not secured in any way. We do not use passwords for any shared volumes or devices. I felt fine with this setup until recently when my company decided to install a DSL modem through a local provider. I insisted on a firewall on our site, but was told by the local carrier that their use of NAT [network address translation] would be all the protection we needed. The decision-makers in my company have put their trust in the provider and installed the DSL system. I can see NAT as a fine addition to a security system, but is it one by itself? Also, won't other customers on the same gateway but behind the NAT be able to have full access to our systems?
Lori: You have good reason to be nervous about security risks in your situation. By installing DSL into your organization, you are introducing some vulnerabilities because you are always connected to the Internet and exposed to potential hackers. NAT is a good first line of defense in providing security on your company's network, but the question remains: Is this enough? NAT does provide some security by hiding your internal IP addresses from the outside, but it does not stop hackers from trying to break through. Because you are a small company with only 20 machines, this line of security may be all you need.
However, you need to ask yourself what would happen if your company data were lost or damaged. What would be the cost of setting things right?
If the decision-makers in your organization are not ready to invest in a firewall solution, there are alternatives for protection. You could install network security software such as Network ICE's BlackICE Defender 2.0 (www.networkice.com), a $40 package. BlackICE and others monitor Internet traffic coming and going from your computer and will alert you if there is an attempted intrusion. This would at least give you an indication of the level of security you may require. Another option is a software firewall, such as Computer Associates' SessionWall-3 (www.cai.com), which costs less than $2,000.
Will other customers on the same gateway behind the NAT have access to your systems? That will depend on how your DSL provider has implemented NAT. You should check with them for specifics. But to start you on the right track, I recommend that you at least establish password protection on your clients.
Brooks: Once you enter the world of DSL and always-on, high-speed Internet connections, you definitely need to be more serious about security. Although a real firewall is a more flexible and more secure approach, NAT may be enough for you, depending on how it's configured.
First, NAT in itself doesn't really do much for you. The important thing is that your internal computers be on an unroutable network -- usually 10.x.x.x or 192.168.x.x. The idea here is that people can't send packets directly to your computers.
I'm confused where your NAT is. Typically, NAT lives on a firewall or router right at your upstream connection. In this configuration, your office would have one external IP address, and all traffic to and from the inside would go through various ports on that one IP address. If the NAT action is going on upstream, for instance, to your service provider, I would definitely be concerned. Although the ISP could have things configured to protect you from their other customers, you're at their mercy, and you may well have security problems that come and go over time.
I would strongly recommend that you manage the NAT yourself, and I agree with Lori that there are some low-priced solutions that will be more secure and more solid than a questionably implemented NAT. In addition to the solutions she listed, you might look at a small piece of dedicated hardware, such as those from SonicWall (www.sonicwall.com).
Finally, we recommend you read InfoWorld's security column, Security Watch, for tips on recognizing vulnerabilities and putting an end to them. You'll find this week's column on page 49.
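The following is an added illustration, not code from the column or from either columnist: a small Python model of a NAT gateway that makes Brooks's two points concrete. An unsolicited inbound packet is dropped only because the translation table has no entry for it, which is the whole of the protection NAT gives by itself; and two hosts that sit inside the same private network behind the NAT (several customers behind a provider-run NAT, for instance) talk to each other without the NAT ever seeing the traffic. The addresses and port numbers are constructed sample values, and the NAT's behaviour is a deliberately simplified model of a port-overloading NAT.

```python
"""Added example (not from the InfoWorld column): a toy port-overloading NAT.

Constructed sample values are used throughout: 198.51.100.1 stands in for the
office's single public address, 203.0.113.5 for a web server on the Internet,
and 192.168.1.x for the private network behind the NAT.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# RFC 1918 private ranges: packets to these addresses are not routed on the
# public Internet, which is why an outsider cannot address them directly.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """One public address shared by every host on the inside network."""

    def __init__(self, public_ip: str, inside_net: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.inside_net = ipaddress.ip_network(inside_net)
        self.next_port = first_port
        # external port -> (inside ip, inside port), and the reverse map
        self.table: Dict[int, Tuple[str, int]] = {}
        self.reverse: Dict[Tuple[str, int], int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside->outside packet to use the public address,
        creating a translation entry the first time a flow is seen."""
        key = (pkt.src, pkt.sport)
        if key not in self.reverse:
            port = self.next_port
            self.next_port += 1
            self.reverse[key] = port
            self.table[port] = key
        return Packet(self.public_ip, self.reverse[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an outside->inside packet back to the inside host, or
        return None (drop) when no translation entry exists. The drop is a
        side effect of having no state, not a policy decision."""
        if pkt.dst != self.public_ip:
            return None
        mapping = self.table.get(pkt.dport)
        if mapping is None:
            return None
        inside_ip, inside_port = mapping
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port)

    def bypasses_nat(self, a: str, b: str) -> bool:
        """True when both hosts are on the inside network: traffic between
        them is switched locally and never passes through the gateway, so
        the NAT applies no translation and no check at all."""
        return (ipaddress.ip_address(a) in self.inside_net
                and ipaddress.ip_address(b) in self.inside_net)


def demo() -> dict:
    """Run the three scenarios and return the results for inspection."""
    nat = NatGateway("198.51.100.1", "192.168.1.0/24")
    # 1. An office PC browses to a web server; the reply comes back in.
    out = nat.outbound(Packet("192.168.1.10", 1025, "203.0.113.5", 80))
    reply = nat.inbound(Packet("203.0.113.5", 80, out.src, out.sport))
    # 2. An outsider probes the public address on the NetBIOS session port
    #    (139) without any prior outbound flow: no entry, so it is dropped.
    probe = nat.inbound(Packet("203.0.113.5", 4444, "198.51.100.1", 139))
    # 3. Another customer on the same provider NAT shares the private net.
    neighbour = nat.bypasses_nat("192.168.1.77", "192.168.1.10")
    return {"translated": out, "reply": reply, "probe": probe,
            "neighbour_bypasses_nat": neighbour}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Scenario 3 is the one that answers the reader's last question: if the NAT is run by the provider and several customers share one private network behind it, the NAT contributes nothing to traffic between those customers, which is why Brooks recommends running the NAT (or a firewall) on your own premises.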
Brooks Talley is senior business and technology architect for InfoWorld.com.
Lori Mitchell is a senior analyst in the Test Center. Send your questions for them to firstname.lastname@example.org.