Machines on a private network connected to the Internet through a machine running NAT32 are quite secure by default, as long as the following conditions are met:
Earlier versions of NAT32 supported a "single adapter" option, allowing the private machines and the ISP's network (cable modem or similar) to be reached via a single adapter. This option was quite useful in cases where resources were limited, but it did increase security risks, because all the private machines were visible to all machines on the cable modem (or similar) network. The "single adapter" option is no longer supported by NAT32.
Condition 2 is important because the only way for a packet from the Internet to reach a private machine is through NAT32's port mapping mechanism. If you choose to add permanent port mappings, it is your responsibility to ensure that the applications which receive such traffic are trusted and securely configured.
HOW TO protect your NAT32 machine from hackers:
Requirement 2 can be satisfied as follows:
C:\WINNT>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         127.0.0.1:1028         ESTABLISHED
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    172.16.2.2:137         0.0.0.0:0              LISTENING
  TCP    172.16.2.2:138         0.0.0.0:0              LISTENING
  TCP    172.16.2.2:139         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:135            *:*
  UDP    172.16.2.2:137         *:*
  UDP    172.16.2.2:138         *:*

C:\WINNT>
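Reading a netstat listing by eye is error-prone once a machine runs more than a handful of services, so here is an added example (not part of the NAT32 documentation or the NAT32 software) that parses the listing above and groups every socket that accepts unsolicited packets by where it is reachable from. The SAMPLE_NETSTAT text is the listing reproduced as test input; the assumption that 172.16.2.2 is the address of the private-side adapter is mine, taken from the listing rather than stated by the page. Sockets bound to 0.0.0.0 are the ones to look at first, because they are reachable on every adapter, including the one facing the ISP.

```python
import re
from dataclasses import dataclass

# Constructed test input: the "netstat -an" listing shown above, as plain text.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         127.0.0.1:1028         ESTABLISHED
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    172.16.2.2:137         0.0.0.0:0              LISTENING
  TCP    172.16.2.2:138         0.0.0.0:0              LISTENING
  TCP    172.16.2.2:139         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:135            *:*
  UDP    172.16.2.2:137         *:*
  UDP    172.16.2.2:138         *:*
"""


@dataclass(frozen=True)
class Socket:
    proto: str   # "TCP" or "UDP"
    addr: str    # local address the socket is bound to
    port: int
    state: str   # TCP state column; empty for UDP rows, which have none


# One data row: proto, local addr:port, foreign addr:port, optional state.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Parse the rows of a Windows 'netstat -an' listing; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, addr, port, state = m.groups()
            rows.append(Socket(proto, addr, int(port), state or ""))
    return rows


def scope_report(sockets, private_addrs):
    """Group sockets that accept unsolicited packets by where they are reachable from.

    TCP sockets count only in LISTENING state; every UDP socket counts, because UDP
    has no listen state. 0.0.0.0 means bound on every adapter, including the one
    facing the ISP. private_addrs is the (assumed) set of private-side addresses.
    """
    report = {"all_interfaces": set(), "loopback": set(), "private": set(), "other": set()}
    for s in sockets:
        if s.proto == "TCP" and s.state != "LISTENING":
            continue  # an established connection is not a service waiting for clients
        if s.addr == "0.0.0.0":
            scope = "all_interfaces"
        elif s.addr.startswith("127."):
            scope = "loopback"
        elif s.addr in private_addrs:
            scope = "private"
        else:
            scope = "other"
        report[scope].add((s.proto, s.port))   # set() also collapses duplicate rows
    return {scope: sorted(entries) for scope, entries in report.items()}


if __name__ == "__main__":
    report = scope_report(parse_netstat(SAMPLE_NETSTAT), private_addrs={"172.16.2.2"})
    for scope, entries in report.items():
        print(f"{scope:15s} {entries}")
```

On the sample listing the report puts TCP 135, TCP 1027 and UDP 135 under all_interfaces, the NetBIOS ports 137 to 139 under private, and 1025/1026 under loopback. Run against the live output of netstat -an (redirected to a file) on the NAT32 machine, the all_interfaces group is the list to work through: each entry is a service that must either be bound to the private-side address, stopped, or be one you deliberately accept traffic for.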
Requirement 3 requires constant vigilance, regular reading of security bulletins, and the installation of service packs from your OS vendor as they become available. All applications with published security weaknesses should be updated, as these very quickly become prime targets for hackers. Remember: there is no such thing as an "Install and Forget" firewall; keeping a network secure requires much time and effort.
IMPORTANT
You must warn your users about the risks involved in executing code from untrusted sources, including EXE files, WORD documents and VBS scripts sent to you by email or downloaded from the Internet. No firewall can protect you against viruses and trojans which a user has voluntarily transferred to his/her machine.
Limitations of Firewalls
Be cautious with "personal firewalls", as most of them have severe limitations and may well give you a false sense of security. Some of those limitations are:
Limitation 2 is due to the fact that most users simply do not have the knowledge and the time needed to keep a firewall secure. Again, security is really a service you should purchase from your ISP, but very few ISPs to date advertise the security levels of their service.
Limitation 3 means that you must inform yourself of the known security holes in all software you are using. Your ISP can't help you with this one; it is up to you to learn of these problems and install the appropriate fixes.
Finally, remember that the hackers know of these limitations too, and so they concentrate their attacks in those areas.
Choice of Firewall
Any firewall which blocks traffic at the NDIS layer may be incompatible with NAT32.
The Windows Firewall works with NAT32, but note that it does not block unwanted outgoing traffic, thus leaving you susceptible to malware that sends personal information out to the Internet.
The free Zone Labs product works with NAT32 when used in its "medium security" mode; the full version works in all modes.
The BlackIce Defender firewall also works with NAT32, but as no evaluation version is available, I can't comment on its functionality. It seems to intercept only Winsock traffic, and therefore does not see NAT32's traffic (which is sent and received via the WinPkFilter driver).
NAT32 Stealth Mode
Whenever an external computer tries to contact your machine at some port number, the Host Requirements RFC states that an ICMP Destination Unreachable (Port Unreachable) packet should be sent back to that computer if no application is listening on the requested port. Unfortunately, hackers use port-scanning software to contact your machine and determine exactly which ports respond and which do not; they use the ICMP response to move quickly from one port to the next. If no such response is sent, their port scanners must wait for a timeout on each port tested, which considerably lengthens the time a complete scan takes.
NAT32 therefore has a command which turns the transmission of such ICMP responses on or off:
stealth [on|off]
The default is off, but this setting will usually be overridden in the file startup.
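Stealth mode slows a scan down, but the probes still arrive at the NAT32 machine, and a log of inbound packets is the place to spot them. As an added example (not part of the NAT32 documentation or software), the following detector reads constructed packet-log lines of the form "<ISO timestamp> <source ip> <destination ip> <proto> <destination port>" and flags any source that touches at least min_ports distinct destination ports within one sliding window. The log format, the addresses (from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and the thresholds are assumptions of this example; NAT32's own logging output is not described on this page.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not NAT32 output), one inbound packet per line:
# "<ISO timestamp> <source ip> <destination ip> <proto> <destination port>".
SAMPLE_LOG = "\n".join(
    # 12 probes from one source against consecutive ports within three seconds
    [f"2001-01-01T10:00:0{i // 4} 203.0.113.9 198.51.100.2 TCP {130 + i}" for i in range(12)]
    # an ordinary client that repeatedly talks to port 80: many packets, one port
    + [f"2001-01-01T10:00:{s:02d} 203.0.113.20 198.51.100.2 TCP 80" for s in range(0, 40, 2)]
    # a slow source touching six ports a minute apart: never enough inside one window
    + [f"2001-01-01T10:{m:02d}:00 203.0.113.33 198.51.100.2 UDP {1000 + m}" for m in range(6)]
)


def parse_line(line):
    """Split one log line into (timestamp, src, dst, proto, port)."""
    ts, src, dst, proto, port = line.split()
    return datetime.fromisoformat(ts), src, dst, proto, int(port)


def detect_scans(log_text, window=timedelta(seconds=10), min_ports=10):
    """Return {source_ip: timestamp_of_detection} for every source that contacted
    at least min_ports distinct (proto, port) pairs within any window-sized span."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])          # tolerate out-of-order lines
    recent = defaultdict(deque)                  # src -> (ts, (proto, port)) inside the window
    flagged = {}
    for ts, src, _dst, proto, port in events:
        q = recent[src]
        q.append((ts, (proto, port)))
        while q and ts - q[0][0] > window:       # drop events that fell out of the window
            q.popleft()
        distinct_ports = {target for _, target in q}
        if len(distinct_ports) >= min_ports and src not in flagged:
            flagged[src] = ts                    # record the moment the threshold was crossed
    return flagged


if __name__ == "__main__":
    for src, when in detect_scans(SAMPLE_LOG).items():
        print(f"probable port scan from {src}, threshold reached at {when.isoformat()}")
```

Only 203.0.113.9 is reported, at 10:00:02, when its tenth distinct port is hit; the busy web client and the slow source both stay below the threshold. Because the detector keys on distinct ports per source rather than on packet count, it is not fooled by a chatty but legitimate client, and because it looks at the probes themselves rather than at the ICMP replies, it works the same whether stealth is on or off.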