If you switch off NAT for cable internet router does it compromise security of router

[U]ber|Noob (Limp Gawd; joined Apr 4, 2013; 427 messages)
My question is: if you switched off the NAT feature of a cable internet modem, would it compromise the security of the router, where the router could be hacked, irrespective of whether you have a good computer firewall or not?
 
Technically pure NAT is not in any way a firewall. Typically NAT and firewall go hand in hand on consumer networking gear though.

If you are still using a firewall then no, turning off NAT won't put you at more of a risk.

Are you talking about a router behind a modem or a modem/router all-in-one?
 
A modem router all in one. When you turn off NAT the firewall option goes away so I assume it also turns off the firewall.
 
Generally speaking, turning off a NAT option or configuration would put you at less risk.
 
[U]ber|Noob;1040339618 said:
So the modem couldn't be hacked for example while the computer isn't on?

No, disabling NAT on a gateway modem will essentially make it a standard, bridging modem. No part of your modem will be globally reachable, and you'll be no more vulnerable than with a standard one.
 
Thanks, that's what I wanted to know.

So it can only receive commands from a computer connected via ethernet, not from the internet?
 
[U]ber|Noob;1040339724 said:
Thanks, that's what I wanted to know.

So it can only receive commands from a computer connected via ethernet, not from the internet?

Yes, and your ISP.
 
I'm reading the original question and comments and I think some core concepts here aren't being understood.

In a typical home or small business with internet delivered via cable modem, the ISP hands you a network connection, normally Ethernet, and allocates you between one and five public IP addresses via that connection.

Those public IPs are reachable from the rest of the Internet, and in turn allow you to reach the rest of the Internet. You could plug your PC into that connection and reach the Internet just fine. The problem is the entire Internet can also reach your PC, without restriction. This is a bad thing: there are security holes in your operating system that would-be attackers could exploit to turn your PC into a spam-sending machine or steal your personal info or whatever...

So instead, attached to that connection, you place your cable modem router. First, understand that the cable modem router is NOT a router in the traditional sense; it is a firewall. We'll just call it a gateway from now on. This is important, read on...

So now you have the WAN (or Internet) port on your gateway plugged into that cable modem, and you have your PC attached to the LAN (or wireless, same difference) side of the gateway.

Your gateway will assign your PC a private IP address, usually something like 192.168.1.XXX. This 192.168.1.XXX network exists only in your home/business. And in fact, everyone else who has a gateway like yours has that same 192.168.1.xxx network at home. Private IP addresses aren't reachable on the Internet.

So how does the rest of the Internet know to talk to you, when hundreds or thousands of other people all have the same 192.168.1.xxx IP address?

The gateway is acting as a firewall, which blocks any incoming traffic that you haven't specifically requested. It's also doing NAT. NAT examines all the network traffic going through the gateway and modifies the network address, mapping that one public IP address from your ISP to all the various IP addresses within your network.

So, now if we disable NAT, that private IP address space has no way to communicate with the Internet; you'll cut yourself off from the rest of the world.
 
^ It's still a router... It's routing between two subnets, that's the definition of a router.
 
It's still a router... It's routing between two subnets, that's the definition of a router.

This is about the only piece of information in this thread that is actually correct. The rest is misinformation or too vague to be accurate.

If you're talking about a pure router with no firewalling capabilities, then NAT is by far more secure, since a source heading inward has no direct access to an internal device unless they craft specific packets to trick the router into passing them through. Has this ever been a method used by a hacker for hacking an internal network? No. They have easier methods for getting inside. Hackers don't look for a back door or some kind of Matrix-like SSHv1 exploit. They walk right in the webapp's front door that you poorly secured because you spent so much time fine-tuning advanced firewalling options or patching your systems.

If the router does have firewalling capabilities then neither method is more inherently secure if NAT is turned off assuming you have a default deny rule on traffic heading inward from internet to internal network. It wouldn't matter if someone knew the public IP of a specific device (assuming you had enough external routable IPs to assign to your internal network) because the default deny rule would block them in their tracks.

Note: I'm making an assumption that your system isn't infected with malware that periodically checks in and provides data to a C&C. In that case, neither method will protect you. Keep in mind once IPv6 goes fully mainstream the general public will have the ability to publicly IP every device they have and no longer have a need for NAT.
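
The two longer posts above describe the same gateway from different angles: one post explains NAT as the mapping of one public IP to the private addresses inside, and this post argues that with a default-deny rule on inbound traffic it makes no difference whether NAT is on, while pure NAT only keeps unsolicited packets out because it has no mapping for them. The following simulation is an added example, not code from anyone in this thread; it models a toy gateway with two independent switches (NAT and a stateful default-deny rule) and runs the same three inbound packets through every combination. All addresses are constructed from the RFC 5737 documentation ranges, the NAT mapping is deliberately the simplest endpoint-independent kind, and there are no timeouts or TCP flags; real gateways differ in those details, which is exactly why the "crafted packet" case is shown rather than assumed away.

```python
"""Toy gateway: NAT and a stateful default-deny rule as two separate switches."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed addresses (RFC 5737 documentation ranges); nothing here is real.
PUBLIC_IP = "203.0.113.10"     # the one address the ISP hands the gateway
WEB_SERVER = "198.51.100.80"   # a site the PC visits
UNSOLICITED = "192.0.2.66"     # an Internet host the PC never talked to


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Gateway:
    """Gateway whose NAT and firewall functions can be switched independently."""

    def __init__(self, nat: bool, stateful_firewall: bool) -> None:
        self.nat = nat
        self.fw = stateful_firewall
        self.nat_table: Dict[int, Tuple[str, int]] = {}  # public port -> (inside ip, port)
        self.state: set = set()  # flows an inside host started: (in_ip, in_port, out_ip, out_port)
        self._next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: record the flow, and rewrite the source if NAT is on."""
        self.state.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        if not self.nat:
            return pkt  # inside host must already hold a routable address
        for pub_port, inside in self.nat_table.items():
            if inside == (pkt.src_ip, pkt.src_port):
                break
        else:
            pub_port = self._next_port
            self._next_port += 1
            self.nat_table[pub_port] = (pkt.src_ip, pkt.src_port)
        return Packet(PUBLIC_IP, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Tuple[Optional[Packet], str]:
        """WAN -> LAN: returns (delivered packet or None, reason)."""
        if self.nat:
            # Pure NAT drops what it cannot map: there is no inside address to send it to.
            inside = self.nat_table.get(pkt.dst_port) if pkt.dst_ip == PUBLIC_IP else None
            if inside is None:
                return None, "dropped: no NAT mapping"
            pkt = Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])
        if self.fw:
            # Stateful default deny: only traffic answering a flow an inside host started.
            if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) not in self.state:
                return None, "dropped: default deny"
        return pkt, "delivered"


def scenario(nat: bool, stateful_firewall: bool) -> Dict[str, str]:
    """Send one request out, then try three inbound packets; return the reason for each."""
    gw = Gateway(nat, stateful_firewall)
    # With NAT the PC has a private address; without NAT it needs a routable one
    # (the "enough external routable IPs" assumption made in the thread).
    pc_ip = "192.168.1.50" if nat else "203.0.113.11"
    out = gw.outbound(Packet(pc_ip, 51000, WEB_SERVER, 443))
    # 1. The web server's reply, addressed to whatever source the gateway presented.
    reply = gw.inbound(Packet(WEB_SERVER, 443, out.src_ip, out.src_port))
    # 2. An unsolicited connection attempt to port 22 on the PC's reachable address.
    unsolicited = gw.inbound(Packet(UNSOLICITED, 33333, out.src_ip, 22))
    # 3. A packet aimed at the port the gateway mapped for the PC's flow, but from a
    #    host the PC never talked to: the "crafted packets" case from the post above.
    crafted = gw.inbound(Packet(UNSOLICITED, 33333, out.src_ip, out.src_port))
    return {"reply": reply[1], "unsolicited": unsolicited[1], "crafted": crafted[1]}


if __name__ == "__main__":
    for nat, fw in [(True, False), (True, True), (False, True), (False, False)]:
        print(f"NAT={'on ' if nat else 'off'} firewall={'on ' if fw else 'off'}: {scenario(nat, fw)}")
```

Running it shows the reply delivered in all four configurations, the unsolicited port-22 packet blocked whenever either NAT or the default-deny rule is on, and the packet aimed at the mapped port getting through pure NAT but not the stateful rule; with both switches off, everything is delivered, which is the situation the OP's "NAT off, no firewall option" setting amounts to if nothing else filters.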
 
Problem is, with NAT off, many options disappear, including the firewall option. So I make sure the computer has a good firewall instead, but I just wondered: does that mean the router would be hackable by itself in any way from the internet?
 
It overloads the modem and it goes extremely slow especially if you do more than one thing at once or two computers.
 
Assume that any internet-connected device can be hacked if someone is smart enough/motivated enough. In your case, the gateway gizmo is probably assuming that if you want NAT off, you want it in bridge mode so you can use a different firewall/router device. Bridge mode means the device is actually close to a real modem, becoming just a translation device. Your firewall device/computer will have to handle the login and such to your ISP. I run my DSL modem in bridge mode, letting my firewall gizmo handle the PPPoE login. Doing that avoids another layer of NAT and lets me use a real firewall/router rather than the very limited one included in the modem.
 
[U]ber|Noob;1040341293 said:
It overloads the modem and it goes extremely slow especially if you do more than one thing at once or two computers.

Get a better modem/router. Disabling NAT won't help there.
 
My replies were based on the assumption the OP wishes to put the device in bridge mode, hence the terminology I used. I suppose I should have asked if he has a static subnet and simply doesn't want the device to perform NAT functions.
 