It is becoming increasingly common to see VPN providers offering NAT firewall services, usually as an optional extra. But what does this mean, and why should you want it? The more tech-savvy out there may be even more confused, since every home and office router already includes basic NAT filtering, so why would you need an additional service?
What is a Firewall?
So let’s start with the basics. A firewall is a ‘thing’ that sits between a secure Local Area Network (LAN) such as a home WiFi setup, and a less secure area such as the internet. Its purpose is to control communications between the two, by analyzing the data packets and determining what to do with them. Firewalls are therefore very useful for stopping hackers who use various techniques to insert malicious packets onto computers.
A firewall can be either a piece of software (often called a ‘personal firewall’) or a hardware network device. Most modern Operating Systems, such as Windows (Vista onwards) and OSX have at least a basic personal firewall built-in.
What is NAT?
Network Address Translation (NAT) is the process of modifying the IP information in IP packet headers so that the packets can be routed to the required destination. It is used in home routers (such as the typical WiFi router) to allow a number of devices (such as desktop computers, laptops, games consoles, mobile phones, and internet-enabled televisions), each with their own network address, to connect to the internet using the one external IP you are assigned by your ISP.
Devices connected to LAN <-> NAT router <-> ISP <-> internet
Because incoming IP packets that match no entry in the router’s NAT translation table are discarded, the NAT process acts as a simple but effective firewall: incoming traffic is blocked unless it is a response to previously sent outgoing traffic, i.e. unsolicited traffic is blocked.
VPNs and NAT Firewalls
What all this means is that normally, when you are connected to the internet through a router, you are protected by a hardware firewall that provides a good first line of defense against would-be hackers. The problem with using a personal VPN service, however, is that the encrypted VPN tunnel between your PC and the VPN server also passes straight through the NAT firewall (which sees only the tunnel itself, and cannot inspect the packet headers inside it, as they are encrypted). This means that you lose the protection afforded by the NAT firewall, and malicious IP packets can enter your system from your public, visible IP address.
Device connected to LAN <=> Home router NAT firewall <-> ISP <=> VPN server <-> Internet
(all connections shown with <=> are inside an encrypted VPN tunnel).
VPN providers who offer a NAT firewall service place a NAT firewall between the VPN server and the internet so that all internet traffic is filtered through the NAT firewall.
Device connected to LAN <=> Home router NAT firewall <-> ISP <=> VPN server <-> NAT firewall <-> Internet
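The following is an added illustration, not code from the article or from any VPN provider: a toy model of the connection-tracking behaviour described above (inbound packets pass only if they answer a flow an inside host opened) and of the two diagrams. It models the home router and the provider-side NAT firewall with the same class, wraps inner packets in a tunnel flow, and shows why the home router passes whatever arrives inside the tunnel while a provider-side NAT firewall drops unsolicited packets before they reach the VPN server. Every address, port and packet is constructed, and the assumption that a client without a provider NAT firewall is reachable directly on its public VPN address is part of the model, not a statement about any particular service.

```python
"""Toy model of stateful NAT filtering and a VPN tunnel passing through it.
Added illustration, not code from the article; all addresses and ports
below are constructed for the walkthrough."""
from dataclasses import dataclass
from typing import Optional

CLIENT_LAN_IP = "192.168.1.10"       # the PC on the home LAN
HOME_PUBLIC_IP = "198.51.100.7"      # address the ISP assigned to the home router
VPN_SERVER_IP = "203.0.113.5"        # VPN server the client tunnels to
VPN_TUNNEL_PORT = 1194               # outer UDP port of the tunnel (constructed)
VPN_PUBLIC_IP = "203.0.113.40"       # the client's public, visible IP on the VPN side
CLIENT_VPN_PRIVATE_IP = "10.8.0.2"   # address the client gets behind a provider NAT
WEB_SERVER_IP = "198.51.100.200"     # a website the client visits
SCANNER_IP = "192.0.2.9"             # an internet host sending unsolicited traffic


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatFirewall:
    """NAT with connection tracking: outbound packets are rewritten to the
    public IP plus a fresh port and remembered; inbound packets pass only
    when they match a remembered flow, so unsolicited traffic is dropped."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map: dict = {}  # inside 5-tuple -> public port
        self.in_map: dict = {}   # (public port, remote ip, remote port, proto) -> inside (ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        port = self.out_map.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.in_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if inside is None:
            return None  # no matching flow: unsolicited, discarded
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1], pkt.proto)


def reaches_client(pkt: Packet, home: NatFirewall, tunnel_outer: Packet,
                   provider: Optional[NatFirewall]) -> bool:
    """Trace one packet from the internet towards the client."""
    # Provider side: a NAT firewall there only passes replies to flows the client opened
    if provider is not None:
        if provider.inbound(pkt) is None:
            return False
    # The VPN server encrypts whatever arrived and sends it down the tunnel.
    # The home router sees only this outer header, which matches the tunnel
    # flow it recorded, so it forwards the packet without seeing the inner one.
    outer = Packet(VPN_SERVER_IP, VPN_TUNNEL_PORT, tunnel_outer.src_ip, tunnel_outer.src_port, "udp")
    return home.inbound(outer) is not None


def run_scenario(provider_nat: bool) -> dict:
    """Which inbound packets reach the client, with or without a provider NAT firewall."""
    home = NatFirewall(HOME_PUBLIC_IP)
    provider = NatFirewall(VPN_PUBLIC_IP) if provider_nat else None

    # 1. The client brings up the tunnel; the home router records exactly one flow.
    tunnel_outer = home.outbound(Packet(CLIENT_LAN_IP, 51820, VPN_SERVER_IP, VPN_TUNNEL_PORT, "udp"))

    # 2. Plain NAT behaviour: an unsolicited packet aimed at the home router is dropped.
    direct_unsolicited = home.inbound(Packet(SCANNER_IP, 4444, HOME_PUBLIC_IP, 22)) is not None

    # 3. Inside the tunnel the client visits a website. Behind a provider NAT the
    #    client has a private address and the NAT records the outgoing flow.
    client_ip = CLIENT_VPN_PRIVATE_IP if provider_nat else VPN_PUBLIC_IP
    web_request = Packet(client_ip, 50000, WEB_SERVER_IP, 443)
    if provider is not None:
        web_request = provider.outbound(web_request)
    web_reply = Packet(WEB_SERVER_IP, 443, web_request.src_ip, web_request.src_port)

    # 4. An unsolicited packet from the internet aimed at the client's public VPN address.
    unsolicited = Packet(SCANNER_IP, 4444, VPN_PUBLIC_IP, 22)

    return {
        "direct_unsolicited": direct_unsolicited,
        "web_reply": reaches_client(web_reply, home, tunnel_outer, provider),
        "unsolicited_via_vpn": reaches_client(unsolicited, home, tunnel_outer, provider),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("provider NAT firewall:", flag, run_scenario(flag))
```

Running it shows the same point as the diagrams: the home router drops a direct unsolicited packet in both runs and passes the website's reply in both runs, but it also passes the unsolicited packet that arrives wrapped in the tunnel, because its only record is the tunnel flow. Only the run with the provider-side NAT firewall drops that packet, and it does so before the VPN server ever wraps it.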
Can’t I just use a personal firewall like the one that came with my OS?
It is always a good idea to use at least the firewall that came with your OS, as these provide a more sophisticated firewall solution than basic NAT filtering. Indeed, using a third-party firewall solution for even more comprehensive cover is encouraged. However, not only is a NAT hardware firewall an extra line of defense, but it also filters out a lot of potential threats before a more processor-intensive firewall has to deal with them, and possibly throw up another annoying ‘Do you want to allow this connection?’ dialogue for you to deal with.
In addition to this, while desktop Operating Systems these days usually have built-in firewalls, other devices (most notably mobile phones) do not, and therefore receive no firewall protection when using a VPN.