This article describes the security features of Internet Connection Sharing (ICS). Although ICS should not be considered a firewall for security purposes, you can use ICS to create a reasonably safe environment while providing full-featured Internet connectivity.

ICS uses Network Address Translation (NAT) technology to route TCP/IP packets between two networks. ICS connects an internal network (usually a small home local area network) and an external network (usually the Internet). ICS associates a TCP/UDP port number to a specific Internet Protocol (IP) address on the internal network. The port number associated to the IP address is recorded in a table.

For example, the IP address for the ICS internal adapter is 192.168.0.1, and the the external ICS adapter has an IP address of 156.59.23.100, which is assigned by the Internet service provider (ISP). The client sends a TCP/IP packet to a Web page at 131.125.13.1 on the Internet at port 80. The packet contains the following information: Because 131.125.13.1 is not local to the 192.168.0.x address range, the packet goes to the ICS computer acting as the default gateway. The ICS computer generates a new packet to send to the Web page at 131.125.13.1. The packet contains the following information: Notice that the values for the source IP address and the source port have changed. In other words, port 3000 is mapped to IP address 192.168.0.2 until the connection is closed. The port mapping is recorded in a table. After the Web page responds, the ICS computer receives a packet containing the following information: The ICS computer then translates the packet and delivers a new packet to the client IP address of 192.168.0.2 where the initial packet originated. ICS detects that port 3000 is assigned to the IP address because the information is recorded in the port mapping table. The packet sent to the client contains the following information: Notice that the destination port and IP address have changed to the IP address and the port number used by the client where the packet originated. Because of this translation process, the Internet detects the local area network (all clients) behind the ICS computer (including the ICS computer) as one IP address.

There are only two ways a packet from the Internet can reach a client behind an ICS computer:

•

The ICS computer translates an incoming packet and sends a new packet based on the translation table to the client computer. A client must send a packet first (thus, establishing a port mapping) before it can receive a packet from the Internet through an ICS computer.

•

The ICS computer is configured to direct all incoming traffic on a specific port to a specific client computer. This method requires changing the default configuration. For additional information, please click the article number below to view the article in the Microsoft Knowledge Base: 231162 (http://support.microsoft.com/kb/231162/EN-US/) How to Map a Port in ICS Using an .inf File For additional information on Network Address Translation, please see RFC 1631.

On the ICS computer, ports 1-1024 are not specifically blocked, with the exception of TCP port 135 and UDP port 139. Blocking these ports prevents File and Printer Sharing requests (SMB requests) from functioning on the external adapter. This affects incoming and outgoing TCP/IP packets on the ICS computer in the following ways:

•

Any packet sent by the ICS computer or received from the Internet using a port greater than 1024 requires translation just as any other client computer behind the ICS computer. For example, a packet originating from the ICS computer and the corresponding response packet on port 5000 need to go through the translation process described earlier in this article.

•

Any packet sent by the ICS computer or received from the Internet using port 1024 or less is sent directly to the Internet or to the program on the ICS computer without being translated. For example, when you open the home page on an ICS computer, a packet is sent on port 80 and goes directly to the Internet without being translated. In addition, a packet received by the ICS computer on port 80 is sent directly to the program on the ICS computer that is actively listening to port 80 (for example, a Web server). For the ICS computer to respond directly to a request on port 1024 or less, a program must be listening for packets on the same port as the request. By default, the ICS computer does not respond to server message block (SMB) requests on ports 135 and 139 because they are blocked.

ICS does not unbind File and Printer Sharing from the external adapter on the ICS computer. Dial-Up Networking (DUN) unbinds File and Printer Sharing from the dial-up adapter where Ethernet adapters (for DSL and cable-modem connections) do not unbind File and Printer Sharing by default. Ports 135 and 139 on the ICS computer are blocked by default on the external adapter to prevent remote computers on the Internet from gaining access to shares and printers on the local network. Blocking these ports does not affect the ICS computer's ability to share files and printers to other computers on the local area network (LAN). Unblocking these ports exposes the local network printers and shares to the Internet and is not recommended.