Why is NAT good for you?

Recent articles have pointed to a 50% chance that an "unprotected Windows PC" will be infected within 12 minutes of being connected to the Internet.

Globe and Mail article on exploits of Windows Systems

What this means is that if a machine is installed with Windows and then goes online to obtain the necessary security updates, it is probably exploited before completing the update process, with all the negative consequences thereof. Windows XP with Service Pack 2 is already partially "hardened" compared to prior versions of Windows, which makes a most compelling argument for updating to the newer operating system, if that is possible, when it becomes necessary to reinstall Windows. However, a reinstall is often forced by some calamity that befell the operating system, and such reinstalls usually use the existing operating system the machine is licensed for. If you only have 12 minutes before a 50/50 chance of being exploited, how in the world can you safely update it?

One way is to use "slipstream" updates or to manually install updates obtained by other means, but this is a complex and confusing undertaking for the average computer user. Is there a simpler way?

It turns out there is: use a NAT-capable router. Almost all "broadband" routers come with NAT, or Network Address Translation. NAT isn't a "true" firewall, but it eliminates nearly all of the attack vectors that Windows is normally exposed to during the update process, because an outside host cannot open a connection to a machine inside unless that machine initiated the exchange. In addition, NAT routers are incredibly easy to set up, which can't be said of "true" firewalls. (On the other hand, if you have many machines or special security needs, NAT can't replace the capabilities of true firewall products, so this advice is mostly for those with home computers.)

If you have a machine behind a NAT router (or, even better, behind a true firewall), you can safely use the Windows Update service to bring your machine up to date and secure it against the known vulnerabilities. What's better is that the NAT functionality will also protect against the "remote exploit" vulnerabilities that come to light in the future, since those depend on an attacker being able to reach the machine with an unsolicited connection.
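The reason NAT blocks those unsolicited connections is the translation table the router keeps. The following Python model is an added illustration, not code from the article or from any router vendor: it simulates a single-public-address, port-restricted NAT (no timeouts, no port forwarding), and every IP address and port number in it is a constructed sample value. It shows an outside probe to a Windows file-sharing port being dropped because nothing inside asked for it, while a reply from an update server the inside host contacted is passed through.

```python
"""Toy model of why a NAT router shields a freshly installed machine.

Added example, not from the original article. The NAT here is a simplified
port-restricted cone NAT with one public address; addresses and ports are
constructed sample values (RFC 5737 documentation ranges)."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class SimpleNat:
    """Forward an inbound packet only if an earlier outbound packet from the
    LAN created a mapping for exactly that remote host and port."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (lan_ip, lan_port, remote_ip, remote_port) -> translated public port
        self.out_map: Dict[Tuple[str, int, str, int], int] = {}
        # translated public port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.in_map: Dict[int, Tuple[str, int, str, int]] = {}
        self.dropped: List[Packet] = []

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: allocate (or reuse) a public port and rewrite the source."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.out_map[key], pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: pass only packets that match an existing mapping
        from the same remote address and port; everything else is dropped."""
        entry = self.in_map.get(pkt.dst_port)
        if entry is None or (entry[2], entry[3]) != (pkt.src_ip, pkt.src_port):
            self.dropped.append(pkt)
            return None
        lan_ip, lan_port, _, _ = entry
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.payload)


def scenario() -> Tuple[Optional[Packet], Packet, Optional[Packet], Optional[Packet], int]:
    """Walk through the situation the article describes. Returns the results so
    they can be checked rather than only printed."""
    nat = SimpleNat("203.0.113.7")           # constructed public address

    # 1. An unsolicited probe from the Internet to the file-sharing port (445)
    #    of the public address: no mapping exists, so the router drops it.
    probe = Packet("198.51.100.9", 31337, "203.0.113.7", 445, "unsolicited probe")
    unsolicited = nat.inbound(probe)

    # 2. The freshly installed LAN host contacts the update server itself.
    request = nat.outbound(Packet("192.168.1.10", 1025, "192.0.2.20", 80, "GET /update"))

    # 3. The update server replies to the translated address: mapping matches,
    #    so the reply is rewritten back to the LAN host.
    reply = nat.inbound(Packet("192.0.2.20", 80, "203.0.113.7", request.src_port, "200 OK"))

    # 4. A different host tries to reuse the now-open public port: the
    #    remote address does not match the mapping, so it is dropped too.
    spoof = nat.inbound(Packet("198.51.100.9", 80, "203.0.113.7", request.src_port, "bogus"))

    return unsolicited, request, reply, spoof, len(nat.dropped)


if __name__ == "__main__":
    unsolicited, request, reply, spoof, dropped = scenario()
    print("probe forwarded:", unsolicited is not None)      # False
    print("update request leaves as:", request)
    print("update reply delivered to:", reply.dst_ip if reply else None)
    print("spoofed reply forwarded:", spoof is not None)    # False
    print("packets dropped:", dropped)                      # 2
```

The same table explains the caveat later in the article: anything the inside machine fetches for itself (a download, an e-mail attachment) arrives as a reply to an outbound request, so NAT passes it without inspection. That is why NAT alone is not a complete defense.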

A NAT capable broadband router should cost $50-$100 for a 4 port version, which gives the additional benefit of allowing more than one machine to share a single broadband connection. It is a small investment when you consider the cleanup costs of an exploited machine.

Note that a NAT capable device or a firewall is not a magical solution... it will not protect against viruses, Trojans and malware that arrive from websites that you download programs from (intentionally or unintentionally) or via e-mail. The best defense is a layered defense, which means a NAT capable device or firewall, a "software" firewall (a limited one is provided in Windows XP Service Pack 2) and an anti-virus program. The more layers of defense, the less likely any one failing will cause your machine to be exploited. Note though that third party software firewalls and anti-virus programs must be kept up to date to remain effective and not become a potential path of exploitation themselves. These products will be discussed in a later article.

Froogle Search on "Broadband Router"
