NAT (Network Address Translation) - Current network security features used today
NAT (Network Address Translation)

NAT was introduced to the world of IT and networking primarily because of the shortage of IP addresses, or, looked at from the other direction, because of the rapidly growing amount of IT technology relying on IP addresses. In addition, NAT adds a layer of security by hiding computers, servers and other IT equipment from the outside world.

How NAT works

When computers and servers within a network communicate, they need to identify each other by a unique address. This resulted in the creation of a 32-bit number; the combinations of these 32 bits accommodate over 4 billion unique addresses, known as IP addresses. This scheme was named IPv4, and although over 4 billion addresses sounds like a lot, it really is not, considering how fast the world of computers and the internet has grown.

To circumvent this problem, a temporary solution known as NAT was produced. NAT resulted in two types of IP address, public and private. A range of private addresses was introduced, which anyone could use as long as they were kept private within the network and not routed on the internet. The private address ranges, defined in RFC 1918, are:

Class A 10.0.0.0 - 10.255.255.255

Class B 172.16.0.0 - 172.31.255.255

Class C 192.168.0.0 - 192.168.255.255

NAT allows you to use these private IP addresses on the internal network. So within your private network you assign a unique IP address to all your computers, servers and other IP-driven resources, usually via DHCP. Another company can use the same private IP addresses as well, as long as they are kept internal to its network. So two companies may be using the same range of IP addresses, but because the addresses are private to each network, they do not conflict with each other.
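To make the boundaries of the three private ranges concrete, here is an added Python example (not code from the original page) that classifies an address against the RFC 1918 blocks using the standard ipaddress module. The sample addresses it checks are constructed for illustration and sit on the edges where mistakes are usually made (172.32.0.1 and 192.169.0.1 are not private). It also includes a check the page does not spell out but which follows from it: a packet arriving on the internet-facing interface with a private source address cannot genuinely have come from the internet, so a firewall drops it.

```python
import ipaddress

# The three RFC 1918 blocks listed above, in CIDR form, keyed by the class
# label the page uses for them.
RFC1918_BLOCKS = {
    "Class A": ipaddress.ip_network("10.0.0.0/8"),
    "Class B": ipaddress.ip_network("172.16.0.0/12"),
    "Class C": ipaddress.ip_network("192.168.0.0/16"),
}


def rfc1918_block(addr: str):
    """Return the label of the RFC 1918 block containing addr, or None if it is
    not an RFC 1918 private IPv4 address (public, IPv6, loopback and so on)."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return None
    for label, network in RFC1918_BLOCKS.items():
        if ip in network:
            return label
    return None


def external_interface_verdict(src_addr: str) -> str:
    """Anti-spoofing check for packets arriving on the internet-facing interface
    (an added check, not something the page describes): a private source
    address is not routable on the internet, so such a packet is dropped."""
    return "drop" if rfc1918_block(src_addr) else "accept"


# Constructed sample addresses; the edges are where mistakes are usually made.
SAMPLES = ["10.1.2.3", "172.16.0.1", "172.31.255.255", "172.32.0.1",
           "192.168.255.254", "192.169.0.1", "1.1.1.1"]

if __name__ == "__main__":
    for a in SAMPLES:
        print(f"{a:16} -> {rfc1918_block(a) or 'not RFC 1918'}")
```

Note that the Class B block is 172.16.0.0/12, so it ends at 172.31.255.255; anything from 172.32.0.0 upwards is public address space.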

However, when internal hosts do need to communicate with the public network (the Internet), a public address comes into the equation. This address, usually purchased from an ISP, is a routable public address that everyone can see, and it represents your network gateway. This public address is unique; no one else uses it.

Now getting to the point: when a host on the internal network with an internal IP address needs to communicate outside its private network, it uses the public IP address on the network's gateway to identify itself to the rest of the world, and this translation of a private IP address to a public one is done by NAT. For example, if a computer with the internal address 192.168.1.10 wanted to communicate with a web server somewhere on the internet, NAT would translate the address 192.168.1.10 to the company's public address, let's call it 1.1.1.1 for example, so that the internal address is identified as the public address when communicating with the outside world. This has to be done because when the web server replies to this internal computer, it needs to send the reply to a unique and routable address on the internet, the public address. It cannot use the original address of 192.168.1.10, as this is private, non-routable and hidden from the outside world. The address 1.1.1.1 is that company's public address and can be seen by everyone. So the web server replies to the public address, 1.1.1.1. NAT then uses its records to translate the packets received from the web server, which were destined for 1.1.1.1, back to the internal network address 192.168.1.10, and thus the computer that requested the original information receives the requested packets.

Now you can see the two benefits of NAT. Firstly, it saves IP addresses, as not every computer needs a public address; secondly, it hides these private computers from the outside world. Everyone can only see the public address; everything else is hidden behind it. So from the internet only the public address on the external interface of the firewall or router can be seen, and nothing beyond it.

Types of NAT

Three main types of NAT rule are used today, depending on what needs to be accomplished:

Static NAT

A pool of public IP addresses is assigned to the NAT device. A private IP address can then be statically mapped to any one of these public addresses. This type of NAT scheme is usually used for servers that always require the same IP address, hence the name "static": server 1 will always have the same public IP address assigned to it, server 2 will have a different public IP address assigned to it, and so on.

Dynamic NAT

Again the NAT device has a pool of public IP addresses. This time, though, an address from the pool is used when needed and then given back to the pool. So if computer A needed a public address, it would take one from the pool, then hand it back when done. The next time the same computer wanted an IP address it might be assigned a different public address from the pool, because the one used previously might be in use by another computer, hence the name "dynamic". So the number of users who can communicate on the internet at any one time is limited by how many public IP addresses are available in the NAT pool. A company would purchase a number of public IPs depending on its need.

Port Address Translation (PAT)

In this type of setup, a company has only one public IP address assigned to its network, and so everyone shares this one public address when using the internet, browsing the web for example. You may be asking how everyone can share one address; well, the clue lies in the name, Port Address Translation. When a computer wants to use the internet, the NAT device, using the PAT method, remembers the IP address and source port of the internal host. For example, 192.168.1.10 with a source port of 55331 wants to browse Amazon.com. The NAT device keeps a note of this, and when Amazon replies to the public address and the port number 55331, the NAT device uses the PAT method to look up the port information, which maps to the internal computer that requested it. In effect it is saying: this information Amazon has sent back to the public address and port number 55331 maps to the IP address 192.168.1.10 that originally requested it, so the information is for that computer. So the connections are uniquely identified by source port, all using the same public IP but with unique source ports to identify who requested what information.

A company saves a reasonable amount of money and IP addresses using this method because it uses only one IP address. This has been a major factor in why IPv6 has been talked about for some years now but is still not required in most countries.
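The three rule types above can be walked through with the page's own example addresses. The following is an added Python model (not code from the original page, and not any vendor's implementation) of a NAT device that supports static, dynamic and PAT rules. It uses the page's 192.168.1.10 and 1.1.1.1, plus a hypothetical second public address 1.1.1.2 so that the static and dynamic pools have two entries; all other hosts and ports are constructed sample values. It goes slightly beyond the text in two places that matter in practice: a dynamic pool that runs out leaves the next host untranslated until an address is released, and with PAT two inside hosts that happen to pick the same source port must be given different outside ports so their replies can be told apart. A reply arriving for which no entry exists is returned as None, which is the "hidden from the outside world" behaviour the page describes.

```python
from itertools import count

# Constructed sample values: the page's own 192.168.1.10 and 1.1.1.1, plus a
# hypothetical second public address 1.1.1.2 for the static/dynamic pools.
PUBLIC_POOL = ["1.1.1.1", "1.1.1.2"]


class NatDevice:
    """Toy model of a NAT gateway supporting the three rule types on the page."""

    def __init__(self, mode, pool):
        assert mode in ("static", "dynamic", "pat")
        self.mode = mode
        self.pool = list(pool)
        self.free = list(pool)           # dynamic: public addresses not currently leased
        self.addr_map = {}               # static/dynamic: private ip -> public ip
        self.pat_out = {}                # pat: (private ip, port) -> (public ip, port)
        self.pat_in = {}                 # pat: (public ip, port) -> (private ip, port)
        self.spare_ports = count(40000)  # outside ports used when an inside port collides

    def add_static(self, private_ip, public_ip):
        """Static NAT: permanently bind one private address to one pool address."""
        if public_ip not in self.pool:
            raise ValueError("not a pool address")
        self.addr_map[private_ip] = public_ip

    def outbound(self, src_ip, src_port):
        """Rewrite an inside->outside packet; returns (public ip, port) or None."""
        if self.mode == "static":
            pub = self.addr_map.get(src_ip)
            return (pub, src_port) if pub else None
        if self.mode == "dynamic":
            pub = self.addr_map.get(src_ip)
            if pub is None:
                if not self.free:
                    return None          # pool exhausted: this host cannot go out yet
                pub = self.free.pop(0)
                self.addr_map[src_ip] = pub
            return (pub, src_port)
        # PAT: one shared public address; the outside port identifies the flow.
        inside = (src_ip, src_port)
        if inside not in self.pat_out:
            public_ip = self.pool[0]
            port = src_port
            # keep the inside port when nobody else holds it, otherwise pick a spare one
            while (public_ip, port) in self.pat_in:
                port = next(self.spare_ports)
            self.pat_out[inside] = (public_ip, port)
            self.pat_in[(public_ip, port)] = inside
        return self.pat_out[inside]

    def inbound(self, dst_ip, dst_port):
        """Rewrite an outside->inside packet; None means no entry, so it is dropped."""
        if self.mode in ("static", "dynamic"):
            for priv, pub in self.addr_map.items():
                if pub == dst_ip:
                    return (priv, dst_port)
            return None
        return self.pat_in.get((dst_ip, dst_port))

    def release(self, src_ip):
        """Dynamic NAT: hand a leased public address back to the pool."""
        if self.mode == "dynamic" and src_ip in self.addr_map:
            self.free.append(self.addr_map.pop(src_ip))


def demo():
    """Run the page's example through each rule type; returns the translations."""
    results = {}

    static = NatDevice("static", PUBLIC_POOL)
    static.add_static("192.168.1.10", "1.1.1.1")
    results["static_out"] = static.outbound("192.168.1.10", 55331)
    results["static_in"] = static.inbound("1.1.1.1", 55331)
    results["static_unmapped"] = static.outbound("192.168.1.11", 1000)   # no rule: None

    dynamic = NatDevice("dynamic", PUBLIC_POOL)
    dynamic.outbound("192.168.1.10", 55331)                              # leases 1.1.1.1
    dynamic.outbound("192.168.1.11", 55331)                              # leases 1.1.1.2
    results["dynamic_exhausted"] = dynamic.outbound("192.168.1.12", 55331)   # None: pool empty
    dynamic.release("192.168.1.10")
    results["dynamic_after_release"] = dynamic.outbound("192.168.1.12", 55331)

    pat = NatDevice("pat", ["1.1.1.1"])
    results["pat_host_a"] = pat.outbound("192.168.1.10", 55331)
    results["pat_host_b"] = pat.outbound("192.168.1.11", 55331)   # same inside port: gets 40000
    results["pat_reply_a"] = pat.inbound("1.1.1.1", 55331)
    results["pat_unsolicited"] = pat.inbound("1.1.1.1", 9999)     # no entry: dropped
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

The PAT branch keeps the inside host's own source port where it can, which matches the page's description of Amazon replying to port 55331; real devices behave the same way and only rewrite the port on a collision. The unsolicited inbound packet returning None is the security property the page attributes to NAT: with no matching translation entry, the device has nowhere to forward the packet and the inside hosts stay invisible.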

NAT is also implemented in home routers and hardware firewalls such as those from Netgear and Linksys, as well as in high-end hardware firewalls such as those from Cisco and Juniper.

This has proved a valuable feature on hardware firewalls, both for saving public IP addresses and as a countermeasure against some types of attack, such as reconnaissance attacks.

Disadvantages of NAT

As with everything, NAT has its drawbacks. Some applications and services, such as VPN and video conferencing, struggle to operate through NAT (not entirely true, as most of the time they can be configured to work with NAT, but it can get a little messy when setting up rules in applications, routers and firewalls).

IPv6

However, to circumvent the above issue a few extra public IP addresses can be purchased for these dedicated services. For the long run, however, IPv6 is already being rolled out in some technologies and in some parts of the world. This addressing scheme uses 128-bit addresses as opposed to IPv4's 32-bit addresses. IPv6 supports 2 to the power of 128 addresses, compared to IPv4's 2 to the power of 32; that is a massively huge increase in IP addresses, future-proofing the growth of IP addressing.
