Intro to Network Address Translation (NAT)
Network Address Translation (NAT), originally defined in RFC 1631 and extended in RFC 3022, is the process where a network device, usually a firewall, modifies IP address information in IP packet headers while in transit across a traffic routing device. The main use of NAT is to limit the number of public IP addresses an organization or company must use, for both economy and security purposes. Additionally, NAT enhances internal network security by limiting the access of external computers into the internal IP network space.
The most common form of network translation involves a large private network using addresses in a private range. The private address space described in RFC 1918 consists of three sets of addresses reserved by the Internet Assigned Numbers Authority (IANA) for use by private networks. These are:
- 10.0.0.0 through 10.255.255.255 (or 10.0.0.0/8)
- 172.16.0.0 through 172.31.255.255 (or 172.16.0.0/12)
- 192.168.0.0 through 192.168.255.255 (or 192.168.0.0/16)
The private addressing scheme works well for computers that only have to access resources inside the network, like workstations needing access to file servers and printers. Routers inside the private network can route traffic between private addresses with no trouble. However, any computer that requires a connection to the Internet needs a public IP address issued by the IANA. IANA allocates public IP addresses and guarantees them to be globally unique on the Internet. This is where NAT comes into play.
A workstation inside a network makes a request to a computer on the Internet. Routers within the network recognize that the request is not for a resource inside the network, so they send the request to the firewall. The firewall reads the source IP address of the packet and checks whether the packet matches the criteria specified for translation. The firewall has an ACL (Access Control List) that identifies the inside network as valid hosts for translation. It then makes the same request to the Internet using its own public address. When the computer on the Internet responds, the packet comes back to the public address of the firewall. The firewall refers to its NAT table and sees that this was a previously translated IP address. Then, it translates the inside global address to the inside local address, and the packet is forwarded to the computer inside the private network. If it does not find a matching translation, the packet is dropped. When NAT is used in this way, all users inside the private network share the same public IP address when they access the Internet. This means that only a single, unique IP address is required to represent an entire group of computers. To avoid ambiguity in the handling of returned packets, a one-to-many NAT must alter higher-level information such as TCP/UDP ports in outgoing communications and must maintain a translation table so that return packets can be correctly translated back.
Internal web servers that are not directly connected to the Internet are assigned public IP addresses on the firewall, allowing the public to access the servers only through that IP address. This requires configuring a static NAT translation between the dedicated public IP address and the dedicated private IP address of the web server. As an additional layer of security, the firewall acts as the intermediary between the outside world and the protected internal network. Additional rules can be added, including which ports can be accessed at that IP address.
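The two translation modes described above (one-to-many NAT with port overloading and a translation table, and 1:1 static NAT for an internal server) as a small added simulation; this is example code written for this post, not the configuration of any particular firewall. The public address 203.0.113.1, the server mapping 10.0.5.80 to 203.0.113.80, and the starting port 40000 are constructed values, and the ACL is a list of inside networks permitted for translation.

```python
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    """Only the header fields NAT cares about."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Toy firewall NAT: inside ACL, one-to-many port overloading, 1:1 static NAT."""

    def __init__(self, public_ip, inside_acl, static=None, first_port=40000):
        self.public_ip = public_ip
        self.acl = [ipaddress.ip_network(n) for n in inside_acl]
        self.static = dict(static or {})        # private server ip -> dedicated public ip
        self.static_rev = {v: k for k, v in self.static.items()}
        self.next_port = first_port             # next free port on the shared public address
        self.table = {}                         # (inside global ip, port) -> (inside local ip, port)
        self.reverse = {}                       # (inside local ip, port) -> (inside global ip, port)

    def _permitted(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.acl)

    def outbound(self, pkt):
        """Translate inside local -> inside global; None means the source is not eligible."""
        if pkt.src_ip in self.static:           # static NAT swaps the address, keeps the port
            return replace(pkt, src_ip=self.static[pkt.src_ip])
        if not self._permitted(pkt.src_ip):     # ACL decides who may be translated
            return None
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.reverse:             # first packet of a flow: allocate a public port
            mapped = (self.public_ip, self.next_port)
            self.next_port += 1
            self.reverse[key] = mapped
            self.table[mapped] = key
        pub_ip, pub_port = self.reverse[key]
        return replace(pkt, src_ip=pub_ip, src_port=pub_port)

    def inbound(self, pkt):
        """Translate a returning packet back; None means no table entry, so it is dropped."""
        if pkt.dst_ip in self.static_rev:       # dedicated public address of an internal server
            return replace(pkt, dst_ip=self.static_rev[pkt.dst_ip])
        inside = self.table.get((pkt.dst_ip, pkt.dst_port))
        if inside is None:
            return None
        return replace(pkt, dst_ip=inside[0], dst_port=inside[1])
```

Unsolicited inbound packets to the shared address find no table entry and are dropped, which is the behaviour the text describes; for the static mapping, port restrictions would be a separate firewall rule and are not modelled here.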
NAT can also be used to allow selective access from the network to the outside. Workstations or other computers requiring special access outside the network can be assigned specific external IPs using NAT, allowing them to communicate with computers and applications that require a unique public IP address. Again, the firewall acts as the intermediary, and can control the session in both directions, restricting port access and protocols.
In addition, NAT eases administration by insulating an organization from external IP address changes. Without NAT, if an organization switches Internet Service Provider (ISP) and is assigned a new public IP address, they would have to change every hard-coded address used in their organization (including configuration information like DHCP servers, DNS servers, etc.).
Another useful feature of NAT is traffic logging. Since all the traffic to and from the Internet has to pass through a NAT gateway, it allows detailed logging of communications between the network and the outside world. The log file can be used to generate various traffic reports, such as traffic breakdown by user, by site, by network connection etc.
As the Internet continues to expand at an ever-increasing rate, NAT offers a fast and effective way to extend secure Internet access to existing and new private networks, without having to wait for a major new IP addressing structure. It offers greater administrative flexibility and allows for stricter control of access to resources on both sides of the firewall. A common misconception is that NAT will allow a company to hide its internal network and by itself ensure network security for the organization. That can be an added security benefit, but we should not rely on it as the only security measure.