Sunday, October 17, 2004

Strengthen security by implementing Network Address Translation

If you administer a network that has enough routable IP addresses to cover your hosts and servers, you probably haven't needed to implement Network Address Translation (NAT). NAT lets a single device, usually the router or firewall at the edge of your network, rewrite the addresses in packets passing between your private network and the Internet, so that one routable IP address can stand in for a large group of computers.
But NAT isn't only for stretching a short supply of addresses; it also adds a layer of protection and eases administration. If you haven't implemented NAT, it may be time to rethink that choice.
Before deciding to implement NAT, it's important to understand how NAT works and to be familiar with the different types of NAT that you can implement.

NAT vs. proxy servers
People sometimes confuse NAT with proxy servers, but there's a big difference. NAT is transparent to both the source and destination computers. A proxy server is not transparent: you must configure the source computer to send its requests to the proxy.
The destination computer then sees the proxy as the source and sends its replies to the proxy, which forwards them back to the requesting computer. Proxy servers usually work at Layer 4 (Transport) or higher of the OSI Reference Model; NAT operates at Layer 3 (Network), rewriting IP headers (and, in its port-translating forms, the Layer 4 port numbers as well).
Now that you understand the differences between NAT and proxy servers, let's examine four types of NAT.

Static
Also known as inbound mapping, static NAT maps an unregistered (nonroutable) internal IP address to a registered (routable) IP address on a one-to-one basis. This is necessary when a network device needs to be reachable from outside the network. It also means the mapped device is exposed to unsolicited inbound traffic, so it needs its own filtering; the NAT mapping alone protects nothing.
Example: Your mail server has an IP address of 10.0.1.5 (a private address from the 10.0.0.0/8 range, which is not routable on the Internet). Your NAT device translates that address to 202.0.1.5 (a routable IP address), and traffic arriving for 202.0.1.5 is translated back to 10.0.1.5.

Dynamic
Dynamic NAT maps an unregistered IP address to a registered IP address taken from a pool of registered addresses. Like static NAT, it is one-to-one: each internal host holds one pool address for as long as its translation entry lives. Unlike static NAT, the mapping is not fixed; it depends on which pool addresses are free at the time the host starts communicating. Once the pool is exhausted, new internal hosts cannot reach the outside until an existing entry times out.
Example: An internal client has an IP address of 10.0.1.150. When this client first sends traffic to an outside network, your NAT device translates its address to the first available address in the range 202.0.1.50 to 202.0.1.100.

Overloading
Also known as Port Address Translation (PAT), single-address NAT, or port-level multiplexed NAT, overloading is a form of dynamic NAT that maps many unregistered IP addresses to one registered IP address. It does this by substituting a unique source port for each session before translating the source address, and it uses that port to tell the returning packets apart.
Example: Your NAT device translates all internal clients to a single routable IP address but assigns each outbound session a different source port before sending it on to the destination. A reply arriving at that port is mapped back to the client and port that opened the session.

Overlapping
Overlapping NAT is used when the internal IP addresses are routable but the same addresses are also in use on another network you need to reach. The NAT device translates these addresses to unique routable addresses before forwarding the communication.
Organizations use this type of NAT when the same routable addresses have been assigned to internal clients at physically different locations on the network. Because hosts at one site would otherwise resolve the other site's names to addresses that clash with their own, overlapping NAT is usually paired with DNS translation: the NAT device rewrites the addresses inside DNS replies passing through it so that each side learns the translated, unique address.
Example: Your NAT device translates a client with an IP address of 202.0.1.50 (a routable address also used by a different client in a physically different location) to an address in the range 202.0.2.50 to 202.0.2.100.

Final thoughts
Don't worry that implementing NAT will cause a noticeable performance decrease on your network. An entry in a router's address translation table takes about 160 bytes, so a router with only 2 MB of DRAM available for the table can hold roughly 13,107 simultaneous translations (2 MB divided by 160 bytes).
This should be sufficient for any small network, and adding memory to your router helps if you do run into the limit. Keep an eye on the table's entry timeouts as well: entries that linger after a session has ended consume memory and, under PAT, source ports.
When implementing NAT, most organizations use the dynamic approach, in practice usually its overloaded (PAT) form. Because the device builds its translation table only from connections that internal hosts initiate, an inbound packet that matches no entry has nowhere to go and is dropped, which makes the NAT device behave like a rudimentary stateful packet filter between the internal network and the Internet.
This way, computers on the Internet can't connect to an internal client unless the internal client initiates the communication. Bear in mind that this is a side effect of the translation table rather than a firewall policy: statically mapped hosts remain reachable, and the NAT device does not inspect or restrict what internal hosts send out. Still, keeping hostile networks from connecting to your internal clients is a good beginning to securing your network.
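The translation tables described in the Static, Dynamic and Overloading sections, together with the drop-if-no-entry behaviour described just above, as an added example that is not part of the original post. It is a toy model in Python, not the code of any real NAT device: `Packet` and `NatDevice` are names made up for illustration, the outside host 198.51.100.7 and the single PAT address 202.0.1.1 are assumptions, and the inside addresses and pool range are the article's own. It goes slightly beyond the text by also showing what happens when a dynamic pool runs out.

```python
"""Toy model of a NAT device's translation table.

Added example, not code from the original article. Packet, NatDevice and
the packets built in demo() are constructed for illustration; the inside
addresses and the pool range are the ones the article uses.
"""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PoolExhausted(Exception):
    """Dynamic NAT has no free registered address left in its pool."""


class NatDevice:
    """Static, dynamic (pool) and overloaded (PAT) translation in one table."""

    def __init__(self, static=None, pool=(), overload_ip=None):
        self.static = dict(static or {})       # inside ip -> outside ip, fixed
        self.static_rev = {o: i for i, o in self.static.items()}
        self.pool = list(pool)                 # free registered addresses
        self.dynamic = {}                      # inside ip -> pool address in use
        self.overload_ip = overload_ip         # the single PAT address, or None
        self._ports = count(1024)              # next substitute source port
        self.sessions = {}                     # (in ip, in port) -> (out ip, out port)
        self.reverse = {}                      # (out ip, out port) -> (in ip, in port)

    def _translate_source(self, pkt):
        """Choose the outside (ip, port) for a session that has no entry yet."""
        if pkt.src_ip in self.static:          # static: one-to-one, port untouched
            return self.static[pkt.src_ip], pkt.src_port
        if self.overload_ip is not None:       # PAT: one ip, a unique port per session
            return self.overload_ip, next(self._ports)
        if pkt.src_ip not in self.dynamic:     # dynamic: first free pool address
            if not self.pool:
                raise PoolExhausted(pkt.src_ip)
            self.dynamic[pkt.src_ip] = self.pool.pop(0)
        return self.dynamic[pkt.src_ip], pkt.src_port

    def outbound(self, pkt):
        """Inside -> outside: rewrite the source and record the session."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.sessions:
            self.sessions[key] = self._translate_source(pkt)
            self.reverse[self.sessions[key]] = key
        out_ip, out_port = self.sessions[key]
        return Packet(out_ip, out_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Outside -> inside: rewrite the destination, or return None to drop."""
        key = (pkt.dst_ip, pkt.dst_port)
        if key in self.reverse:                # reply to a session an inside host opened
            in_ip, in_port = self.reverse[key]
            return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)
        if pkt.dst_ip in self.static_rev:      # static mapping is reachable unsolicited
            return Packet(pkt.src_ip, pkt.src_port,
                          self.static_rev[pkt.dst_ip], pkt.dst_port)
        return None                            # no table entry: the packet is dropped


def demo():
    """Replay the article's examples; returns the translated packets by name."""
    web = "198.51.100.7"                       # constructed outside host (RFC 5737 range)
    # Mail server on a static mapping, every other client overloaded onto 202.0.1.1
    # (the single PAT address is an assumption; the article names none).
    edge = NatDevice(static={"10.0.1.5": "202.0.1.5"}, overload_ip="202.0.1.1")
    results = {
        "static_out": edge.outbound(Packet("10.0.1.5", 25, web, 25)),
        "static_in_unsolicited": edge.inbound(Packet(web, 50000, "202.0.1.5", 25)),
        "pat_a": edge.outbound(Packet("10.0.1.150", 40000, web, 80)),
        "pat_b": edge.outbound(Packet("10.0.1.151", 40000, web, 80)),
    }
    # The reply to pat_a arrives at 202.0.1.1:1024 and is mapped back to 10.0.1.150:40000.
    results["pat_reply"] = edge.inbound(Packet(web, 80, "202.0.1.1", 1024))
    # An unsolicited probe at the PAT address matches no entry and is dropped.
    results["pat_probe"] = edge.inbound(Packet(web, 50000, "202.0.1.1", 22))

    # Dynamic NAT from the article's pool 202.0.1.50-202.0.1.100: one address per host,
    # source port left alone.
    dyn = NatDevice(pool=[f"202.0.1.{n}" for n in range(50, 101)])
    results["dyn_first"] = dyn.outbound(Packet("10.0.1.150", 40000, web, 80))
    results["dyn_same_host"] = dyn.outbound(Packet("10.0.1.150", 40001, web, 443))
    results["dyn_next_host"] = dyn.outbound(Packet("10.0.1.151", 40000, web, 80))
    return results


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:22} {pkt}")
```

Run it to see each packet before and after translation. The asymmetry at the end of the static and PAT cases is the point of the section above: the statically mapped mail server answers an unsolicited packet, while the probe at the PAT address comes back as None because no inside host opened a session on that port. A pool of one address, given a second inside host, raises PoolExhausted.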
