View Full Version : NAT, A General Understanding....

01-31-01, 09:48 AM
NAT can be a very confusing item to many people.
Education is the best security defense, so let's learn a little bit about how NAT came to be and what its purpose was. RFC 1631 (http://www.cis.ohio-state.edu/htbin/rfc/rfc1631.html) Network Address Translators tells us that NAT was devised as a short-term solution to address depletion by address reuse, as explained in that article. Interestingly enough, in 1994, NAT's infancy, it was stated that the same characteristics that enhance privacy potentially make debugging problems (including security violations) more difficult, since the IP address of the host is hidden.
Although this makes it difficult to find the host, I can't say that this increases the risk of being violated.


Privacy, Security, and Debugging Considerations

Unfortunately, NAT reduces the number of options for providing
security. With NAT, nothing that carries an IP address or information
derived from an IP address (such as the TCP-header checksum) can be
encrypted. While most application-level encryption should be ok, this
prevents encryption of the TCP header.

On the other hand, NAT itself can be seen as providing a kind of
privacy mechanism. This comes from the fact that machines on the
backbone cannot monitor which hosts are sending and receiving traffic
(assuming of course that the application data is encrypted).

The same characteristic that enhances privacy potentially makes
debugging problems (including security violations) more difficult. If
a host is abusing the Internet in some way (such as trying to attack
another machine or even sending large amounts of junk mail or
something) it is more difficult to pinpoint the source of the trouble
because the IP address of the host is hidden.

The article is worth a read, anyway...

Webopedia's explanation of NAT (http://webopedia.internet.com/TERM/N/NAT.html)

Last modified: February 21, 2000
Short for Network Address Translation, an Internet standard that enables a local-area network (LAN) to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. A NAT box located where the LAN meets the Internet makes all necessary IP address translations.

NAT serves two main purposes:

Provides a type of firewall by hiding internal IP addresses
Enables a company to use more internal IP addresses. Since they're used internally only, there's no possibility of conflict with IP addresses used by other companies and organizations.
Allows a company to combine multiple ISDN connections into a single Internet connection

Whatis defines NAT (http://whatis.techtarget.com/WhatIs_Definition_Page/0,4152,214107,00.html)

NAT (Network Address Translation) is the translation of an Internet Protocol address (IP address) used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and unmaps the global IP addresses on incoming packets back into local IP addresses. This helps ensure security since each outgoing or incoming request must go through a translation process that also offers the opportunity to qualify or authenticate the request or match it to a previous request. NAT also conserves on the number of global IP addresses that a company needs and it lets the company use a single IP address in its communication with the world.
NAT is included as part of a router and is often part of a corporate firewall. Network administrators create a NAT table that does the global-to-local and local-to-global IP address mapping. NAT can also be used in conjunction with policy routing. NAT can be statically defined or it can be set up to dynamically translate from and to a pool of IP addresses. Cisco's version of NAT lets an administrator create tables that map:

A local IP address to one global IP address statically
A local IP address to any of a rotating pool of global IP addresses that a company may have
A local IP address plus a particular TCP port to a global IP address or one in a pool of them
A global IP address to any of a pool of local IP addresses on a round-robin basis
NAT is described in general terms in RFC 1631, which discusses NAT's relationship to Classless Inter-Domain Routing (CIDR) as a way to reduce the IP address depletion problem. NAT reduces the need for a large amount of publicly known IP addresses by creating a separation between publicly known and privately known IP addresses. CIDR aggregates publicly known IP addresses into blocks so that fewer IP addresses are wasted. In the end, both extend the use of IPv4 IP addresses for a few more years before IPv6 is generally supported.

A more detailed & technical discussion can be found here (http://safety.net/nattech.html)

A very informative read is found here (http://www.ietf.org/html.charters/nat-charter.html)

This describes various types and implementations of NAT (http://www.uq.net.au/~zzdmacka/the-nat-page/natinformation.html)

Peer to Peer Networking with NAT (http://www.alumni.caltech.edu/~dank/peer-nat.html)

Linux & NAT (http://www.suse.de/~mha/HyperNews/get/linux-ip-nat.html)

Vicomsoft has a good explanation. (http://www.vicomsoft.com/knowledge/reference/nat.html)

NAT automatically provides firewall-style protection without any special set-up. That is because it only allows connections that are originated on the inside network. This means, for example, that an internal client can connect to an outside FTP server, but an outside client will not be able to connect to an internal FTP server because it would have to originate the connection, and NAT will not allow that. It is still possible to make some internal servers available to the outside world via inbound mapping, which maps certain well-known TCP ports (e.g. 21 for FTP) to specific internal addresses, thus making services such as FTP or Web available in a controlled way.

All of the aforementioned sites have links included with them for those that are interested in a more in-depth study.

In summary, NAT translates your internal IP and helps prevent connections originating from outside of your puter, in effect providing some characteristics of a firewall; however, it is not an actual hardware firewall.
Its primary purpose, as initially explained, was to help with IP address depletion. Of course, as a security enhancement, it is better than nothing...

Inquiring minds want to know...

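The behaviour the post and its quoted sources describe (an outbound connection creates translation state, the reply is matched to that state and mapped back to the inside host, an unsolicited inbound connection is dropped unless an inbound mapping for that port exists, and the TCP checksum has to be recomputed because it covers both IP addresses), worked through as an added example. This is not code from the original thread, from RFC 1631 or from any of the linked sites; the addresses, ports, port pool and the minimal 20-byte TCP header are all constructed for illustration.

```python
# Toy NAPT (port-address translation) box. Added example; addresses, ports,
# the port pool and the simplified TCP header are constructed assumptions.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple
import socket
import struct


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


def _fold(total: int) -> int:
    """Fold carries back into 16 bits (ones-complement addition)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(pkt: Packet) -> int:
    """TCP checksum over the pseudo-header (src/dst IP, proto, length), a
    minimal TCP header and the payload. The IP addresses sit inside the
    checksum, so a NAT that rewrites them must recompute it; that is why
    RFC 1631 says the TCP header cannot be encrypted end to end across a NAT."""
    header = struct.pack("!HHIIBBHHH", pkt.src_port, pkt.dst_port,
                         0, 0,          # seq / ack: constructed as zero
                         5 << 4, 0x18,  # data offset 5 words, PSH|ACK
                         65535, 0, 0)   # window, checksum=0, urgent pointer
    segment = header + pkt.payload
    pseudo = (socket.inet_aton(pkt.src_ip) + socket.inet_aton(pkt.dst_ip)
              + struct.pack("!BBH", 0, 6, len(segment)))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    return (~_fold(total)) & 0xFFFF


class Nat:
    """Dynamic NAPT with per-flow state plus static inbound mappings."""

    def __init__(self, public_ip: str, first_port: int = 40000, last_port: int = 49999):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        # (inside ip, inside port, dst ip, dst port) -> public port
        self.flows: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, remote ip, remote port) -> (inside ip, inside port)
        self.reverse: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        # public port -> inside host, for services deliberately exposed
        self.static: Dict[int, Tuple[str, int]] = {}

    def add_inbound_mapping(self, public_port: int, inside_ip: str, inside_port: int) -> None:
        self.static[public_port] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: allocate a public port on first sight of a flow,
        then rewrite the source address and port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.flows:
            if self.next_port > self.last_port:
                raise RuntimeError("NAT port pool exhausted")
            self.flows[key] = self.next_port
            self.reverse[(self.next_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.flows[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: only a reply to an existing flow or a packet to a
        statically mapped port is translated; anything else is dropped (None)."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.reverse.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            inside = self.static.get(pkt.dst_port)
        if inside is None:
            return None
        return replace(pkt, dst_ip=inside[0], dst_port=inside[1])


def demo() -> dict:
    """The scenarios from the post, with constructed addresses."""
    nat = Nat("203.0.113.1")
    # 1. inside client opens an FTP control connection to an outside server
    client = Packet("192.168.1.10", 51234, "198.51.100.7", 21, b"USER anonymous\r\n")
    translated = nat.outbound(client)
    # 2. the server's reply matches the flow state and is sent back inside
    reply = nat.inbound(Packet("198.51.100.7", 21, translated.src_ip, translated.src_port, b"331 ok\r\n"))
    # 3. an unsolicited outside connection to port 21 has no state: dropped
    unsolicited = Packet("198.51.100.99", 4444, "203.0.113.1", 21)
    dropped = nat.inbound(unsolicited)
    # 4. with an inbound mapping, the same packet reaches an internal FTP server
    nat.add_inbound_mapping(21, "192.168.1.20", 21)
    forwarded = nat.inbound(unsolicited)
    return {"translated": translated, "reply": reply, "dropped": dropped,
            "forwarded": forwarded,
            "checksum_changed": tcp_checksum(client) != tcp_checksum(translated)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The flow table is keyed on the full inside/outside pair, so an outside host can only reach an inside port it has already been spoken to from; a real NAT may be more permissive (the "full cone" behaviour the peer-to-peer link above is about), and a real one also ages entries out.
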
02-01-01, 02:31 AM
Wow, great info, but I have to lie down now; reading that extremely long post gave me a headache.

02-03-01, 11:08 PM
Good info Ken!
Always nice to see you sharing your knowledge and resources. I wonder how many times we will link to this thread :)
I'm sure it will be a lot.