Network Address Translation (NAT) is the process where a network device, usually a firewall, assigns a public address to a computer (or group of computers) inside a private network. The main use of NAT is to limit the number of public IP addresses an organization or company must use, for both economy and security purposes.
The most common form of network translation involves a large private network using addresses in a private range (10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, or 192.168.0.0 to 192.168.255.255). The private addressing scheme works well for computers that only have to access resources inside the network, like workstations needing access to file servers and printers. Routers inside the private network can route traffic between private addresses with no trouble.
However, to access resources outside the network, like the Internet, these computers have to have a public address in order for responses to their requests to return to them. This is where NAT comes into play.
Internet requests that require Network Address Translation (NAT) are quite complex but happen so rapidly that the end user rarely knows it has occurred. A workstation inside a network makes a request to a computer on the Internet. Routers within the network recognize that the request is not for a resource inside the network, so they send the request to the firewall.
The firewall sees the request from the computer with the internal IP. It then makes the same request to the Internet using its own public address, and returns the response from the Internet resource to the computer inside the private network. From the perspective of the resource on the Internet, it is sending information to the address of the firewall. From the perspective of the workstation, it appears that communication is directly with the site on the Internet.
When NAT is used in this way, all users inside the private network share the same public IP address when they use the Internet. That means only one public address is needed for hundreds or even thousands of users.
Most modern firewalls are stateful – that is, they are able to set up the connection between the internal workstation and the Internet resource. They can keep track of the details of the connection, like ports, packet order, and the IP addresses involved. This is called keeping track of the state of the connection. In this way, they are able to keep track of the session composed of communication between the workstation and the firewall, and the firewall with the Internet. When the session ends, the firewall discards all of the information about the connection.
There are other uses for Network Address Translation (NAT) beyond simply allowing workstations with internal IP addresses to access the Internet. In large networks, some servers may act as Web servers and require access from the Internet. These servers are assigned public IP addresses on the firewall, allowing the public to access the servers only through that IP address.
However, as an additional layer of security, the firewall acts as the intermediary between the outside world and the protected internal network. Additional rules can be added, including which ports can be accessed at that IP address. Using NAT in this way allows network engineers to more efficiently route internal network traffic to the same resources, and allow access to more ports, while restricting access at the firewall. It also allows detailed logging of communications between the network and the outside world.
Additionally, NAT can be used to allow selective access to the outside of the network, too. Workstations or other computers requiring special access outside the network can be assigned specific external IPs using NAT, allowing them to communicate with computers and applications that require a unique public IP address. Again, the firewall acts as the intermediary, and can control the session in both directions, restricting port access and protocols.
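The two mechanisms described above, the many-to-one translation with per-session state for outbound requests, and the static public address published for a server with only selected ports reachable, can be made concrete with a small simulation. The following is an added example written for this page, not code from the original article or from any firewall product: a toy NatGateway class with one constructed firewall public address (203.0.113.1), a constructed second public address (203.0.113.2) published for an internal web server, and constructed workstation and remote addresses. It shows how the first packet of a session allocates a public port and records state, how a reply is matched back to the private workstation only if both the public port and the remote endpoint agree, how an unsolicited packet to an unpublished port is dropped, and how the state disappears when the session is closed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Every address and port below is constructed for this example; the public
# addresses come from the 203.0.113.0/24 and 198.51.100.0/24 documentation
# ranges and belong to no real host.
FIREWALL_PUBLIC_IP = "203.0.113.1"

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass
class NatGateway:
    """Toy model of a stateful NAT firewall (hypothetical, not a real product)."""

    public_ip: str
    next_port: int = 40000
    # Dynamic (many-to-one) state, one entry per outbound session:
    #   (private endpoint, remote endpoint) -> public port chosen by the firewall
    outbound: Dict[Tuple[Endpoint, Endpoint], int] = field(default_factory=dict)
    #   (public port, remote endpoint) -> private endpoint, used on the return path
    inbound: Dict[Tuple[int, Endpoint], Endpoint] = field(default_factory=dict)
    # Static mappings published for servers: (public IP, public port) -> private endpoint.
    # A port that is not listed here is simply not reachable from outside.
    static: Dict[Endpoint, Endpoint] = field(default_factory=dict)

    def publish_server(self, public: Endpoint, private: Endpoint) -> None:
        """Expose one internal server port on a public address held by the firewall."""
        self.static[public] = private

    def translate_outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Rewrite the source of a packet leaving the private network.

        The first packet of a session allocates a public port and records the
        state; later packets of the same session reuse that mapping.
        """
        key = (src, dst)
        if key not in self.outbound:
            public_port = self.next_port
            self.next_port += 1
            self.outbound[key] = public_port
            self.inbound[(public_port, dst)] = src
        return (self.public_ip, self.outbound[key]), dst

    def translate_inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Rewrite the destination of a packet arriving from the Internet.

        Returns (src, private destination), or None when the packet matches
        neither an open session nor a published server and is dropped.
        """
        if dst[0] == self.public_ip:
            # Reply to a session we opened: the public port we allocated and the
            # remote endpoint the session was opened to must both match.
            private = self.inbound.get((dst[1], src))
            if private is not None:
                return src, private
        # Unsolicited traffic is only accepted toward explicitly published ports.
        private = self.static.get(dst)
        if private is not None:
            return src, private
        return None

    def close_session(self, src: Endpoint, dst: Endpoint) -> None:
        """Discard all state once the session between src and dst ends."""
        public_port = self.outbound.pop((src, dst), None)
        if public_port is not None:
            self.inbound.pop((public_port, dst), None)


if __name__ == "__main__":
    gw = NatGateway(FIREWALL_PUBLIC_IP)
    gw.publish_server(("203.0.113.2", 443), ("10.0.0.80", 443))
    remote = ("198.51.100.10", 443)
    print(gw.translate_outbound(("10.0.0.5", 51000), remote))
    print(gw.translate_inbound(remote, (FIREWALL_PUBLIC_IP, 40000)))
    print(gw.translate_inbound(("198.51.100.77", 9999), ("203.0.113.2", 22)))  # dropped
```

The point worth noticing is that the return-path lookup is keyed on both the allocated public port and the remote endpoint: a packet from some other host, or from the right host on a different port, does not match the session state and falls through to the static table, where only the published ports exist. Real firewalls add timeouts, protocol awareness and logging on top of this, but the bookkeeping itself is no more than these two tables.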
NAT is a very important aspect of firewall security. It conserves the number of public addresses used within an organization, and it allows for stricter control of access to resources on both sides of the firewall.
Benefits of NAT
The first advantage of NAT is to simplify network management by leaving the administrator free to adopt whatever internal addressing scheme they want. Being private, the internal addressing plan does not depend on external constraints that administrators do not always control. For example, if a company uses a public addressing plan and changes ISPs, it must change the address of every terminal that makes up its network. With NAT and a private addressing plan, on the contrary, the choice of a new Internet service provider has no impact on the terminals. The administrator does not need to reconfigure the IP addresses of all the devices in the network; it is sufficient to modify, at the NAT gateway, the pool of public IP addresses that is dynamically allocated to the private IP addresses of the local network devices.
The second advantage of NAT is to economize on public IP addresses. The IP network protocol used in today’s Internet, in its version 4, has a significant limitation: the number of available IP addresses is small compared to the number of terminals that can be connected to the Internet. Because this resource is scarce, its availability comes at a cost to the administrators who want to use it.
NAT addresses this shortage, inherent to IP version 4, by providing the ability to save IP addresses at two distinct levels. Not every terminal in a local network needs to be reachable from the outside; many only need connectivity within the internal network. For example, intranet servers, corporate directories, human resources servers holding confidential staff information, monitoring servers and the many test servers do not have to be reachable from the Internet, only from within the company. A private IP address is therefore sufficient for these servers, and the NAT box never has to translate it, since these servers answer internal requests but never initiate traffic toward the outside.
The second level of public IP address economy comes from the mechanism mentioned in the previous section: hiding several terminals, each with its own private IP address, behind a single public IP address by varying the ports used. This method is widely used because it places no limit on the number of terminals in the local network that can access the Internet.
Another significant advantage of NAT concerns security. The terminals get extra protection, since they are not directly addressable from the outside. In addition, the NAT box guarantees that all flows between the internal and external networks always pass through it. If a terminal is poorly protected and lacks an effective firewall, the network it connects to can add further protection mechanisms at the NAT gateway, since every flow must go through it. Overall, the administrator can concentrate security mechanisms at a single, centralized point of control. This explains why, in many cases, NAT boxes are coupled with a flow-filtering firewall.