Network Address Translation (NAT) has become a standard tool for both connecting and hardening networks. It is often implemented to solve certain network design issues, but it also offers significant security benefits as a hardening technique. To better understand and define NAT, it is important to know a little bit about the history and planning of the Internet itself.
For a computer to communicate with other computers and Web servers on the Internet, it must have an IP address. An IP address is a unique number that identifies the location of your computer on a network. All computers on networks that are set up using the TCP/IP protocol (the official protocol of the Internet) must have an IP address in order to communicate.
When IP addressing was conceived, it seemed as though there were plenty of addresses to go around. In theory, there could be as many as 4,294,967,296 (2^32) unique IP addresses. The number of available addresses is actually smaller (approximately 3.3 billion) because of the way that the addresses are separated into classes, and because some addresses are set aside for testing or other special uses.
With the explosion of the Internet and the increase in home and business networks, the number of available IP addresses was being rapidly consumed. Why? It turns out that IP addresses are wasted if you have many small networks (only a few IP addresses). Addresses need to be allocated in groups, and these groups can't be easily split across multiple networks. If one group has several unused addresses, they'll often just sit unallocated.
When the IP address system was created, its designers never thought millions of small networks requiring just a handful of addresses would develop. They also didn't think that cell phones and other portable devices would eventually require individual IP addresses. When the growing demand for cell phones and computer systems throughout the world is taken into account, it's quite possible that there will be more than three billion systems requiring IP addresses in the near future. This would create a problem even if none were being wasted!
A long-term solution to the address crisis involves redesigning the address system to allow for more possible addresses. This new addressing scheme is called IPv6 (the current one is IPv4) and is supported by most new network systems. It will be several years before enough of the routers that make up the Internet's infrastructure are upgraded to support the new standard fully. Until then, most networks will continue to use IPv4.
Another more immediate addressing solution is network address translation, which allows a single device, such as a router, to act as an agent between the Internet (or any public network) and a local network. This means that only a single, unique, IP address is required to represent an entire group of computers. However, the shortage of IP addresses is only one reason to use NAT.
NAT can be configured to create a one-way trapdoor between an internal network and outside networks such as the Internet. Essentially, a computer on an external network can only connect to an internal computer if the internal computer has initiated the contact. The internal system can browse the Internet and even download files, but somebody else cannot latch onto its IP address and connect without permission.
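The "one-way trapdoor" behaviour described above can be made concrete with a small simulation of a port-translating NAT device. This is an added example and not code from the book or its authors: the `Nat` class, the `Packet` structure and all addresses and ports are constructed for illustration. An outbound packet from the internal network creates a translation entry (internal address and port mapped to the device's single public address and a fresh external port, together with the remote endpoint it was sent to); an inbound packet is translated back to the internal host only if it matches an existing entry, and anything unsolicited is dropped.

```python
"""Toy simulation of NAT with port translation and the one-way 'trapdoor'
behaviour: only replies to connections opened from the inside get through.

Constructed example. Addresses are taken from the RFC 1918 private range
(internal side) and the RFC 5737 documentation ranges (public side); none of
them refer to real hosts.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# Internal endpoint: (internal ip, internal port, protocol)
Internal = Tuple[str, int, str]
# Remote endpoint the internal host talked to: (remote ip, remote port)
Remote = Tuple[str, int]


class Nat:
    """Single public address shared by an internal network."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # Mapping from internal endpoint to the external port chosen for it.
        self.outbound: Dict[Internal, int] = {}
        # Reverse mapping: external port -> (internal endpoint, remote endpoint).
        self.inbound: Dict[int, Tuple[Internal, Remote]] = {}

    def outbound_packet(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the internal network.

        The first packet of a flow allocates an external port and records
        the mapping; later packets of the same flow reuse it.
        """
        key: Internal = (pkt.src_ip, pkt.src_port, pkt.proto)
        ext_port = self.outbound.get(key)
        if ext_port is None:
            ext_port = self.next_port
            self.next_port += 1
            self.outbound[key] = ext_port
            self.inbound[ext_port] = (key, (pkt.dst_ip, pkt.dst_port))
        # Rewrite the source so the outside world only sees the public address.
        return Packet(self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound_packet(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the outside, or drop it.

        Returns the packet rewritten to its internal destination, or None
        when no internal host initiated a matching flow (the trapdoor).
        """
        if pkt.dst_ip != self.public_ip:
            return None  # not addressed to us at all
        entry = self.inbound.get(pkt.dst_port)
        if entry is None:
            return None  # unsolicited: nobody inside opened this port
        (int_ip, int_port, proto), (remote_ip, remote_port) = entry
        if pkt.proto != proto or (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # right port, wrong peer or protocol: still dropped
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port, pkt.proto)


def demo() -> Tuple[Packet, Optional[Packet], Optional[Packet], Optional[Packet]]:
    """Run one internal web request through the NAT and probe it from outside."""
    nat = Nat("203.0.113.5")
    # Internal host 192.168.1.10 opens a connection to a public web server.
    out = nat.outbound_packet(Packet("192.168.1.10", 51000, "198.51.100.7", 80))
    # The server's reply to the translated port is delivered inside.
    reply = nat.inbound_packet(Packet("198.51.100.7", 80, out.dst_ip and nat.public_ip, out.src_port))
    # A stranger knocking on a port nobody opened gets nothing.
    unsolicited = nat.inbound_packet(Packet("198.51.100.9", 4444, nat.public_ip, 40001))
    # A stranger aiming at the open port, but not the peer that was contacted, is also dropped.
    hijack = nat.inbound_packet(Packet("198.51.100.9", 80, nat.public_ip, out.src_port))
    return out, reply, unsolicited, hijack


if __name__ == "__main__":
    for label, pkt in zip(("outbound", "reply", "unsolicited", "wrong peer"), demo()):
        print(f"{label:>11}: {pkt if pkt is not None else 'dropped'}")
```

The check on the remote endpoint in `inbound_packet` is what distinguishes a restrictive NAT from one that forwards anything arriving on a mapped port; the book's "one-way trapdoor" description corresponds to the restrictive behaviour, and the example shows why a merely mapped port is not by itself an open door.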
Many different network hardware devices are capable of performing NAT. Frequently NAT is implemented with a firewall or a router. In certain circumstances, specialized devices may also perform NAT depending on the complexity of the network.
The above information is the start of a chapter in "Network Security Illustrated," published by McGraw-Hill and available from amazon.com, as well as your local bookstore. The book goes into much greater depth on this topic.
Below, you'll find links to online resources that supplement this portion of the book.