JANDOENT
Member
join:2000-10-05
Tampa, FL

NAT, The Purpose, Benefits and Problems

NAT can be a very confusing item to many people.
Education is the best security defense, so let's learn a little bit about how NAT came to be and what its purpose was. RFC 1631, Network Address Translators, tells us that NAT was devised as a short-term solution to address depletion by address reuse, as explained in that article. Interestingly enough, in 1994, in NAT's infancy, it was stated that the same characteristics that enhance privacy potentially make debugging problems (involving security violations) more difficult, since finding the host is harder when its IP address is hidden.
Although this makes it difficult to find the host, I can't say that this increases the risks of being violated.
quote:

Privacy, Security, and Debugging Considerations

Unfortunately, NAT reduces the number of options for providing
security. With NAT, nothing that carries an IP address or information
derived from an IP address (such as the TCP-header checksum) can be
encrypted. While most application-level encryption should be ok, this
prevents encryption of the TCP header.

On the other hand, NAT itself can be seen as providing a kind of
privacy mechanism. This comes from the fact that machines on the
backbone cannot monitor which hosts are sending and receiving traffic
(assuming of course that the application data is encrypted).

The same characteristic that enhances privacy potentially makes
debugging problems (including security violations) more difficult. If
a host is abusing the Internet in some way (such as trying to attack
another machine or even sending large amounts of junk mail or
something) it is more difficult to pinpoint the source of the trouble
because the IP address of the host is hidden.
The article is worth a read, anyway...

Webopedia's explanation of NAT
NAT
Last modified: February 21, 2000
Short for Network Address Translation, an Internet standard that enables a local-area network (LAN) to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. A NAT box located where the LAN meets the Internet makes all necessary IP address translations.

NAT serves two main purposes:

Provides a type of firewall by hiding internal IP addresses
Enables a company to use more internal IP addresses. Since they're used internally only, there's no possibility of conflict with IP addresses used by other companies and organizations.
Allows a company to combine multiple ISDN connections into a single Internet connection

Whatis defines NAT
NAT (Network Address Translation) is the translation of an Internet Protocol address (IP address) used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and unmaps the global IP addresses on incoming packets back into local IP addresses. This helps ensure security since each outgoing or incoming request must go through a translation process that also offers the opportunity to qualify or authenticate the request or match it to a previous request. NAT also conserves on the number of global IP addresses that a company needs and it lets the company use a single IP address in its communication with the world.
NAT is included as part of a router and is often part of a corporate firewall. Network administrators create a NAT table that does the global-to-local and local-to-global IP address mapping. NAT can also be used in conjunction with policy routing. NAT can be statically defined or it can be set up to dynamically translate from and to a pool of IP addresses. Cisco's version of NAT lets an administrator create tables that map:

A local IP address to one global IP address statically
A local IP address to any of a rotating pool of global IP addresses that a company may have
A local IP address plus a particular TCP port to a global IP address or one in a pool of them
A global IP address to any of a pool of local IP addresses on a round-robin basis
NAT is described in general terms in RFC 1631, which discusses NAT's relationship to Classless Interdomain Routing (CIDR) as a way to reduce the IP address depletion problem. NAT reduces the need for a large amount of publicly known IP addresses by creating a separation between publicly known and privately known IP addresses. CIDR aggregates publicly known IP addresses into blocks so that fewer IP addresses are wasted. In the end, both extend the use of IPv4 IP addresses for a few more years before IPv6 is generally supported.

A more detailed & technical discussion can be found here

A very informative read is found here

This describes various types and implementations of NAT

Peer to Peer Networking with NAT

Linux & NAT

Vicomsoft has a good explanation.
quote:
NAT automatically provides firewall-style protection without any special set-up. That is because it only allows connections that are originated on the inside network. This means, for example, that an internal client can connect to an outside FTP server, but an outside client will not be able to connect to an internal FTP server because it would have to originate the connection, and NAT will not allow that. It is still possible to make some internal servers available to the outside world via inbound mapping, which maps certain well-known TCP ports (e.g. 21 for FTP) to specific internal addresses, thus making services such as FTP or Web available in a controlled way.
All of the aforementioned sites have links included with them for those that are interested in a more in-depth study.

In summary, NAT translates your internal IP and helps prevent connections originating from outside of your puter, in effect providing some characteristics of a firewall; however, it is not an actual hardware firewall.
Its primary purpose, as initially explained, was to help with IP address depletion. Of course, as a security enhancement, it is better than nothing...

--
Inquiring minds want to know...
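The translation-table behaviour described in the Whatis excerpt (local IP plus TCP port mapped to a global IP) and in the Vicomsoft quote (only inside-originated connections pass; inbound mapping exposes chosen ports) can be shown in a small stateful NAT/PAT model. This is an added example, not code from the original post or from any of the sites it links; the Nat and Packet classes, and all addresses and port numbers, are constructed, and the check that an inbound packet must come from the same remote peer the inside host contacted is one restrictive NAT variant, not the behaviour of every NAT box.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed packet model: only the fields a NAT box rewrites or inspects.
@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Nat:
    """Stateful NAT/PAT box: one public IP, a translation table, inbound mappings."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # public port -> (inside ip, inside port, remote ip, remote port)
        self.table: Dict[int, Tuple[str, int, str, int]] = {}
        # (inside ip, inside port, remote ip, remote port) -> public port
        self.reverse: Dict[Tuple[str, int, str, int], int] = {}
        # static inbound mapping: public port -> (inside ip, inside port)
        self.static: Dict[int, Tuple[str, int]] = {}

    def add_inbound_mapping(self, public_port: int, inside_ip: str, inside_port: int) -> None:
        """Expose one internal service (e.g. FTP on port 21) to the outside."""
        self.static[public_port] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: create (or reuse) a table entry and rewrite the source."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.reverse:
            self.reverse[key] = self.next_port
            self.table[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.reverse[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: forward only if matched to a previous request or a mapping."""
        if pkt.dst_ip != self.public_ip:
            return None
        if pkt.dst_port in self.static:
            inside_ip, inside_port = self.static[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)
        entry = self.table.get(pkt.dst_port)
        if entry is None or entry[2:] != (pkt.src_ip, pkt.src_port):
            return None  # unsolicited, or from a peer the inside host never contacted: dropped
        return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])
```

An unsolicited packet to the public IP is dropped unless it hits a static inbound mapping, which is exactly the "firewall-style" property the quotes describe, and also why a forwarded port is the part of a NAT setup that deserves the same scrutiny as a firewall rule.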
JANDOENT
Member

No responses from anyone?? *scratches his head and thinks, hmmm that itch could be telling me something*
--
Inquiring minds want to know...

RDionysus
Member
join:2000-10-03
Lindenhurst, NY

All I can say is great post, Jandoent. I'm studying this stuff right now in school, and this was a very educational "online course" on this topic. Good work!

Rocktagon
Slightly Bent
Premium Member
join:2000-11-04
Chattaroy, WA

to JANDOENT
Response?????
WOW
Hope I can consume all this before summer
Thanks!
--
Quest for Knowledge

2kmaro
Think
join:2000-07-11
Oklahoma City, OK

to JANDOENT
I think the thumbs say much more than the responses do - it is always good to have a clear explanation of this kind of thing available for those interested at that level.

NuB1KenOB
Member
join:2000-12-16
Gales Ferry, CT

to JANDOENT
Excellent!

Zhen-Xjell
Prolific Bunny
join:2000-10-08
Bordentown, NJ

to JANDOENT
My compliments.

jaykaykay
4 Ever Young
MVM
join:2000-04-13
USA

to JANDOENT
You want a comment? I'll give you one. A good friend of mine, a network engineer, tried explaining NAT to me some time ago and had the usual problem with my learning curve. The density was just too thick! I have learned a little more since then, and with your post, I am now in the position of learning a lot more. I gave you a thumbs up, and had I been able to, would have given you all 10. Your posts are always thoughtful, well put together, mostly easy to understand after a while of studying, and you are an invaluable person when it comes to the insight on security issues you are able to share. Thanks.
--
JKK

Age is a very high price to pay for my maturity, so
if I can't stay young, I can at least stay immature!