Network Address Translation (NAT)
Network Address Translation (NAT) is the process where a network device, usually a firewall, assigns a public address to a computer (or group of computers) inside a private network. The main use of NAT is to limit the number of public IP addresses an organization or company must use, for both economy and security purposes.
The most common form of network translation involves a large private network using addresses in a private range (10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, or 192.168.0.0 to 192.168.255.255). The private addressing scheme works well for computers that only have to access resources inside the network, like workstations needing access to file servers and printers. Routers inside the private network can route traffic between private addresses with no trouble. However, to access resources outside the network, like the Internet, these computers have to have a public address in order for responses to their requests to return to them. This is where NAT comes into play.
Internet requests that require Network Address Translation (NAT) are quite complex but happen so rapidly that the end user rarely knows it has occurred. A workstation inside a network makes a request to a computer on the Internet. Routers within the network recognize that the request is not for a resource inside the network, so they send the request to the firewall. The firewall sees the request from the computer with the internal IP. It then makes the same request to the Internet using its own public address, and returns the response from the Internet resource to the computer inside the private network. From the perspective of the resource on the Internet, it is sending information to the address of the firewall. From the perspective of the workstation, it appears that communication is directly with the site on the Internet. When NAT is used in this way, all users inside the private network have the same public IP address when they use the Internet. That means only one public address is needed for hundreds or even thousands of users.
Most modern firewalls are stateful, that is, they are able to set up the connection between the internal workstation and the Internet resource. They can keep track of the details of the connection, like ports, packet order, and the IP addresses involved. This is called keeping track of the state of the connection. In this way, they are able to keep track of the session composed of communication between the workstation and the firewall, and the firewall with the Internet. When the session ends, the firewall discards all of the information about the connection.
There are other uses for Network Address Translation (NAT) beyond simply allowing workstations with internal IP addresses to access the Internet. In large networks, some servers may act as Web servers and require access from the Internet. These servers are assigned public IP addresses on the firewall, allowing the public to access the servers only through that IP address. However, as an additional layer of security, the firewall acts as the intermediary between the outside world and the protected internal network. Additional rules can be added, including which ports can be accessed at that IP address. Using NAT in this way allows network engineers to more efficiently route internal network traffic to the same resources, and allow access to more ports, while restricting access at the firewall. It also allows detailed logging of communications between the network and the outside world.
Additionally, NAT can be used to allow selective access to the outside of the network. Workstations or other computers requiring special access outside the network can be assigned specific external IPs using NAT, allowing them to communicate with computers and applications that require a unique public IP address. Again, the firewall acts as the intermediary, and can control the session in both directions, restricting port access and protocols.
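The following is an added example, not code from the original article, that models the behaviour described above in a single small program: outbound requests from many private hosts are rewritten to one public address (each session getting its own translation port), the state table maps the replies back to the right workstation, unsolicited packets from the Internet are dropped and logged, a published Web server is reachable only on the port the firewall rule allows, and closing a session discards its state. The public address 203.0.113.5, the remote hosts in 198.51.100.0/24 and the inside hosts in 192.168.1.0/24 are constructed sample values; the private ranges are the ones listed in the article.

```python
"""Added example, not from the original article: a small model of a stateful
NAT firewall. Addresses and ports are constructed sample values."""
import ipaddress
from dataclasses import dataclass

# The private ranges named in the article (RFC 1918).
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class StatefulNAT:
    """One public IP shared by many inside hosts, plus published servers."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port          # next free translation port
        # Connection state, keyed from each side so both directions map.
        self.out_state = {}   # (in_ip, in_port, rem_ip, rem_port, proto) -> public_port
        self.in_state = {}    # (public_port, rem_ip, rem_port, proto) -> (in_ip, in_port)
        self.published = {}   # (public_port, proto) -> (in_ip, in_port): firewall port rules
        self.log = []         # what an administrator would see in the firewall log

    def publish(self, public_port, inside_ip, inside_port, proto="tcp"):
        """Expose one inside server on one public port; every other port stays closed."""
        self.published[(public_port, proto)] = (inside_ip, inside_port)

    def _bind(self, in_ip, in_port, rem_ip, rem_port, proto, public_port):
        self.out_state[(in_ip, in_port, rem_ip, rem_port, proto)] = public_port
        self.in_state[(public_port, rem_ip, rem_port, proto)] = (in_ip, in_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Packet leaving the private network: rewrite its source to the public IP."""
        if not is_private(pkt.src_ip):
            return pkt  # already a public source; this model leaves it untouched
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        port = self.out_state.get(key)
        if port is None:                     # first packet of a new session
            if self.next_port > 65535:
                raise RuntimeError("translation ports exhausted")
            port = self.next_port
            self.next_port += 1
            self._bind(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto, port)
            self.log.append(f"NEW {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} "
                            f"as {self.public_ip}:{port}")
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet):
        """Packet arriving from the Internet: the rewritten packet, or None if dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        hit = self.in_state.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if hit is None:
            hit = self.published.get((pkt.dst_port, pkt.proto))
            if hit is None:                  # no session and no rule: drop and log
                self.log.append(f"DROP {pkt.src_ip}:{pkt.src_port} -> "
                                f"{self.public_ip}:{pkt.dst_port}")
                return None
            # New session to a published server: record state so the server's
            # reply leaves from the public IP on the published port.
            self._bind(hit[0], hit[1], pkt.src_ip, pkt.src_port, pkt.proto, pkt.dst_port)
            self.log.append(f"FWD {pkt.src_ip}:{pkt.src_port} -> {self.public_ip}:"
                            f"{pkt.dst_port} to {hit[0]}:{hit[1]}")
        inside_ip, inside_port = hit
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.proto)

    def close(self, in_ip, in_port, rem_ip, rem_port, proto="tcp") -> bool:
        """Session ended: discard its state so later packets for it are dropped."""
        port = self.out_state.pop((in_ip, in_port, rem_ip, rem_port, proto), None)
        if port is None:
            return False
        del self.in_state[(port, rem_ip, rem_port, proto)]
        self.log.append(f"CLOSE {self.public_ip}:{port} released")
        return True


if __name__ == "__main__":
    nat = StatefulNAT("203.0.113.5")
    nat.publish(443, "192.168.1.10", 443)
    out = nat.outbound(Packet("192.168.1.20", 51000, "198.51.100.7", 80))
    nat.inbound(Packet("198.51.100.7", 80, "203.0.113.5", out.src_port))  # reply mapped back
    nat.inbound(Packet("198.51.100.9", 4444, "203.0.113.5", 22))          # unsolicited: dropped
    nat.inbound(Packet("198.51.100.9", 33000, "203.0.113.5", 443))        # published server
    nat.close("192.168.1.20", 51000, "198.51.100.7", 80)
    print("\n".join(nat.log))
```

The two dictionaries are the "state" the article refers to: a real firewall keys its table on the same five values (both addresses, both ports, protocol), which is why a reply from a different remote host, or to a port with no session and no rule, never reaches the inside. The log list stands in for the detailed logging the article mentions.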
NAT is a very important aspect of firewall security. It conserves the number of public addresses used within an organization, and it allows for stricter control of access to resources on both sides of the firewall.