IP Network Address Translation (IP NAT) For Internet Connectivity solution for small network to business network, or even as a basic design of large enterprise.
Designing the Internet connectivity for your organization, you should define how large the size of your network infrastructure is.
- For small such as home network or SOHO, non-routed networks you may be able to use a simple IP NAT solution, this solution will provide a minimum security.
- For larger, medium to large-sized networks will require an ISA server or hardware firewall solution such as Cisco ASA 5500 series. This will allow multiple routed networks to be connected to the internet and provide more advanced security and control of resources access
Some networking manufacturers introduces any types of security appliances such as D-Link DSD-150 for home network, or Check Point Secure@Office series for Medium-sized business.
What is IP NAT?
IP NAT is a primary method to enable computers in the private network with unregistered IP addresses to access the public network – the Internet. IP NAT functions as an intermediary between a client computer on an unregistered network and the Internet. For each packet generated by a client, the IP NAT implementation substitutes a registered address for the client’s unregistered address.
There are three basic types of IP NAT:
1. Static IP NAT,
IP NAT translates a number of unregistered IP addresses to an equal number of registered addresses so that each client always uses the same registered address.
IP NAT- static
This type of NAT does not conserve the IP address space because you need the same number of registered addresses as unregistered addresses. Static NAT is also not as secure as the other NAT types because each computer is permanently associated with a particular registered address, which makes it more possible for Internet intruders to direct traffic to a particular computer on your network using that registered address.
2. Dynamic IP NAT
Dynamic IP NAT is intended for circumstances in which you have fewer registered IP addresses than unregistered computers. Dynamic IP NAT translates each unregistered computer to one of the registered addresses. Intruders on the Internet are less able to associate a registered address with a particular computer (as in static IP NAT) because the registered address assigned to each client changes frequently. The main drawback of dynamic IP NAT is that it can support only the same number of simultaneous users as you have registered IP addresses available. If all the registered addresses are in use, a client attempting to access the Internet receives an error message.
IP NAT - dynamic
3. Masquerading IP NAT
Masquerading IP NAT translates all the unregistered IP addresses on your network using a single registered IP address. To enable multiple clients to access the Internet simultaneously, the NAT router uses port numbers to differentiate between packets generated by and destined to different computers. Masquerading provides the best security of the NAT types because the association between the unregistered client and the registered IP address/port number combination in the NAT router lasts only for the duration of a single connection.
IP NAT - Masquerading
IP NAT Security
Most IP NAT implementations today rely on the masquerading technique because it minimizes the number of registered IP addresses needed and it maximizes the security provided by IP NAT. Note, however, that IP NAT by itself, even using masquerading, is not a true firewall and does not provide ironclad security for high-risk situations. IP NAT effectively blocks unsolicited requests and other probes from the Internet, meaning that it thwarts intruders searching for unprotected file shares and private Web or FTP servers. However, NAT does not prevent users on the Internet from launching directed denial of service attacks against specific computers on the private network or from using other, more complex tactics to compromise your network.
Some IP NAT implementations include additional security capabilities, typically a technique called stateful packet inspection. Stateful packet inspection is a generic term for a process in which the IP NAT router examines the incoming packets from the Internet more carefully than usual. In a typical IP NAT implementation, the router is concerned only with the IP addresses and port numbers of the packets passing through it. An IP NAT router that supports stateful packet inspection examines other network and transport layer header fields as well, looking for patterns in various damaging behaviors, such as IP spoofing, SYN floods, and teardrop attacks. Various manufacturers implement stateful packet inspection in different ways, so not all IP NAT routers with this capability offer the same degree of protection.
IP NAT Solution
As previously discussed, the network infrastructure design decision should consider the following:
- What is the size of the private network?
- What are the security requirements for the organizations?
IP NAT is an appropriate solution if:
- Internet access and access to the network is not restricted on a user-by-user basis
- The private network consist of users in a non-routed environment
- The organization requires private addressing for the computers on the private network
An IP NAT server requires at least two network interfaces.
- Each interface requires an IP address. IP address range assigned must be within the range of addressed assigned to the network segment it is connected to.
- Subnet mask must be the same as the subnet mask assigned to the network segment it is connected to.
An IP NAT Server can be placed on the network to perform certain tasks.
- Isolate the network traffic to the source, destination, and intermediate network segments.
- Create a screened subnet within the private network, protecting confidential data
- Exchange network packets between dissimilar network segment types
In today wireless routers, almost all the manufacturers claim that their wireless products have the firewall capabilities of IP NAT and SPI (stateful packet inspection) such as Linksys wireless routers; D-Link wireless routers; Netgears wireless routers; Belkin wireless routers and others.
