Network Address Translation (NAT)
Network Address Translation (NAT) is a process handled by a device, typically a router, in which unregistered (private) IP addresses in a local area network are mapped to registered (public) IP addresses that an organization may have. The two main reasons why organizations with sensitive data and multiple computers choose NAT are:
- Security – When NAT is implemented in an organization, the unregistered IP addresses are mapped to the registered IP addresses, and the source and destination IP addresses are translated from internal addresses to external ones and vice versa, so the internal IP addresses remain hidden from users (mostly hackers) in the external network (Internet). This makes it more difficult for them to intrude into the private network, as NAT provides an additional layer of security to the internal trusted local area network.
- Fewer Registered Addresses – Because internal addresses are mapped to external addresses, administrators can configure NAT routers in such a way that they receive packets from multiple unregistered IP addresses in the internal network and translate them to one registered IP address (NAT overloading).
Although Network Address Translation can be configured in multiple ways depending on the needs of the organization, the four most commonly used NAT configurations are:
Static NAT –
In static NAT, one unregistered IP address from the internal network is mapped to exactly one registered IP address of the external network. This makes a host in the internal trusted network directly accessible from the external network, while hiding the private IP address of the host from the external network at the same time. In a static NAT configuration, one registered IP address is needed for each internal host.
Implementations:
- DMZ – Static NAT is mostly configured to enable communication with the hosts that reside in the DMZ of an organization. Since computers in a DMZ and in the internal trusted network of an organization may have different IP address ranges, configuring static NAT to make DMZ computers accessible from the external network keeps the addresses of the internal trusted network behind two security layers, hence providing enhanced security to the internal local area network.
- Web Servers – Static NAT is also configured to allow external users to access a web server that may reside either in the internal trusted network or in the DMZ of an organization. Since NAT hides internal IP addresses from the external network, users who access the website communicate with the web server using the registered IP address only.
Dynamic NAT –
Dynamic NAT works much like static NAT, with the only difference that in dynamic NAT, multiple unregistered IP addresses in an internal network are mapped to a pool of external IP addresses. When dynamic NAT is configured and a computer from the internal network tries to communicate with the external network, any available registered IP address from the address pool is dynamically mapped to the IP address of the requesting internal host. An available IP address is one that is not already mapped to another host and busy performing network address translation for that computer. In dynamic NAT, unregistered addresses are mapped to registered ones only when a communication is initiated by the hosts or from the external network. Moreover, the registered addresses are mapped only for a specific period of time. Once that time has lapsed, the registered addresses are automatically unmapped and become available for other unregistered addresses.
Implementations:
- Allowing Access to Multiple External Clients – An example of an organization where dynamic NAT can be implemented is one that has several external clients to which the administrators want to give access to the internal hosts, but want to hide the internal IP addresses from them at the same time. In such cases, it would be impractical to map each registered IP address to every unregistered address. To avoid additional administrative overhead, administrators configure dynamic NAT to dynamically map registered IP addresses to the unregistered ones for a short period, when communication is initiated.
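The static and dynamic translation tables described above, as an added example that is not part of the original article: a toy model of one inside-to-outside address table in which static entries never expire and dynamic entries are leased from a pool of registered addresses, refreshed on outbound traffic, and released when their timer lapses. All addresses, the pool size and the lease length are constructed values; the only point it makes beyond the text is what happens when the pool is empty (the packet has no registered address and is dropped) and that an inbound packet whose destination has no table entry reaches no inside host.

```python
"""Toy model of static and dynamic NAT translation tables (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class NatTable:
    """One inside->outside address table.

    Static entries never expire. Dynamic entries are leased from `pool`
    when an inside host first sends traffic and are released after
    `lease_seconds` without outbound traffic, returning the registered
    address to the pool for other inside hosts.
    """
    pool: List[str]                       # free registered (public) addresses
    lease_seconds: float = 60.0
    inside_to_outside: Dict[str, str] = field(default_factory=dict)
    outside_to_inside: Dict[str, str] = field(default_factory=dict)
    # Lease deadline keyed by inside address; None marks a static entry.
    expires_at: Dict[str, Optional[float]] = field(default_factory=dict)

    def add_static(self, inside: str, outside: str) -> None:
        """One-to-one mapping that is always present (static NAT)."""
        self._bind(inside, outside, None)

    def _bind(self, inside: str, outside: str, expiry: Optional[float]) -> None:
        self.inside_to_outside[inside] = outside
        self.outside_to_inside[outside] = inside
        self.expires_at[inside] = expiry

    def _expire(self, now: float) -> None:
        """Release dynamic leases whose timer has lapsed; static entries are skipped."""
        for inside, deadline in list(self.expires_at.items()):
            if deadline is not None and now >= deadline:
                outside = self.inside_to_outside.pop(inside)
                self.outside_to_inside.pop(outside)
                self.expires_at.pop(inside)
                self.pool.append(outside)

    def outbound(self, inside: str, now: float) -> Optional[str]:
        """Translate the source address of a packet leaving the inside network.

        Returns the registered address to use, or None when no registered
        address is free, in which case the packet cannot be translated.
        """
        self._expire(now)
        if inside in self.inside_to_outside:
            if self.expires_at[inside] is not None:      # refresh a dynamic lease
                self.expires_at[inside] = now + self.lease_seconds
            return self.inside_to_outside[inside]
        if not self.pool:
            return None
        outside = self.pool.pop(0)
        self._bind(inside, outside, now + self.lease_seconds)
        return outside

    def inbound(self, outside: str, now: float) -> Optional[str]:
        """Translate the destination address of a packet arriving from outside.

        Only registered addresses currently bound in the table map to an
        inside host; any other destination has nowhere to go.
        """
        self._expire(now)
        return self.outside_to_inside.get(outside)


if __name__ == "__main__":
    # Constructed scenario: two dynamic addresses, one static web server.
    table = NatTable(pool=["203.0.113.10", "203.0.113.11"], lease_seconds=30)
    table.add_static("10.0.0.5", "203.0.113.5")
    print(table.outbound("10.0.0.20", now=0))    # leases 203.0.113.10
    print(table.outbound("10.0.0.21", now=1))    # leases 203.0.113.11
    print(table.outbound("10.0.0.22", now=2))    # None: pool exhausted
    print(table.outbound("10.0.0.22", now=40))   # leases freed, gets 203.0.113.10
```

The two lookups are what separate the three behaviours: a static entry answers both directions at any time, a dynamic entry answers only while its lease is live, and an address with no entry answers neither, which is the sense in which the article says the inside addresses stay hidden.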
NAT Overloading –
NAT overloading is the most commonly used NAT configuration in SOHO networks, small scale industries, and sometimes even in medium and large scale organizations. In NAT overloading, multiple unregistered IP addresses from the internal trusted network are mapped to a single registered IP address. This eliminates the requirement of buying multiple registered addresses from the ISP. Since the NAT router in NAT overloading has an interface connected to the private network and is responsible for accepting all incoming requests, it differentiates each internal IP address on the basis of its port number. While forwarding requests to the registered IP address on behalf of an unregistered address, the NAT router adds the corresponding port number to the destination address. When the registered IP address responds with the resolved query, it adds the port number to the destination address as well. The NAT router then identifies the requesting internal host on the basis of the port number and forwards the resolved query to it. This process is known as Port Address Translation (PAT).
The only drawback of the NAT overloading configuration is that, since only one registered IP address (the one that connects to the Internet) is used by multiple hosts in the internal network, the network bandwidth is divided, hence giving reduced speed while accessing and communicating with the external network.
Implementations:
- Almost All Networks – As mentioned earlier, NAT overloading is used in almost all kinds of networks. It is mostly used in Small Office/Home Office (SOHO) networks where a limited number of computers are required to connect to the Internet. Since such offices do not require multiple registered addresses, one Internet connection line with either a dynamic or a static registered IP address can be used.
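The port-based bookkeeping that PAT relies on, as an added example that is not part of the original article: a toy translator in which every inside (address, port) pair leaving the network is given its own port on the single registered address, and a reply is routed back by looking that port up. The public address, port range and inside hosts are constructed values. It goes slightly beyond the text by showing the two cases the port-number approach has to cope with: two inside hosts that happen to use the same source port (they must receive different public ports) and exhaustion of the port range (the flow cannot be translated).

```python
"""Toy model of NAT overloading / Port Address Translation (constructed example)."""
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)


class PortAddressTranslator:
    """Many inside hosts share one registered address; flows are told apart by port."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.out_table: Dict[Endpoint, int] = {}   # (inside ip, inside port) -> public port
        self.in_table: Dict[int, Endpoint] = {}    # public port -> (inside ip, inside port)

    def _allocate_port(self) -> Optional[int]:
        """Hand out the next unused public port, or None when the range is used up."""
        while self.next_port <= self.last_port:
            port = self.next_port
            self.next_port += 1
            if port not in self.in_table:
                return port
        return None

    def outbound(self, src: Endpoint) -> Optional[Endpoint]:
        """Rewrite the source of an outgoing packet to (public_ip, unique port).

        The same inside flow always gets the same public port, so the
        external server sees one consistent peer for the whole conversation.
        """
        if src in self.out_table:
            return (self.public_ip, self.out_table[src])
        port = self._allocate_port()
        if port is None:
            return None                 # port space exhausted: flow cannot be translated
        self.out_table[src] = port
        self.in_table[port] = src
        return (self.public_ip, port)

    def inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Rewrite the destination of a reply back to the inside flow it belongs to.

        A reply addressed to a port with no table entry matches no inside
        host, so the translator has nowhere to deliver it.
        """
        if dst[0] != self.public_ip:
            return None
        return self.in_table.get(dst[1])

    def close(self, src: Endpoint) -> None:
        """Remove a finished flow so its public port can be reused."""
        port = self.out_table.pop(src, None)
        if port is not None:
            self.in_table.pop(port, None)


if __name__ == "__main__":
    pat = PortAddressTranslator("198.51.100.1", first_port=40000)
    # Two inside hosts pick the same source port; PAT keeps them apart.
    print(pat.outbound(("192.168.1.10", 5000)))   # ('198.51.100.1', 40000)
    print(pat.outbound(("192.168.1.11", 5000)))   # ('198.51.100.1', 40001)
    print(pat.inbound(("198.51.100.1", 40001)))   # ('192.168.1.11', 5000)
    print(pat.inbound(("198.51.100.1", 40002)))   # None: no such flow
```

Because the public port, not the inside address, is what the reply carries, the table is the only thing that can turn a reply back into an inside destination; a port that is not in it delivers nowhere, and a port that has been freed by `close` can be reused for an unrelated inside flow.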
NAT Overlapping –
Unlike all the NAT configurations discussed above, where addresses from private IP ranges were required to communicate with public addresses and vice versa, NAT overlapping is configured to enable address translation between registered IP addresses. Although the basic concept of NAT overlapping is almost identical to the ones discussed above, it is the scenarios that differ, and in them implementing NAT overlapping becomes mandatory.
Implementations:
- Inappropriate Address Assignment – If an administrator has assigned IP addresses from a public range to several internal hosts, and then realized that multiple registered IP addresses were needed to have an Internet connection in the organization, NAT overlapping can be configured to eliminate the need to re-assign addresses to all the host computers in the network.
- Already in Use – If a range of registered IP addresses is already used by an organization, and another organization is assigned the same range of addresses (on demand of the client), one of the two organizations must configure NAT overlapping to avoid IP conflicts.
Since NAT is widely used in almost all SOHO networks and in small, medium and large scale industries, the addressing scheme must be chosen wisely before implementing any type of NAT configuration.