S 5.70 Network address translation (NAT)
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
Network Address Translation (NAT) is a mechanism by which an active network component (usually a router) changes the IP address of a packet when forwarding it. The router records in a table which internal address and internal source port have been mapped to which external address, destination port and router-chosen source port of the rewritten packet, and uses this table to translate the response packets back accordingly.
NAT can be used for a variety of purposes:
- NAT can be used to prevent outsiders from drawing conclusions about the structure of the local network from IP addresses, since only the IP address of the NAT gateway is visible from the external network. At the same time, this prevents attackers from attacking individual computers in the internal network directly from outside.
- In the local network, more IP addresses are often required than have been officially registered. If a NAT gateway is used, only one official IP address is really needed per network, and the internal addresses can be chosen freely.
When setting up an internal network, it is imperative that internal addresses are chosen only from the ranges officially provided for this purpose (see RFC 1918 - Address Allocation for Private Internets). These ranges are:
  - 10.0.0.0 - 10.255.255.255 (8-bit net mask)
  - 172.16.0.0 - 172.31.255.255 (12-bit net mask)
  - 192.168.0.0 - 192.168.255.255 (16-bit net mask)
These addresses are not routed in the "general Internet" and must therefore be translated into an officially assigned IP address at the gateway to the Internet.
- Sometimes one comes across an internal network that has been set up using arbitrary IP addresses. When such a network is subsequently connected to the Internet, the previously used IP addresses often cannot be kept, because the address range in question has been allocated to other organisations. To avoid having to reconfigure all computers, it may make sense to translate the internal addresses to the officially registered external addresses. In this case, however, problems often occur with name resolution, and the hosts on the Internet to which the internally used addresses actually belong cannot be reached from the internal network. The same situation can arise when the Internet provider is changed.
- When two networks whose IP addresses were both chosen from the RFC 1918 ranges (address blocks) are merged, address translation may also be necessary if the same addresses have been used in both networks.
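The following is an added example (not part of the safeguard text) showing how an administrator might audit an address inventory against the three RFC 1918 ranges listed above, which is also what the first review question at the end of this safeguard asks. The inventory is constructed; the function deliberately does not rely on Python's broader notion of a "private" address, because that also accepts loopback, link-local and documentation ranges that are equally unsuitable for an internal network:

```python
"""Audit an inventory of internal addresses and subnets against RFC 1918.

Added example, not part of the original safeguard. The inventory below is
constructed; the three networks are exactly the RFC 1918 ranges.
"""
import ipaddress

# The only ranges RFC 1918 reserves for private internets.
RFC1918_NETWORKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def is_rfc1918(address_or_network):
    """True if a host address or a whole subnet lies inside an RFC 1918 range.

    ipaddress's is_private is intentionally not used: it also returns True
    for loopback, link-local, documentation and other special-purpose
    ranges that are not RFC 1918 and must not be used for an internal
    network either.
    """
    net = ipaddress.ip_network(address_or_network, strict=False)
    if net.version != 4:
        return False
    return any(net.subnet_of(r) for r in RFC1918_NETWORKS)


def audit_inventory(entries):
    """Return the entries (hosts or subnets) that violate RFC 1918.

    A subnet counts as a violation if any part of it lies outside the
    private ranges, since those hosts would collide with addresses
    allocated to other organisations on the Internet.
    """
    return [e for e in entries if not is_rfc1918(e)]


# Constructed inventory: a mix of correct private ranges and the kind of
# "arbitrary IP addresses" the safeguard warns about.
CONSTRUCTED_INVENTORY = [
    "10.4.12.0/22",     # fine: inside 10/8
    "172.20.0.0/16",    # fine: inside 172.16/12
    "172.32.0.1",       # looks private, but 172.32/16 is a public range
    "192.168.100.7",    # fine: inside 192.168/16
    "192.169.0.0/24",   # public: 192.169/16 is not RFC 1918
    "169.254.10.5",     # link-local: "private" to ipaddress, but not RFC 1918
    "203.0.113.40",     # documentation range, likewise not RFC 1918
]

if __name__ == "__main__":
    for entry in audit_inventory(CONSTRUCTED_INVENTORY):
        print(f"not RFC 1918: {entry}")
```

Running the audit on the constructed inventory reports the four entries that would need renumbering or address translation before the network is connected to the Internet. Note that a supernet such as 10.0.0.0/7 is also rejected, because part of it spills outside 10/8.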
Translation of the internal IP addresses to one or more officially registered IP addresses and vice versa is carried out using an address translation component. Proxies also have implicit address translation functionality, as the proxy only uses its official address externally and forwards the data packets to the relevant internal computers.
Address translation by routers or dedicated packet filters can be either static or dynamic. Static address translation is simple and fast. Every internal address is assigned exactly one external address. For this purpose, of course, exactly one external address is required for each internal address.
Today, dynamic address translation is more common. It is indispensable when the number of internal IP addresses exceeds the number of externally visible addresses. The router or packet filter maintains an allocation table in which the internal address and port number of a packet are mapped to an external address with a new port number. Frequently, only a single IP address is made visible to the outside, hiding all internal IP addresses behind the port number allocation.
One consequence of dynamic address translation is that it is normally not possible to establish a connection to an internal computer from the Internet. If, however, this is to be possible, then the security gateway must support "destination NAT" and/or "port forwarding" (see below).
Certain services require special treatment in relation to address translation (e.g. traceroute or ftp), because they either carry IP addresses and port numbers inside the application data (the ftp PORT command) or depend on replies, such as ICMP error messages, that the NAT gateway must be able to map back to the originating internal computer.
Access from outside under NAT
When establishing a connection from outside (e.g. in the case of queries to a web server), all packets that are directed to one particular port are translated at the NAT gateway and then forwarded to an appropriate port of the server. This mechanism is also referred to as "destination NAT" or "port forwarding". The NAT gateway deals with the response packets from the server in an analogous fashion.
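To make the allocation table of dynamic address translation and the "destination NAT" / port forwarding rule described above concrete, here is an added simulation (not part of the safeguard and not any product's implementation). It models only the table the text describes: (internal address, internal port) mapped to (gateway address, gateway-chosen port) for outbound connections, the reverse lookup for replies, and a static forwarding rule for access from outside. All addresses, ports and packets are constructed; the gateway name `NatGateway` and its methods are assumptions of this example:

```python
"""Simulation of a dynamic NAT gateway with port forwarding.

Added example, not part of the original safeguard. It models the
allocation table described in the text; all addresses are constructed.
"""
from dataclasses import dataclass, replace
import itertools


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        # outbound table: (internal ip, internal port) -> gateway-chosen port
        self.outbound = {}
        # reverse table: gateway port -> (internal ip, internal port)
        self.inbound = {}
        # destination NAT / port forwarding: external port -> (internal ip, internal port)
        self.forwards = {}
        self._ports = itertools.count(first_port)

    def add_port_forward(self, external_port, internal_ip, internal_port):
        """Static destination NAT rule so that one service is reachable from outside."""
        self.forwards[external_port] = (internal_ip, internal_port)

    def translate_outbound(self, pkt):
        """Internal -> Internet: rewrite the source to the gateway address and a
        gateway-chosen port, recording the mapping so replies can be translated back."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            port = next(self._ports)
            self.outbound[key] = port
            self.inbound[port] = key
        return replace(pkt, src_ip=self.external_ip, src_port=self.outbound[key])

    def translate_inbound(self, pkt):
        """Internet -> internal: map the destination port back through the table.
        Returns None (packet dropped) when it matches neither a recorded
        connection nor a port forwarding rule."""
        if pkt.dst_ip != self.external_ip:
            return None
        if pkt.dst_port in self.inbound:        # reply to an outbound connection
            ip, port = self.inbound[pkt.dst_port]
            return replace(pkt, dst_ip=ip, dst_port=port)
        if pkt.dst_port in self.forwards:       # destination NAT rule
            ip, port = self.forwards[pkt.dst_port]
            return replace(pkt, dst_ip=ip, dst_port=port)
        return None


def demo():
    """Walk through the cases in the text; returns the four observed results."""
    gw = NatGateway("198.51.100.1")               # constructed gateway address
    gw.add_port_forward(80, "192.168.1.10", 8080)  # internal web server

    # 1. an internal client connects to an external web server
    out = gw.translate_outbound(Packet("192.168.1.20", 51000, "203.0.113.5", 443))
    # 2. the server's reply, addressed to the gateway, is mapped back to the client
    reply = gw.translate_inbound(Packet("203.0.113.5", 443, out.src_ip, out.src_port))
    # 3. an unsolicited packet from outside to some other gateway port is dropped
    unsolicited = gw.translate_inbound(Packet("203.0.113.9", 4444, "198.51.100.1", 22))
    # 4. a request to the forwarded port reaches the internal server
    fwd = gw.translate_inbound(Packet("203.0.113.9", 5555, "198.51.100.1", 80))
    return out, reply, unsolicited, fwd


if __name__ == "__main__":
    for label, result in zip(("outbound", "reply", "unsolicited", "forwarded"), demo()):
        print(f"{label}: {result}")
```

Case 3 is the property the text calls a consequence of dynamic address translation: without a table entry or a forwarding rule there is no internal destination to deliver to, so the packet is discarded. Real gateways key the table on the protocol and the full address/port tuple, age entries out after a timeout, and apply the packet filter's rules before and after translation; the third review question below is about whether the forwarding rules added in case 4 are justified by the organisation's requirements.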
Review questions:
- Do the internal addresses assigned for the internal network meet the RFC 1918 standard?
- Is the use of NAT adjusted to the security policies of the organisation?
- Does the port forwarding used meet the security requirements of the organisation?