Network Address Translation (NAT)

CS-480b
Dick Steflik
Network Address Translation
• RFC-1631
• A short term solution to the problem of the
depletion of IP addresses
• Long term solution is IP v6 (or whatever is finally
agreed on)
• CIDR (Classless InterDomain Routing ) is a possible
short term solution
• NAT is another
• NAT is a way to conserve IP addresses
• Hide a number of hosts behind a single IP address
• Use the private ranges reserved by RFC-1918 for local networks:
• 10.0.0.0-10.255.255.255 (10/8),
• 172.16.0.0-172.31.255.255 (172.16/12) or
• 192.168.0.0-192.168.255.255 (192.168/16)
Translation Modes
• Dynamic Translation (IP Masquerading)
• large number of internal users share a single external address
• Static Translation
• a block of external addresses is translated one-to-one to a same size block of
internal addresses
• Load Balancing Translation
• a single incoming IP address is distributed across a number of
internal servers
• Network Redundancy Translation
• multiple internet connections are attached to a NAT Firewall, which
chooses among them based on bandwidth, congestion and availability.
Dynamic Translation (IP Masquerading )
• Also called Network Address and Port Translation (NAPT)
• Individual hosts inside the Firewall are identified by the source port the
Firewall assigns to each connection flowing through it.
• A mapping doesn't exist until an internal host requests a connection
through the firewall to an external host, and most Firewalls open the
mapped port only for the addressed external host, so only that host can
route back into the internal network
• IP Source routing could route back in; but, most Firewalls block
incoming source routed packets
• NAT only prevents external hosts from making connections to internal
hosts; it does not inspect or block what internal hosts send out.
• Some protocols won't work; protocols that rely on separate
connections back into the local network
• Theoretical max of 2^16 (65,536) connections per external address, one per
port; actual is much less (reserved ports, timeouts, per-destination reuse)
Static Translation
• Map a range of external addresses to the same size block of internal
addresses
• Firewall just does a simple one-to-one translation of each address
• Port forwarding - map a specific port to come through the Firewall
rather than all ports; useful to expose a specific service on the internal
network to the public network
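The following is an added example, not code from the original slides: a toy NAPT table in Python that models the behaviour described on the Dynamic Translation and Static Translation slides. An outbound connection allocates an (external IP, external port) pair, replies from the same remote host to that pair are mapped back, an unsolicited inbound packet is dropped unless a static port forward exists, stale mappings expire after an idle timeout, and the external port space caps the table at 2^16. The addresses, ports, pool range and timeout are constructed for the example.

```python
"""Toy NAPT (IP masquerading) plus static port forwarding.

Added example for this page, not the slides' own code. Addresses, ports,
the port pool and the idle timeout are constructed values.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int]  # (ip, port)
Key = Tuple[str, int, str, int]  # (inside ip, inside port, remote ip, remote port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Napt:
    external_ip: str
    # Ports the firewall may hand out for masqueraded connections (assumed range).
    port_pool: range = field(default_factory=lambda: range(1024, 65536))
    idle_timeout: float = 300.0  # seconds before a stale mapping is dropped
    out: Dict[Key, int] = field(default_factory=dict)   # flow -> external port
    back: Dict[int, Key] = field(default_factory=dict)  # external port -> flow
    last_seen: Dict[int, float] = field(default_factory=dict)
    forwards: Dict[int, Flow] = field(default_factory=dict)  # static port forwards

    def add_port_forward(self, ext_port: int, inside: Flow) -> None:
        """Static translation of one external port to one inside host:port."""
        self.forwards[ext_port] = inside

    def _alloc_port(self) -> int:
        for p in self.port_pool:
            if p not in self.back and p not in self.forwards:
                return p
        raise RuntimeError("NAPT port pool exhausted (2**16 ceiling per address)")

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """Inside -> outside: rewrite the source to external_ip:allocated port."""
        self.expire(now)
        key: Key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self.out.get(key)
        if ext_port is None:  # a mapping exists only once an inside host asks for it
            ext_port = self._alloc_port()
            self.out[key] = ext_port
            self.back[ext_port] = key
        self.last_seen[ext_port] = now
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Outside -> inside: reverse a live mapping or a static forward, else drop."""
        self.expire(now)
        if pkt.dst_ip != self.external_ip:
            return None
        entry = self.back.get(pkt.dst_port)
        if entry is not None:
            in_ip, in_port, rem_ip, rem_port = entry
            # Only the remote host the inside host talked to may use this mapping.
            if (pkt.src_ip, pkt.src_port) != (rem_ip, rem_port):
                return None
            self.last_seen[pkt.dst_port] = now
            return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.proto)
        fwd = self.forwards.get(pkt.dst_port)
        if fwd is not None:  # port forward admits traffic with no prior connection
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1], pkt.proto)
        return None  # unsolicited: no connection exists, nothing routes back in

    def expire(self, now: float) -> None:
        """Drop mappings idle longer than idle_timeout (the state table timeout)."""
        for port, seen in list(self.last_seen.items()):
            if now - seen > self.idle_timeout:
                self.out.pop(self.back.pop(port), None)
                del self.last_seen[port]


def demo():
    nat = Napt(external_ip="203.0.113.7")
    nat.add_port_forward(8080, ("192.168.1.20", 80))  # expose one inside web server

    # Two inside hosts use the same local port to the same server; each gets its own external port.
    a = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.5", 80), now=0)
    b = nat.outbound(Packet("192.168.1.11", 51000, "198.51.100.5", 80), now=1)
    reply_a = nat.inbound(Packet("198.51.100.5", 80, nat.external_ip, a.src_port), now=2)
    probe = nat.inbound(Packet("198.51.100.9", 4444, nat.external_ip, 2000), now=2)
    web = nat.inbound(Packet("198.51.100.9", 4444, nat.external_ip, 8080), now=2)
    stale = nat.inbound(Packet("198.51.100.5", 80, nat.external_ip, a.src_port), now=1000)
    return a, b, reply_a, probe, web, stale


if __name__ == "__main__":
    for label, pkt in zip(("a", "b", "reply_a", "probe", "web", "stale"), demo()):
        print(label, pkt)
```

`probe` and `stale` come back as `None`: the first because no inside host ever opened that port, the second because the mapping timed out before the late reply arrived. The static forward on 8080 is the one entry that admits a connection nobody inside asked for, which is exactly why the Hacking slide says static translation protects the mapped host not at all.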
Load Balancing
• A firewall that will dynamically map a request to a pool of identical
clone machines
• often done for really busy web sites
• each clone must have a way to notify the Firewall of its current load so
the Firewall can choose a target machine
• or the firewall just uses a dispatching algorithm like round robin
• Works cleanly only for stateless protocols (like plain HTTP), where any
clone can answer any request; session state must otherwise be shared or
the same client pinned to the same clone
Network Redundancy
• Can be used to provide automatic fail-over of servers or load
balancing
• Firewall is connected to multiple ISPs with a masquerade for each ISP
and chooses which ISP to use based on client load
• kind of like reverse load balancing
• a dead ISP will be treated as a fully loaded one and the client will be
routed through another ISP
Problems with NAT
• Can't be used with:
• protocols that require a separate back-channel
• protocols that encrypt or authenticate the TCP/IP headers (the rewritten
header no longer matches)
• protocols that embed IP address or port info in the payload
• protocols that specifically use the original IP for some security
reason (e.g. address-based authentication)
Services that NAT has problems with
• H.323, CUSeeMe, VDO Live – video teleconferencing applications
• Xing – Requires a back channel
• Rshell – used to execute command on remote Unix machine – back channel
• IRC – Internet Relay Chat – requires a back channel
• PPTP – Point-to-Point Tunneling Protocol
• SQLNet2 – Oracle Database Networking Services
• FTP – active mode sends the client's address and port in the PORT command;
the Firewall must rewrite it as RFC-1631 describes, or the client must use
passive mode
• ICMP – error messages embed the original packet's header (with the
untranslated address) in the ICMP message
• IPSec – used for many VPNs
• IKE – Internet Key Exchange Protocol
• ESP – IP Encapsulating Security Payload
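As an added example (not part of the original slides), here is the FTP case worked out in Python: an active-mode client announces its own private address and a listening port in the `PORT` command text, so a Firewall that rewrites only the IP header would leave the server trying to connect back to an unroutable 192.168 address. The application-level gateway below parses the command, reserves an external port for the back channel and rewrites the text, and tracks the change in payload length, since a length change means the TCP sequence numbers on that connection must also be adjusted. The external address, port pool and command strings are constructed.

```python
"""FTP PORT-command application-level gateway (ALG).

Added example for this page, not the slides' own code. The external IP,
the port pool and the sample commands are constructed values.
"""
import re
from typing import Dict, Tuple

# RFC 959 PORT syntax: PORT h1,h2,h3,h4,p1,p2  (port = p1*256 + p2)
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$"
)


def parse_port(cmd: str) -> Tuple[str, int]:
    """Return (ip, port) announced in a PORT command, or raise ValueError."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a PORT command: %r" % cmd)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field out of range: %r" % cmd)
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def format_port(ip: str, port: int) -> str:
    """Inverse of parse_port."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)]) + "\r\n"


class FtpAlg:
    def __init__(self, external_ip: str, pool_start: int = 40000):
        self.external_ip = external_ip
        self.next_port = pool_start
        # external back-channel port -> inside (ip, port) the server must reach
        self.back_channel: Dict[int, Tuple[str, int]] = {}
        # running byte difference the NAT must add to this connection's
        # client->server sequence numbers (and subtract from server ACKs)
        self.seq_delta = 0

    def rewrite(self, cmd: str) -> str:
        """Rewrite an outbound PORT command so the server connects to the firewall."""
        inside_ip, inside_port = parse_port(cmd)
        ext_port = self.next_port
        self.next_port += 1
        # Pre-open the inbound mapping that plain NAPT could never create on its own.
        self.back_channel[ext_port] = (inside_ip, inside_port)
        new_cmd = format_port(self.external_ip, ext_port)
        self.seq_delta += len(new_cmd) - len(cmd)
        return new_cmd


def demo() -> Tuple[str, Tuple[str, int], int]:
    alg = FtpAlg("203.0.113.7")
    # Client at 192.168.1.10 listens on 51211 (200*256 + 11) for the data connection.
    rewritten = alg.rewrite("PORT 192,168,1,10,200,11\r\n")
    return rewritten, alg.back_channel[40000], alg.seq_delta


if __name__ == "__main__":
    print(demo())
```

Without the ALG the server sees `PORT 192,168,1,10,...` and the data connection fails; with it, the server connects to `203.0.113.7:40000` and the Firewall relays that connection to `192.168.1.10:51211`. Protocols that encrypt the command channel (FTP over TLS) defeat this rewriting, which is the same reason IPSec and other encrypted or integrity-protected protocols appear in the list above.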
Hacking through NAT
• Static Translation
• offers no protection of internal hosts: a statically mapped host is reachable
from outside exactly as if it had a public address
• Internal Host Seduction
• internals go to the hacker, so the "no inbound connections" rule never applies
• e-mail attachments – Trojan horses and viruses
• peer-to-peer connections
• hacker run porn and gambling sites
• solution = application level proxies
• State Table Timeout Problem
• hacker could hijack a stale connection before it is timed out
• very low probability but smart hacker could do it
• Source Routing through NAT
• if the hacker knows an internal address they can source route a packet to
that host
• solution is to not allow source routed packets through the firewall