This chapter discusses how Network Address Translation (NAT) is useful for hiding internal private IP addresses and conserving routable IP addresses on the Internet. It also covers the advantages and drawbacks of using NAT and explains why it is not sufficient for network security.
– Chapter 6 – NAT and Security
• Network Address Translation (NAT) is useful to:
• Hide internal private IP addresses
• Conserve routable IP addresses on the Internet
• RFC 1918, Address Allocation for Private Internets. Y. Rekhter, B. Moskowitz, D. Karrenberg, G. J. de Groot, E. Lear. February 1996.
Network Security
Reserved IP addresses for private networks
• Reserved IP addresses for private networks in the RFC 1918 addressing scheme:
• The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
An example of NAT: the DCSL network
• Network diagram for the UHCL Distributed Computer Security Lab (D140, D158)
• http://www.dcsl-uhcl.net/public/DCSL%20diagram.html
PAT (Port Address Translation)
• The PATing router translates the source and the destination addresses depending on the port number used. See Figure 6-1 (p. 130).
Advantages of using NAT
• The obvious advantage of using private address space for the Internet at large is to conserve the globally unique address space by not using it where global uniqueness is not required.
• Enterprises gain a lot of flexibility in network design by having more address space at their disposal than they could obtain from the globally unique pool. This enables operationally and administratively convenient addressing schemes as well as easier growth paths.
• Hiding of the private addresses from the public: an outsider only knows the globally addressable IP and a port number.
• Security: incoming packets without a proper port number are discarded.
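As an added example (not from the slides or the textbook), the following Python models the two points above in one place: the RFC 1918 membership check for the three reserved blocks, and a toy PAT table that rewrites each outbound flow to a unique public source port and discards inbound packets for which no mapping exists. The public address 203.0.113.7 and the outside hosts are constructed documentation-range values, and the PATRouter class is a simplified model, not a real router's implementation.

```python
import ipaddress

# The three RFC 1918 blocks listed on the slide
RFC1918_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True when addr falls inside one of the reserved private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in RFC1918_BLOCKS)


class PATRouter:
    """Toy PAT model (constructed for this example): one public IP; each
    inside (ip, port) talking to an outside (ip, port) is rewritten to a
    unique public source port, and replies are mapped back through it."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_map = {}  # (in_ip, in_port, out_ip, out_port) -> public port
        self.inbound_map = {}   # (public port, out_ip, out_port) -> (in_ip, in_port)

    def translate_out(self, in_ip, in_port, out_ip, out_port):
        """Rewrite an outbound packet's source to (public_ip, public port)."""
        key = (in_ip, in_port, out_ip, out_port)
        if key not in self.outbound_map:
            pub = self.next_port          # allocate the next free public port
            self.next_port += 1
            self.outbound_map[key] = pub
            self.inbound_map[(pub, out_ip, out_port)] = (in_ip, in_port)
        return (self.public_ip, self.outbound_map[key], out_ip, out_port)

    def translate_in(self, out_ip, out_port, public_port):
        """Map an inbound packet back to the inside host, or return None
        (packet discarded) when no mapping exists for that port and peer."""
        inside = self.inbound_map.get((public_port, out_ip, out_port))
        if inside is None:
            return None
        return (out_ip, out_port, inside[0], inside[1])


if __name__ == "__main__":
    r = PATRouter("203.0.113.7")   # constructed documentation-range public IP
    print(is_rfc1918("192.168.1.10"), is_rfc1918("8.8.8.8"))
    print(r.translate_out("192.168.1.10", 51000, "198.51.100.5", 80))
    print(r.translate_in("198.51.100.5", 80, 40000))    # reply: mapped back inside
    print(r.translate_in("198.51.100.9", 4444, 40000))  # unsolicited: None (dropped)
```

The dropped unsolicited packet is only the side effect of a missing table entry, which is why the later slide treats this as a convenience rather than a substitute for a firewall.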
Drawbacks of using NAT
• Renumbering of IP addresses may be needed in some cases:
• Once one commits to using a private address, one is committing to renumber part or all of an enterprise, should one decide to provide IP connectivity between that part (or all of the enterprise) and the Internet.
• Another drawback to the use of private address space is that it may require renumbering when merging several private internets into a single private internet.
Is NAT sufficient for network security?
• No. It's mainly a convenience measure.
• It cannot replace the functionality of a firewall: NAT does not track packet sequence numbers, the TCP handshake, UDP progress-based timers, etc.
• It cannot replace an intrusion detection system (IDS): NAT does not concern itself with protecting the hosts from malicious data being sent over the NAT connections.
• It cannot replace an access control mechanism.