Use Network Address Translation to enhance network security

Source: Internet
Author: techrepublic.com

Mike Mullins explains why you should consider deploying network address translation on the network you manage. The following are some considerations.

If the network you manage has enough IP addresses to cover all of its hosts and servers, you may not need to configure network address translation (NAT). NAT allows a single device to act as an intermediary between the private network and the Internet, so that a single IP address can represent multiple computers.

However, NAT is not used only to make up for a shortage of IP addresses. It can also enhance network security and simplify management. If you have not deployed NAT, it may be time to reconsider that decision.

Before deciding to deploy NAT, it is important to understand how NAT works. You also need to be familiar with the different types of NAT that you may need to configure.

NAT vs. Proxy Server
People sometimes confuse NAT with proxy servers, but there is a large difference between the two. NAT is transparent to both the source and the destination computer. A proxy server is not transparent: you must configure the source computer so that it connects through the proxy server.

In addition, the destination computer sees the request as coming from the proxy server, which then forwards the response back to the computer that initiated the request. Proxy servers usually work at the transport layer or higher in the OSI reference model, while NAT is a layer-3 mechanism.

Now that you understand the difference between NAT and proxy servers, let's look at the four types of NAT.

Static
Static NAT maps an unregistered (unroutable) IP address on the inside network to a registered (routable) IP address. This is a one-to-one mapping. It is required when a device on the internal network must be reachable from the outside.

For example, your email server has the IP address 10.0.1.5 (an address that cannot be routed on the Internet). Your NAT device translates it to 202.0.1.5 (a routable IP address).

Dynamic
Dynamic NAT also maps an unregistered IP address to a registered IP address. The difference is that the registered address is drawn from a pool of registered addresses. Dynamic NAT still provides a one-to-one mapping, but the mapping changes with each connection, depending on which addresses in the registered pool are available at the time.

For example, an internal client has the IP address 10.0.1.150. When it tries to connect to an external network, your NAT device translates it to the first available address in the range 202.0.1.50 to 202.0.1.100.

Overload
Also known as port address translation (PAT), single-address NAT, or port-level multiplexed NAT, overloading is a form of dynamic NAT. It maps multiple unregistered IP addresses to a single registered IP address. When a request is transmitted, the NAT device tells the sessions apart by assigning each one a different source port.

For example, your NAT device translates every internal device to a single routable IP address, but assigns a different source port to each session before forwarding the data to the respective destination IP address.
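The three translation styles described above (static, dynamic from a pool, and overload/PAT) differ only in how the translation table is built. The following Python model, an added example that is not code from the article or its author, builds that table for each style using the article's own addresses (10.0.1.5 to 202.0.1.5, the pool 202.0.1.50 to 202.0.1.100, and an assumed single public address 202.0.1.1 for PAT). Port allocation starting at 1024 is an assumption for illustration, not a claim about any particular router.

```python
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

# An endpoint is (ip, port). All addresses below are constructed from the
# article's examples; nothing here is real traffic.
Endpoint = Tuple[str, int]


class StaticNAT:
    """One-to-one, fixed mapping: an inside host always appears as the same
    public address, so the table is known before any traffic flows."""

    def __init__(self, mappings: Dict[str, str]):
        self.inside_to_outside = dict(mappings)            # inside ip -> public ip
        self.outside_to_inside = {v: k for k, v in mappings.items()}

    def translate_outbound(self, src: Endpoint) -> Optional[Endpoint]:
        ip, port = src
        public = self.inside_to_outside.get(ip)
        return (public, port) if public else None         # port is untouched


class DynamicNAT:
    """One-to-one mapping drawn from a pool; which public address a host gets
    depends on what is free when its session starts."""

    def __init__(self, pool_start: str, pool_end: str):
        start, end = int(IPv4Address(pool_start)), int(IPv4Address(pool_end))
        self.free: List[str] = [str(IPv4Address(i)) for i in range(start, end + 1)]
        self.table: Dict[str, str] = {}                    # inside ip -> public ip

    def translate_outbound(self, src: Endpoint) -> Optional[Endpoint]:
        ip, port = src
        if ip not in self.table:
            if not self.free:
                return None                                # pool exhausted: cannot translate
            self.table[ip] = self.free.pop(0)              # first available pool address
        return (self.table[ip], port)

    def release(self, inside_ip: str) -> None:
        """Return a public address to the pool when the session ends."""
        public = self.table.pop(inside_ip, None)
        if public is not None:
            self.free.append(public)


class OverloadNAT:
    """PAT: every inside host shares one public address; sessions are told
    apart by the translated source port, so two hosts may even use the same
    inside source port without colliding."""

    def __init__(self, public_ip: str, first_port: int = 1024):  # 1024 is an assumption
        self.public_ip = public_ip
        self.next_port = first_port
        self.table: Dict[Endpoint, int] = {}               # (inside ip, inside port) -> public port

    def translate_outbound(self, src: Endpoint) -> Endpoint:
        if src not in self.table:
            self.table[src] = self.next_port
            self.next_port += 1
        return (self.public_ip, self.table[src])


def demo() -> Dict[str, object]:
    """Run the article's three scenarios and return the resulting translations."""
    static = StaticNAT({"10.0.1.5": "202.0.1.5"})
    dynamic = DynamicNAT("202.0.1.50", "202.0.1.100")
    pat = OverloadNAT("202.0.1.1")
    return {
        "static_mail": static.translate_outbound(("10.0.1.5", 25)),
        "dynamic_first": dynamic.translate_outbound(("10.0.1.150", 40000)),
        "dynamic_second": dynamic.translate_outbound(("10.0.1.151", 40001)),
        "pat_a": pat.translate_outbound(("10.0.1.10", 50000)),
        "pat_b": pat.translate_outbound(("10.0.1.11", 50000)),  # same inside port, new public port
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note the failure mode the dynamic class makes visible: a pool of 51 addresses (202.0.1.50 to 202.0.1.100) serves only 51 concurrent inside hosts, and the 52nd gets no translation at all, which is exactly the shortage that overloading solves.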

Overlap
Overlapping NAT is used when the internal IP addresses are routable but need to be used on another network. A NAT device translates these addresses to a single routable address before forwarding the traffic.

Enterprises can use this type of NAT when internal clients sit at different physical locations in the network but must share the same routable address. Overlapping NAT generally requires dynamic DNS.

For example, your NAT device maps the IP address 202.0.1.50 (which is routable and is used by different users at different physical locations) to an address in the range 202.0.2.50 to 202.0.2.100.

Issues to be considered
Do not worry that configuring NAT will reduce network performance. An address translation entry occupies only about 160 bytes in the router, so a router with just 2 MB of DRAM can hold about 13,107 address translation entries simultaneously.

This is sufficient for small networks. Note also that if you run into problems during implementation, adding memory to the router may help.

Most enterprises that deploy NAT prefer dynamic NAT, because it effectively creates a layer-3 firewall between the internal network and the Internet.

With dynamic NAT, computers on the Internet cannot connect to clients on the internal network unless an internal client initiates the communication. Preventing hostile networks from initiating connections to internal clients is a sound way to improve network security.
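The firewall-like behaviour just described comes from the translation table itself: an inbound packet is forwarded only if some entry already maps its destination back to an inside host. The following Python model, an added example and not code from the article or its author, runs a few constructed inbound packets against a table that holds one static entry (the article's mail server) and one PAT session an inside client opened. It assumes an endpoint-restricted table, where return traffic must also come from the remote host and port the client spoke to; real routers differ in how strictly they match, so treat that as an assumption of the model.

```python
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

# Constructed table in the article's address space. The static entry is
# reachable from outside by design; the PAT session exists only because
# 10.0.1.150 initiated a connection to 198.51.100.7:443 (documentation
# address range, constructed for this example).
STATIC_ENTRIES: Dict[str, str] = {"202.0.1.5": "10.0.1.5"}        # public ip -> inside ip
# (public ip, public port, remote ip, remote port) -> (inside ip, inside port)
SESSIONS: Dict[Tuple[str, int, str, int], Endpoint] = {
    ("202.0.1.1", 1024, "198.51.100.7", 443): ("10.0.1.150", 52000),
}


def inbound_decision(dst: Endpoint, src: Endpoint,
                     static: Dict[str, str] = STATIC_ENTRIES,
                     sessions: Dict[Tuple[str, int, str, int], Endpoint] = SESSIONS,
                     ) -> Optional[Endpoint]:
    """Return the inside endpoint an inbound packet is forwarded to, or None to drop it."""
    dst_ip, dst_port = dst
    if dst_ip in static:
        # Static NAT: the inside host is always reachable; this is what you
        # want for a published server and what you must not do for clients.
        return (static[dst_ip], dst_port)
    key = (dst_ip, dst_port, src[0], src[1])
    if key in sessions:
        # Return traffic for a session that an inside client started.
        return sessions[key]
    # No translation entry: an outside host is trying to initiate a
    # connection, so the router has nowhere to send it and drops it.
    return None


def filter_packets(packets: List[Tuple[Endpoint, Endpoint]]) -> List[Tuple[Endpoint, Endpoint, str]]:
    """Annotate each (dst, src) inbound packet with the forwarding decision."""
    out = []
    for dst, src in packets:
        target = inbound_decision(dst, src)
        verdict = f"forward to {target[0]}:{target[1]}" if target else "drop"
        out.append((dst, src, verdict))
    return out


# Constructed inbound packets: mail to the static server, a legitimate reply
# to the PAT session, a spoofed reply from the wrong remote host, and an
# unsolicited probe at an unused public port.
SAMPLE_PACKETS: List[Tuple[Endpoint, Endpoint]] = [
    (("202.0.1.5", 25), ("198.51.100.7", 40000)),
    (("202.0.1.1", 1024), ("198.51.100.7", 443)),
    (("202.0.1.1", 1024), ("203.0.113.9", 443)),
    (("202.0.1.1", 2000), ("198.51.100.7", 443)),
]

if __name__ == "__main__":
    for dst, src, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{src[0]}:{src[1]} -> {dst[0]}:{dst[1]}: {verdict}")
```

The caveat the model makes explicit is the static entry: static NAT gives the mail server the outside reachability the article says it needs, but it also means that host is not protected by the "inside must initiate" rule and needs its own filtering.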
