Skip to main content

What is Network Address Translation?

Network Address Translation

Network Address Translation (NAT) is the process where a network device, usually a firewall, assigns a public address to a computer (or group of computers) inside a private network. The main use of NAT is to limit the number of public IP addresses an organization or company must use, for both economy and security purposes.

The most common form of network translation involves a large private network using addresses in a private range (10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, or 192.168.0 0 to 192.168.255.255). The private addressing scheme works well for computers that only have to access resources inside the network, like workstations needing access to file servers and printers. Routers inside the private network can route traffic between private addresses with no trouble. However, to access resources outside the network, like the Internet, these computers have to have a public address in order for responses to their requests to return to them. This is where NAT comes into play.

Internet requests that require Network Address Translation (NAT) are quite complex but happen so rapidly that the end user rarely knows it has occurred. A workstation inside a network makes a request to a computer on the Internet. Routers within the network recognize that the request is not for a resource inside the network, so they send the request to the firewall. The firewall sees the request from the computer with the internal IP. It then makes the same request to the Internet using its own public address, and returns the response from the Internet resource to the computer inside the private network. From the perspective of the resource on the Internet, it is sending information to the address of the firewall. From the perspective of the workstation, it appears that communication is directly with the site on the Internet. When NAT is used in this way, all users inside the private network access the Internet have the same public IP address when they use the Internet. That means only one public addresses is needed for hundreds or even thousands of users.

Most modern firewalls are stateful - that is, they are able to set up the connection between the internal workstation and the Internet resource. They can keep track of the details of the connection, like ports, packet order, and the IP addresses involved. This is called keeping track of the state of the connection. In this way, they are able to keep track of the session composed of communication between the workstation and the firewall, and the firewall with the Internet. When the session ends, the firewall discards all of the information about the connection.

There are other uses for Network Address Translation (NAT) beyond simply allowing workstations with internal IP addresses to access the Internet. In large networks, some servers may act as Web servers and require access from the Internet. These servers are assigned public IP addresses on the firewall, allowing the public to access the servers only through that IP address. However, as an additional layer of security, the firewall acts as the intermediary between the outside world and the protected internal network. Additional rules can be added, including which ports can be accessed at that IP address. Using NAT in this way allows network engineers to more efficiently route internal network traffic to the same resources, and allow access to more ports, while restricting access at the firewall. It also allows detailed logging of communications between the network and the outside world.

Additionally, NAT can be used to allow selective access to the outside of the network, too. Workstations or other computers requiring special access outside the network can be assigned specific external IPs using NAT, allowing them to communicate with computers and applications that require a unique public IP address. Again, the firewall acts as the intermediary, and can control the session in both directions, restricting port access and protocols.

NAT is a very important aspect of firewall security. It conserves the number of public addresses used within an organization, and it allows for stricter control of access to resources on both sides of the firewall.

source :
http://whatismyipaddress.com/nat
Labels:

Comments

Post a Comment

Popular posts from this blog

about gigabyte NIC onboard not detected on enterprise linux distribution

on several gigabyte motherboard, onboard network interface card  will not be detected on enterprise linux distribution (e.g. scientific linux, oracle linux server, etc). alternatively you must supply add-on card. or if you insist to use the onboard card, you must install the unofficial nic driver. this is tutorial how to install driver for onboard network interface card GIGABYTE first of all prepare your system. make sure it has package group "Development Tools" installed. if it has not, install it # yum groupinstall “Development Tools” download the source code : https://www.dropbox.com/s/na91bu4az4p9827/AR81Family-linux-v1.0.1.14.tar.gz extract the source code : # tar zxvf AR81Family-linux1.0.1.14.tar.gz the extraction process will make the new directory "AR81Family*", change to the directory # cd AR81Family* compile the source by type on terminal : # make then, # make install wait until the compiling process finish. next make the new scrip...
2 comments
Read more

about getsebool and setsebool

The setsebool is used to set SELinux boolean value i.e. various configurations can be enabled or disabled using this tool. In other words, the setsebool command switches on and off the protection of SELinux. Type getsebool -a to see all such options which can be enabled or disabled at run time: e.g. # getsebool -a The following should give you a complete listing of all the vsftpd switches: e.g.  # getsebool -a | grep ftp  For example, if httpd_disable_trans set to 1, it will disable SELinux protection for  Apache web server. To disable it, enter:  # setsebool -P httpd_can_network_connect=1 To enable it, enter:    # setsebool -P httpd_can_network_connect=0
3 comments
Read more

All certification

Post a Comment
Read more