Network Security 103: Network Address Translation

Private and Public Addressing

Before we dive into NAT we must first discuss the difference between public and private IP addressing.  Public IP addresses include the range 0.0.0.0 – 255.255.255.255, or over 4 billion unique addresses; this is of course with a few exceptions that we will not go into detail here.

Private IP networks are a special allocation of network addresses.  They are typically used in networks where the total number of devices in a network exceed the amount of Public IP addresses that are available to the user.  These ranges include the following networks:

• 10.0.0.0/8 (IP Range 10.0.0.0 – 10.255.255.255, or 16,777,216 unique addresses)
• 172.16.0.0/12 (IP Range 172.16.0.0 – 172.31.255.255, or 1,048,576 unique addresses)
• 192.168.0.0/16 (IP Range 192.168.0.0 – 192.168.255.255, or 65,536 unique addresses)

Typically these private ranges are not routable across the public Internet, which is why you will only see them occur behind devices that support NAT.

Types of NAT

For the sake of simplicity this article will discuss two major types of NAT:

1. NAT-Source
2. NAT-Destination

Each type of NAT has their own niche in the way we can manipulate traffic.

NAT-Source

NAT-Source allows us to take many devices and their connections and have it appear as one single address to the rest of the network.  For example in the diagram below we have on the left side the private 192.168.1.0/24 network which comprises of workstations, laptops, and Desktop PC.  Suppose the Desktop PC at 192.168.1.5 wants to access www.company.com at the address of 2.2.2.3; in order to do that it must first traverse the firewall which in a majority of cases is the default gateway of  the network.  From there the firewall creates a new session in the session table (as described in Network Security 102); in addition it also performs Source-NAT in order to make the source of the traffic appear that it came from the firewall, not the desktop PC.  This allows for the traffic to be routable across the Internet.  From there the firewall routes the traffic through the Internet until it reaches the firewall responsible for the 2.2.2.0/24 network.

NAT-Destination

NAT-Destination does the opposite of NAT Source by allowing many devices to access a single device.  Port forwarding is a subset of NAT-Destination as it forwards certain ports to a particular private address.  In following diagram we will take the request from the previous example and perform NAT-Destination.  When incoming traffic hits the 2.2.2.2 firewall requesting 2.2.2.3 the firewall will preserve the source address, but then change the internal address from 2.2.2.3 to its internal address of 192.168.2.3 and pass it through to the www.company.com web server.

Finishing it all up

Now that the request has reached the server, it processes the request and sends back a response to its the default gateway (in this case, the firewall on the right).  That firewall completes its session by routing the response back tho the firewall on the left side.  The firewall on the left matches the response to the session it created, and sends it to the Desktop PC.  The PC loads the page, and the firewall removes the session from its session table.

Additional Thoughts

One very important thing to note here is that NAT alone is NOT a firewall.  As we showed you in previous articles we perform on a firewall platform without using NAT at all.  In some cases (highly unlikely, but possible) a misconfiguration of the firewall alone is enough to leave your system vulnerable for an attack, regardless if you are using NAT or not.  So always be mindful of this when choosing your next networking security solution.  The ability to control who has access to what on your network from both the perimeter and the individual host is paramount to keeping a network running smoothly.

-Clay Haynes (a.k.a dark_15 on the forums)