IP Network Address Translation (IP NAT) And Stateful Packet Inspection (SPI)
When designing the Internet connectivity for your organization, you should first determine the size of your network infrastructure.
- For small, non-routed networks you may be able to use a simple IP NAT solution; this solution provides only minimal security.
- For larger, more complex networks you will require an ISA Server or hardware firewall solution. This allows multiple routed networks to be connected to the Internet and provides more advanced security and control over access to resources.
What is IP NAT?
IP NAT is a primary method enabling computers with unregistered IP addresses to access the Internet. IP NAT functions as an intermediary between a client computer on an unregistered network and the Internet. For each packet generated by a client, the NAT implementation substitutes a registered address for the client’s unregistered address.
There are three basic types of IP NAT:
1. Static IP NAT
Static IP NAT translates a number of unregistered IP addresses to an equal number of registered addresses, so that each client always uses the same registered address.
This type of NAT does not conserve the IP address space because you need the same number of registered addresses as unregistered addresses. Static NAT is also not as secure as the other NAT types because each computer is permanently associated with a particular registered address, which makes it easier for Internet intruders to direct traffic to a particular computer on your network using that registered address.
2. Dynamic IP NAT
Dynamic IP NAT is intended for circumstances in which you have fewer registered IP addresses than unregistered computers. Dynamic IP NAT translates each unregistered computer to one of the registered addresses. Intruders on the Internet are less able to associate a registered address with a particular computer (as they can with static IP NAT) because the registered address assigned to each client changes frequently. The main drawback of dynamic IP NAT is that it can support only as many simultaneous users as you have registered IP addresses available. If all the registered addresses are in use, a client attempting to access the Internet receives an error message.
3. Masquerading IP NAT
Masquerading IP NAT translates all the unregistered IP addresses on your network using a single registered IP address. To enable multiple clients to access the Internet simultaneously, the NAT router uses port numbers to differentiate between packets generated by and destined for different computers. Masquerading provides the best security of the NAT types because the association between the unregistered client and the registered IP address/port number combination in the NAT router lasts only for the duration of a single connection.
IP NAT Security
Most IP NAT implementations today rely on the masquerading technique because it minimizes the number of registered IP addresses needed and it maximizes the security provided by IP NAT. Note, however, that IP NAT by itself, even using masquerading, is not a true firewall and does not provide ironclad security for high-risk situations. IP NAT effectively blocks unsolicited requests and other probes from the Internet, meaning that it thwarts intruders searching for unprotected file shares and private Web or FTP servers. However, NAT does not prevent users on the Internet from launching directed denial of service attacks against specific computers on the private network or from using other, more complex tactics to compromise your network.
IP NAT and Stateful Packet Inspection
Some IP NAT implementations include additional security capabilities, typically a technique called stateful packet inspection. Stateful packet inspection is a generic term for a process in which the IP NAT router examines the incoming packets from the Internet more carefully than usual. In a typical IP NAT implementation, the router is concerned only with the IP addresses and port numbers of the packets passing through it. An IP NAT router that supports stateful packet inspection examines other network and transport layer header fields as well, looking for the patterns of various damaging behaviors, such as IP spoofing, SYN floods, and teardrop attacks. Various manufacturers implement stateful packet inspection in different ways, so not all IP NAT routers with this capability offer the same degree of protection.
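The following added example (not from the original text) simulates the masquerading NAT table described above together with two of the stateful checks just mentioned: every outbound flow is mapped to the single registered address plus a unique port, an inbound packet with no matching entry is dropped as an unsolicited probe, a packet arriving from the Internet with a private source address is dropped as spoofed, and a half-open TCP flow accepts only the peer's SYN-ACK. The private network 192.168.1.0/24, the registered address 203.0.113.5 and the port range starting at 40000 are assumed values.

```python
import ipaddress
from dataclasses import dataclass

PRIVATE_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed unregistered LAN
PUBLIC_IP = "203.0.113.5"  # assumed single registered address (documentation range)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str = ""  # TCP flags, e.g. "S" (SYN), "SA" (SYN-ACK), "A" (ACK); "" for UDP

class MasqueradingNat:
    """Masquerading NAT: every LAN flow is mapped to PUBLIC_IP plus a unique port."""

    def __init__(self, first_port=40000):
        self.next_port = first_port
        self.outbound = {}  # (lan_ip, lan_port, dst_ip, dst_port) -> public port
        self.inbound = {}   # public port -> [flow key, state]

    def send(self, pkt):
        """Translate a packet leaving the LAN; a new flow gets a fresh public port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            port, self.next_port = self.next_port, self.next_port + 1
            self.outbound[key] = port
            # a TCP SYN opens a half-open entry; anything else is treated as established
            self.inbound[port] = [key, "SYN_SENT" if "S" in pkt.flags else "ESTABLISHED"]
        return Packet(PUBLIC_IP, self.outbound[key], pkt.dst_ip, pkt.dst_port, pkt.flags)

    def receive(self, pkt):
        """Inspect a packet from the Internet; return it rewritten for the LAN, or None to drop."""
        # SPI check: a private source address arriving on the outside interface is spoofed
        if ipaddress.ip_address(pkt.src_ip) in PRIVATE_NET:
            return None
        entry = self.inbound.get(pkt.dst_port)
        if entry is None:
            return None  # unsolicited probe: no client opened this port
        (lan_ip, lan_port, dst_ip, dst_port), state = entry
        if (pkt.src_ip, pkt.src_port) != (dst_ip, dst_port):
            return None  # reply must come from the peer the client actually contacted
        # SPI check: a half-open TCP flow accepts only the peer's SYN-ACK
        if state == "SYN_SENT":
            if pkt.flags != "SA":
                return None
            entry[1] = "ESTABLISHED"
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.flags)
```

A real router also expires idle entries and tracks FIN/RST to close them; this model keeps entries until the process ends.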
IP NAT Solution
As previously discussed, the network infrastructure design decision should consider the following:
- What is the size of the private network?
- What are the security requirements of the organization?
IP NAT is an appropriate solution if:
- Internet access and access to the network are not restricted on a user-by-user basis
- The private network consists of users in a non-routed environment
- The organization requires private addressing for the computers on the private network
An IP NAT server requires at least two network interfaces.
- Each interface requires an IP address. The address assigned must fall within the address range of the network segment the interface is connected to.
- The subnet mask must be the same as the subnet mask assigned to the network segment the interface is connected to.
An IP NAT server can be placed on the network to perform the following tasks:
- Isolate the network traffic to the source, destination, and intermediate network segments.
- Create a screened subnet within the private network, protecting confidential data
- Exchange network packets between dissimilar network segment types
Most wireless routers support these NAT and SPI features, which protect against, or at least reduce, the security threats to your network. Today almost all manufacturers claim that their wireless products have the firewall capabilities of IP NAT and SPI (stateful packet inspection), for example Linksys, D-Link, Netgear and Belkin wireless routers, among others.