Strengthen security by implementing Network Address Translation

Worried about security issues? Who isn’t? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.

If you administer a network that has enough
IP addresses to cover your hosts and servers, you probably haven’t
needed to implement Network Address Translation (NAT). NAT allows a
single device to act as a proxy between your private network and
the Internet, allowing a single routable IP address to represent a
large group of computers.

But NAT isn’t just for covering a short IP
space; it also increases security and eases administration. If you
haven’t implemented NAT, it may be time to rethink your choice.

Before deciding to implement NAT, it’s
important to understand how NAT works and to be familiar with the
different types of NAT that you can implement.

NAT vs. proxy servers

People sometimes confuse NAT with the term proxy server. However,
there’s a big difference. NAT is transparent to both the source and
destination computers. A proxy server is not transparent; you must
configure a source computer to communicate with a proxy server.

In addition, the destination computer sends
network requests to the proxy server, which forwards the
communication back to the requesting computer. Proxy servers
usually work at Layer 4 (Transport) or higher of the OSI Reference
Model; NAT is a Layer 3 (Network) protocol.

Now that you understand the differences between
NAT and proxy servers, let’s examine four types of NAT.

Static

Also known as inbound mapping, static NAT maps
an unregistered/nonroutable internal IP address to a
registered/routable IP address on a one-to-one basis. This is
necessary when a network device needs to be accessible from outside
the network.

Example: Your mail server
has an IP address of 10.0.1.5 (a nonroutable IP address on the
Internet). Your NAT device translates that address to 202.0.1.5 (a
routable IP address).

Dynamic

Dynamic NAT maps an unregistered IP address to
a registered IP address from a pool of registered IP addresses.
Dynamic NAT creates a one-to-one mapping between unregistered and
registered IP addresses. However, this mapping varies depending on
the registered addresses available in the pool at the time of
communication.

Example: An internal client
has an IP address of 10.0.1.150. When this address tries to
communicate with an outside network, your NAT device translates it
to the first available address in the range of 202.0.1.50 to
202.0.1.100.

Overloading

Also known as Port Address Translation (PAT),
single-address NAT, or port-level multiplexed NAT, overloading is a
type of dynamic NAT that maps multiple unregistered IP addresses to
one registered IP address by using source port substitution before
it translates the network request.

Example: Your NAT device
translates all internal clients to a single routable IP address,
but it assigns each source session a different port before sending
it to the destination IP address.

Overlapping

Overlapping NAT occurs when the internal IP
addresses are routable but used on another network. The NAT device
translates these addresses to unique routable addresses before
forwarding the communication.

Organizations use this type of NAT when using
the same routable addresses for internal clients in physically
different locations on the network. You usually implement
overlapping NAT using dynamic DNS.

Example: Your NAT device
translates a client with an IP address of 202.0.1.50 (a routable
address also used by a different client in a physically different
location) to an address in the range of 202.0.2.50 to
202.0.2.100.

Final thoughts

Don’t worry that implementing NAT will cause a
performance decrease on your network. An entry in the address
translation table of your router takes about 160 bytes, and a
router with only 2 MB of DRAM can process 13,107 simultaneous
translations.

This should be sufficient for any small
network. In addition, keep in mind that adding memory to your
router can help if you encounter a problem.

When implementing NAT, most organizations
usually prefer the Dynamic NAT approach. It creates a Layer-3
firewall between the internal network and the Internet.

This way, computers on the Internet can’t
connect to the internal client unless the internal client initiates
the communication. Keeping hostile networks from connecting to your
internal clients is a good beginning to securing your network.

TechRepublic Premium editorial calendar: IT policies, checklists, toolkits and research for download

TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.

Payroll

The Best Human Resources Payroll Software of 2023

With a lot of choices in the market, we have highlighted the top six HR and payroll software options for 2023.

A computer running Windows 11. — Image: Microsoft.

Software

Windows 11 update brings Bing Chat into the taskbar

Microsoft's latest Windows 11 allows enterprises to control some of these new features, which also include Notepad, iPhone and Android news.

A software engineer works from home. — Image: tanatat/Adobe Stock

CXO

Tech jobs: No rush back to the office for software developers as salaries reach $180,000

Salaries for remote roles in software development were higher than location-bound jobs in 2022, Hired finds.

Project management process to manage and develop with resources to deliver quality product, agile development cycle, businessman project manager balance on clock juggling project management elements. — Image: Nuthawut/Adobe Stock

Software

The 10 best agile project management software for 2023

With so many agile project management software tools available, it can be overwhelming to find the best fit for you. We've compiled a list of 10 tools you can use to take advantage of agile within your organization.

A user typing a password. — Image: Song_about_summer/Adobe Stock

Security

1Password is looking to a password-free future. Here’s why

With phishing-based credentials theft on the rise, 1Password CPO Steve Won explains why the endgame is to 'eliminate’ passwords entirely.

PURPOSE A large segment of internal and external modern business now takes place on computers, tablets and other mobile devices. The information technology infrastructure that has sprung up around that business can be daunting in its scope. This Hiring Kit from TechRepublic Premium provides an adjustable framework your business can use to find, recruit and ...

PURPOSE This grant writing guide from TechRepublic Premium will help you identify a grant that fits your idea, build a team to help you compile a proposal, and set a timeline to meet the application deadline. From the guide: BEFORE YOU START This list of steps will help the grant writing process go more smoothly. ...

PURPOSE These guidelines from TechRepublic Premium will help you define the necessary ingredients of a security policy and assist in its proper construction. They’re designed to work hand in hand with the subjective knowledge you have of your company, environment and employees. Using this information, your business can establish new policies or elaborate on those ...

Strengthen security by implementing Network Address Translation