Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

Using NAT as a layer of defense

advertisement 
Using NAT as a layer of defense
Implementing Network Address Translation or NAT has become a common defensive strategy.
However, it’s important to weigh the advantages with the disadvantages before implementation.
The most common advantages associated with NAT are:
NAT hides all of your internal IP addresses by converting them to a single exit address.
You don’t have to decide whether to use provider-assigned or provider-independent
addresses. You can use private addresses internally and provider-assigned addresses for
your external NAT pool.
NAT makes migration from one ISP to another extremely easy. All you have to do is
update on entry in a DNS server to move from ISP to ISP.
Your internal address space can easily grow. Purchasing large blocks of IP addresses is
expensive. By using the private Class A addresses you can have 16,777,214 hosts for the
cost of a single public address.
You can use the easy DHCP feature that comes with most operating systems to
dynamically configure all your internal hosts, without running out of IP addresses.
You can use NAT to accomplish simple TCP load distribution through translation of one
Web server IP address to many internal addresses to distribute traffic across multiple
servers.
NAT does have it’s disadvantages:
If you use NAT, then your firewall or router becomes a stateful device and must maintain
the state of every connection. This creates a single point of failure for all traffic entering
and exiting your network.
There are performance issues that can arise with NAT. The IP header has a checksum that
includes the source and destination addresses and the Internet layer must recalculated the
checksum when the address changes. This typically isn’t a problem because the IP header
only calculates 20 bytes. However, the TCP or UDP checksum calculates the value for all
the data in the packet and is more processor intensive.
Some application protocols that embed IP addresses inside the application will not work
with NAT unless the protocol developer specifically supports this operation.
Multi-channel applications such as FTP and H-323 can be challenging. NAT normally
treats these two channels as unrelated and they fail.
Access control list based on source IP address is complex and difficult to initiate.
You cannot use IPSec through NAT. The authentication protocol, by definition, detects
alterations to an IP packet header. The receiving host will discard the packet because it
has been altered through NAT.
As with any network defensive tool, it’s important to weigh the advantages and disadvantages
before implementing. If none of the disadvantages apply to your current network. I highly
encourage using NAT combined with a private internal IP address structure. It’s probably the
cheapest defensive strategy that you’ll ever implement.
Related documents
Operating Systems - Shawlands Academy
Operating Systems - Shawlands Academy
File - DIVISION OF MALABON CITY
File - DIVISION OF MALABON CITY
Chapter 8
Chapter 8
Department of Computing Studies
Department of Computing Studies
Causes of the Civil War
Causes of the Civil War
Tutorial 11: Harvesting E-Mail Addresses and Other Evil Things November 21-23, 2007
Tutorial 11: Harvesting E-Mail Addresses and Other Evil Things November 21-23, 2007
Types of Computer - Shawlands Academy
Types of Computer - Shawlands Academy
Network Address Translation
Network Address Translation
File
File
NAT
NAT
January 2015 Monitoring Report
January 2015 Monitoring Report
Packet Tracer 5 3 8 2 - Class
Packet Tracer 5 3 8 2 - Class
File
File
NAT - David Choffnes
NAT - David Choffnes
NAT
NAT
Ch5- Study Guide
Ch5- Study Guide
NAT (Network Address Translation)
NAT (Network Address Translation)
Chapter 11
Chapter 11
IPNL: A NAT-Extended Internet Architecture
IPNL: A NAT-Extended Internet Architecture
Mod 01 Scaling IP Addresses
Mod 01 Scaling IP Addresses
doc - Student Learning Outcomes
doc - Student Learning Outcomes
S4 Assessment Week Schedule
S4 Assessment Week Schedule
Download
advertisement