How Does NAT Work?
NAT works by having a firewall act as an intermediary for traffic entering and leaving the protected network. Inbound traffic is directed to a public-facing IP address, which is translated to an internal IP address to the firewall before sending the traffic on to its destination. Outbound traffic’s source addresses are similarly updated from private, internal IP addresses to public, external ones.
The technology works similarly to many organizations’ phone systems. The company publishes a single, public number for external callers. Once a customer calls this number, they are transferred to a specific internal phone based upon the details of their request.
Importance of NAT
NAT has a few different benefits, but one of the most significant is that it has dramatically increased the scalability of the IPv4 addressing scheme. The IPv4 scheme has less than 4.3 billion possible addresses, and there are over 20 billion devices connected to the Internet.
With a one-to-one mapping of IP addresses to devices, the IPv4 protocol’s pool of available addresses would have been exhausted years ago, forcing a switch to IPv6. However, with NAT, many Internet-connected devices can share the same public-facing IPv4 address, which has enabled the IPv4 standard to scale to meet demand.
Types of Network Address Translation
NAT can be implemented in a few different ways, including:
- Static NAT: Static NAT maps an internal IP address to an external one on a one-to-one basis. This doesn’t help with the scalability of IPv4 but does make a system reachable from outside of the network without disrupting internal addressing schemes.
- Dynamic NAT: With Dynamic NAT, a firewall has a pool of external IP addresses that it assigns to internal computers as needed. Like Static NAT, this creates a one-to-one mapping between internal and external IP addresses; however, these mappings are not permanent.
- Port Address Translation (PAT): PAT is used to create many-to-one mappings between internal and external IP addresses. The firewall uses the same IP address for multiple systems but assigns a different TCP or UDP port to each. Since a single IP address can have 65,535 ports associated with it, PAT allows a single external IP address to represent thousands of devices on a private network. PAT is the application of NAT that allows IPv4 addresses to scale.
NAT Configuration
The details of a NAT firewall configuration depend on the type of NAT used by an organization. For example, Static NAT and PAT may have a single external IP address, while Dynamic NAT has several.
For all NAT configurations, an organization is able to use private IP addresses within their local area networks (LANs). The IPv4 ranges 10.0.0.0/8, 172.16. 0.0/12, and 192.168. 0.0/16 are intended for internal use only. Devices within an organization’s LAN can be assigned one of these addresses, but these addresses are not routable outside of the organization’s network.
The translation process from internal, private address to external, public address depends on the NAT scheme used. In all cases, traffic will have to pass through a firewall that performs the translation. This firewall can rewrite the headers of inbound and outbound packets based on internal lookup tables, converting between IP addresses or assigning traffic to a particular port on a shared address.
How Does Network Address Translation Improve Security?
In addition to improving the scalability of IPv4, NAT also provides significant security benefits. These include:
- Boundary Enforcement: With NAT, the private IP addresses used inside the corporate LAN are not routable from outside. This enforces network boundaries and forces traffic to flow through the network firewall because external systems don’t know which computer to contact even if they had the ability to bypass the firewall. By forcing traffic to flow through a next-generation firewall (NGFW), NAT ensures that all inbound and outbound traffic can be inspected before being routed on to its destination.
- Improved Privacy: NAT makes an organization’s internal network structure opaque from outside of the network. External systems see a single IP address or a set of frequently changing ones, making it difficult to create a map of an organization’s internal network for use in later attacks.
NAT in Check Point NGFW
NAT can help to bolster an organization’s security by forcing all traffic to pass through a network firewall. However, this only provides security benefits if that firewall can detect and block malicious network traffic. To learn more about what to look for in an NGFW, check out this buyer’s guide.
Check Point NGFWs offer high-performance NAT functionality as well as enterprise-grade threat prevention capabilities. To see Check Point firewalls in action, you’re welcome to sign up for a free demo.
