NAT is a mechanism that translates IP addresses within private, internal networks to another range of IP addresses for transport over an external network (such as the internet or HSCN). The NAT device translates incoming traffic back for delivery within the internal network.
NAT is a widely used technology that permits the manipulation of IP traffic. Further details can be found in the Internet Engineering Task Force (IETF) Request for Comments (RFC) 1631. When using NAT it may be necessary to consider the practicalities of logging, as well as source/destination access control policies, because NAT rewrites the headers of IP packets and effectively breaks the end-to-end Transmission Control Protocol/Internet Protocol (TCP/IP) connection. If considering the use of NAT it is prudent to establish full logging and auditing policies beforehand, to ensure compliance with good practice guidelines for auditing the use of shared IP addresses.
NAT is a technology that is prevalent in Internet Protocol version 4 (IPv4) networks, where IPv4 public internet addresses are a limited resource. Because of the continuing expansion of the World Wide Web (WWW) and other internet-based services demanding IPv4 addresses, it is no longer an option for organisations to obtain additional public IPv4 address space for public-facing systems, and so NAT has become a necessity for many network designs.
NAT typically takes place at the boundary between an organisation's internal network and any external network gateway, and allows a multitude of private (RFC 1918) IP addresses to use a limited pool of public IP addresses, or a single address if necessary.
NHS organisations typically use NAT to interface between their local sites and the HSCN, whilst home workers may well use NAT within their local router to interface to their internet service provider (ISP).
There are many types of NAT offering many different benefits as well as limitations - the types of compatible applications or the levels of auditing that are applicable at the end service level, for example.
With NAT the border device, typically a router or firewall, uses stateful translation tables to map the private 'hidden' IP addresses to the single address (or pool) and then rewrites outgoing IP packets on exit so that they appear to originate from the border device. On the reverse communications path, responses are mapped back to the originating IP address using the rules (or 'state') stored in the translation tables. Translation table entries established in this fashion are flushed after a predetermined idle period, unless new traffic refreshes their state.
The border device can contain two types of NAT table entries, dependent on the NAT method in use:
- Dynamic entries - where multiple internal (private) IP addresses are translated into a single external IP address, or a pool of external IP addresses
- Static entries - where internal and external IP addresses are mapped one-to-one.
In large deployments, the way NAT masks the true source of unauthorised network use can be a serious concern. When faced with possible illegal activity seen from outside the local source network, investigating and identifying the originating machines within that network can be extremely difficult if detailed logs are not kept.
Port Address Translation
Port Address Translation (PAT), or Network Address Port Translation (NAPT) as it is also known, is a common form of IPv4 NAT. Also known as a 'hide NAT', PAT maps connections from many internal addresses to a single external IP address by assigning each connection its own port on that external address, and uses those ports to create and track the connections.
These connections are held in a state table to preserve and maintain this connectivity. Because of the design of the TCP/IP protocol, well-known ports (0-1023) are not used, leaving ports 1024 to 65535 to be mapped against a single external IP address.
Whilst over 64000 connections could be mapped against a single IP address, it is considered good practice not to exceed 40000. If this limit is regularly exceeded, performance issues may be encountered, at which point the use of a second IP address, or a pool of IP addresses, should be considered. It can be difficult to retrofit this into an existing solution; therefore it should be factored into the design from the outset.
As a result of this mapping process it is not possible for an external host to create a connection directly to an internal host because the end-to-end connection is effectively terminated at the border device.
Although in the first instance this can appear to be a limiting factor for the usefulness of PAT, this process also has its benefits. It provides a very simple yet effective method of protecting internal hosts from external attack at the network level.
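The following Python model of a PAT state table is an added illustration and not part of this guidance. It shows the behaviour described above: ports below 1024 are never handed out, each new outbound flow receives its own public port, replies are mapped back using the stored state, an inbound packet with no matching entry is dropped, idle entries are flushed after a timeout unless traffic refreshes them, and every mapping and expiry is written to an audit list. The IP addresses and the 300-second default timeout are constructed example values.

```python
EPHEMERAL_MIN, EPHEMERAL_MAX = 1024, 65535  # well-known ports 0-1023 are never allocated

class PatTable:
    """Stateful many-to-one (hide NAT / PAT) translation table for one public IP (example model)."""

    def __init__(self, public_ip, idle_timeout=300):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout   # seconds of silence before an entry is flushed (assumed value)
        self.outbound = {}    # (src_ip, src_port, dst_ip, dst_port) -> [public_port, last_seen]
        self.inbound = {}     # (public_port, dst_ip, dst_port) -> (src_ip, src_port)
        self.used_ports = set()
        self.audit = []       # one line per mapping created or expired, for later traceability

    def _allocate_port(self):
        for port in range(EPHEMERAL_MIN, EPHEMERAL_MAX + 1):
            if port not in self.used_ports:
                self.used_ports.add(port)
                return port
        raise RuntimeError("public port pool exhausted; a second public IP is needed")

    def expire(self, now):
        # Flush entries that no traffic has refreshed within idle_timeout
        for key, (pub_port, last_seen) in list(self.outbound.items()):
            if now - last_seen > self.idle_timeout:
                del self.outbound[key]
                del self.inbound[(pub_port, key[2], key[3])]
                self.used_ports.discard(pub_port)
                self.audit.append(f"{now} EXPIRE {key[0]}:{key[1]} <- {self.public_ip}:{pub_port}")

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port, now):
        """Rewrite a packet leaving the private network; returns its new (ip, port) source."""
        self.expire(now)
        key = (src_ip, src_port, dst_ip, dst_port)
        entry = self.outbound.get(key)
        if entry is None:
            pub_port = self._allocate_port()
            entry = self.outbound[key] = [pub_port, now]
            self.inbound[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
            self.audit.append(f"{now} MAP {src_ip}:{src_port} -> {self.public_ip}:{pub_port} to {dst_ip}:{dst_port}")
        entry[1] = now                      # traffic refreshes the state
        return self.public_ip, entry[0]

    def translate_inbound(self, src_ip, src_port, dst_port, now):
        """Map a reply arriving at public_ip:dst_port back to the private host, or None to drop."""
        self.expire(now)
        entry = self.inbound.get((dst_port, src_ip, src_port))
        if entry is None:
            return None                     # no state: unsolicited connection attempt, dropped
        self.outbound[(entry[0], entry[1], src_ip, src_port)][1] = now
        return entry
```

Note that only a reply from the same external address and port that the internal host contacted matches an entry, so the table itself enforces the "no direct inbound connections" property described above.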
Audit and administration considerations
PAT is often utilised in home environments or in large scale deployments.
From an administrative point of view PAT is the simplest to implement, requiring only a single static rule to run effectively. Auditing, on the other hand, can generate large log files depending on the level of information required and the amount of traffic passing through the border device.
Without these detailed logs it is very difficult to track individual connections made through PAT. In addition, restrictions at the destination service may be difficult to enforce.