Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Address Translation (NAT) CS-480b Dick Steflik.

Published byHerbert Williams Modified over 9 years ago

Similar presentations

Presentation on theme: "Network Address Translation (NAT) CS-480b Dick Steflik."— Presentation transcript:

1 Network Address Translation (NAT) CS-480b Dick Steflik

2 Network Address Translation RFC-1631 A short term solution to the problem of the depletion of IP addresses Long term solution is IP v6 (or whatever is finally agreed on) CIDR (Classless InterDomain Routing ) is a possible short term solution NAT is another NAT is a way to conserve IP addresses Hide a number of hosts behind a single IP address Use: 10.0.0.0-10.255.255.255, 172.16.0.0-172.32.255.255 or 192.168.0.0-192.168.255.255 for local networks

3 Translation Modes Dynamic Translation (IP Masquerading) large number of internal users share a single external address Static Translation a block external addresses are translated to a same size block of internal addresses Load Balancing Translation a single incoming IP address is distributed across a number of internal servers Network Redundancy Translation multiple internet connections are attached to a NAT Firewall that it chooses and uses based on bandwidth, congestion and availability.

4 Dynamic Translation ( IP Masquerading ) Also called Network Address and Port Translation (NAPT) Individual hosts inside the Firewall are identified based on of each connection flowing through the firewall. Since a connection doesn’t exist until an internal host requests a connection through the firewall to an external host, and most Firewalls only open ports only for the addressed host only that host can route back into the internal network IP Source routing could route back in; but, most Firewalls block incoming source routed packets NAT only prevents external hosts from making connections to internal hosts. Some protocols won’t work; protocols that rely on separate connections back into the local network Theoretical max of 2 16 connections, actual is much less

5 Static Translation Map a range of external address to the same size block of internal addresses Firewall just does a simple translation of each address Port forwarding - map a specific port to come through the Firewall rather than all ports; useful to expose a specific service on the internal network to the public network

6 Load Balancing A firewall that will dynamically map a request to a pool of identical clone machines often done for really busy web sites each clone must have a way to notify the Firewall of its current load so the Fire wall can choose a target machine or the firewall just uses a dispatching algorithm like round robin Only works for stateless protocols (like HTTP)

7 Network Redundancy Can be used to provide automatic fail-over of servers or load balancing Firewall is connected to multiple ISP with a masquerade for each ISP and chooses which ISP to use based on client load kind of like reverse load balancing a dead ISP will be treated as a fully loaded one and the client will be routed through another ISP

8 Problems with NAT Can’t be used with: protocols that require a separate back-channel protocols that encrypt TCP headers embed TCP address info specifically use original IP for some security reason

9 Services that NAT has problems with H.323, CUSeeMe, VDO Live – video teleconferencing applications Xing – Requires a back channel Rshell – used to execute command on remote Unix machine – back channel IRC – Internet Relay Chat – requires a back channel PPTP – Point-to-Point Tunneling Protocol SQLNet2 – Oracle Database Networking Services FTP – Must be RFC-1631 compliant to work ICMP – sometimes embeds the packed address info in the ICMP message IPSec – used for many VPNs IKE – Internet Key Exchange Protocol ESP – IP Encapsulating Security Payload

10 Hacking through NAT Static Translation offers no protection of internal hosts Internal Host Seduction internals go to the hacker e-mail attachments – Trojan Horse virus’ peer-to-peer connections hacker run porn and gambling sites solution = application level proxies State Table Timeout Problem hacker could hijack a stale connection before it is timed out very low probability but smart hacker could do it Source Routing through NAT if the hacker knows an internal address they can source route a packet to that host solution is to not allow source routed packets through the firewall

Download ppt "Network Address Translation (NAT) CS-480b Dick Steflik."

Similar presentations

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
CST 415 - Computer Networks NAT CST 415 4/10/2017 CST 415 - Computer Networks.

CST Computer Networks NAT CST 415 4/10/2017 CST Computer Networks.
CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206) 217-7048

Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206)
Defining Network Infrastructure and Security

Defining Network Infrastructure and Security
Network Security. Reasons to attack Steal information Modify information Deny service (DoS)

Network Security. Reasons to attack Steal information Modify information Deny service (DoS)
H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.

H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT 09.11.2005.

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
Virtual Private Networks. Why VPN Fast, secure and reliable communication between remote locations –Use leased lines to maintain a WAN. –Disadvantages.

Virtual Private Networks. Why VPN Fast, secure and reliable communication between remote locations –Use leased lines to maintain a WAN. –Disadvantages.
SCSC 455 Computer Security Virtual Private Network (VPN)

SCSC 455 Computer Security Virtual Private Network (VPN)
Raw Sockets CS-480b Dick Steflik Raw Sockets Raw Sockets let you program at just above the network (IP) layer You could program at the IP level using.

Raw Sockets CS-480b Dick Steflik Raw Sockets Raw Sockets let you program at just above the network (IP) layer You could program at the IP level using.
Firewalls CS-455 Dick Steflik. Firewalls Sits between two networks –Used to protect one from the other –Places a bottleneck between the networks All communications.

Firewalls CS-455 Dick Steflik. Firewalls Sits between two networks –Used to protect one from the other –Places a bottleneck between the networks All communications.
1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)

1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
NAT (Network Address Translator) Atif Karamat In the name of God the most merciful and the most compassionate.

NAT (Network Address Translator) Atif Karamat In the name of God the most merciful and the most compassionate.
Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.

Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.
1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
Understanding Networks. Objectives Compare client and network operating systems Learn about local area network technologies, including Ethernet, Token.

Understanding Networks. Objectives Compare client and network operating systems Learn about local area network technologies, including Ethernet, Token.

Similar presentations

Ads by Google