Every intelligent MSP technician has an understanding of the three-letter acronyms that enable networks to function and allow traffic to flow. Network address translation, commonly referred to as “NAT”, is one of them. Without network address translation, traffic would never be able to make it past the routing device. Here is a quick breakdown of what NAT is and why we need it, and an overview of NAT tools and the security issues that go along with it.
Network Address Translation Definition
Network address translation is the remapping of IP addresses, be it by single address or subnet, via routing devices. As IP addresses are remapped, or translated, they are effectively hidden behind another IP address. This translation happens at layer three, the network layer, of the OSI model.
The most common example of this is on a home or business network. Opening a command prompt and using the ‘ipconfig’ command returns the local IP address of the device, often something in the privately designated 192.168.1.0/24 subnet. From the same device, visiting a site such as Google and using the “What is my IP address” search query returns a public IP address; generally, this is the address assigned to the public side of the gateway router.
Types of Network Address Translation
There are three different types of NAT: static, dynamic, and port address translation. Here is a breakdown of each of them.
- Static network address translation maps a single public IP address directly to a single private IP address. It is typically used for hosted servers that must be reachable from outside, such as web and FTP servers.
- Dynamic network address translation maps a pool of public IP addresses to internal private IP addresses. It is similar to static NAT and is often used in larger corporate environments that have multiple public IP addresses available.
- Port address translation maps multiple private IP addresses to a single public IP address. Each private address must be configured to respond on an individual port for this to work properly.
How NAT Helps Average Users
The most basic concept needed to understand the power of network address translation is this: there is a finite number of IPv4 addresses available for use, 4,294,967,296 to be specific. If every PC on the internet were assigned an individual, public-facing IP address, they would run out pretty quickly.
Thanks to network address translation, we don’t need to worry about this. Rather than each internet-facing device having a public IP address, NAT allows gateway routing devices to be assigned one public-facing IP address which “represents” all of the devices behind it.
How NAT Helps Network Administrators
Network administrators can use network address translation to direct traffic. Networks that host servers that need to be publicly available, such as web and FTP servers, can make these easily accessible to the outside world, thanks to NAT. This can either be done simply via one-to-one static NAT or with security in mind via port address translation.
With port address translation, traffic direction can be set up with non-standard ports. This adds a layer of security, making it harder for bad actors to find the servers that are being made accessible via NAT. Network security should always be approached at multiple levels, and an unusual port is no substitute for patching and strong authentication on the exposed server, but this is a good way to deflect opportunistic intrusion attempts at the front end of the network.
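To make the port address translation described in the list above and the port-forwarding idea in this section concrete, here is a small model of a PAT gateway (an added example, not code from the original article). The addresses and the port numbers 40000 and 8443 are constructed for illustration; the gateway keeps a table of gateway-chosen public ports for outbound flows, maps replies back through that table, publishes an internal server on a non-standard public port via a static forward, and drops anything that matches neither.

```python
from itertools import count

# Constructed sample addresses (RFC 5737 documentation ranges), not from any real network.
PUBLIC_IP = "203.0.113.10"


class PatGateway:
    """Minimal model of a PAT gateway: many private hosts share one public address.

    Outbound flows get a gateway-chosen public source port; replies are mapped
    back through that port.  Static forwards expose an internal server on a
    chosen public port, which may differ from the service's real port.
    """

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = count(first_port)   # next free public-side port
        self.outbound = {}   # (private_ip, private_port) -> public_port
        self.inbound = {}    # public_port -> (private_ip, private_port)
        self.forwards = {}   # public_port -> (private_ip, private_port), static

    def add_forward(self, public_port, private_ip, private_port):
        """Publish private_ip:private_port on public_ip:public_port."""
        self.forwards[public_port] = (private_ip, private_port)

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outbound packet; returns (src, sport, dst, dport) as seen on the internet."""
        key = (src_ip, src_port)
        if key not in self.outbound:          # new flow: allocate a public port
            port = next(self._ports)
            self.outbound[key] = port
            self.inbound[port] = key
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_in(self, src_ip, src_port, dst_port):
        """Rewrite a packet arriving at the public side, or return None to drop it."""
        target = self.inbound.get(dst_port) or self.forwards.get(dst_port)
        if target is None:                    # no flow and no forward: unsolicited, dropped
            return None
        return (src_ip, src_port, target[0], target[1])


if __name__ == "__main__":
    gw = PatGateway(PUBLIC_IP)
    gw.add_forward(8443, "192.168.1.50", 443)   # web server exposed on a non-standard port
    print(gw.translate_out("192.168.1.20", 51000, "198.51.100.5", 443))
    print(gw.translate_out("192.168.1.21", 51000, "198.51.100.5", 443))
    print(gw.translate_in("198.51.100.9", 33333, 8443))
    print(gw.translate_in("198.51.100.9", 33333, 443))
```

Two internal hosts using the same source port 51000 still get distinct public ports, which is what lets replies find the right host; the final call shows that a probe of port 443 on the public address, where no forward exists, gets nothing.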
The most popular way to administer network address translation is through network routing devices. The simplest way to break this down is into three classes of device.
- Basic consumer class - NAT is often just an on/off option. This is most common in internet service provider modems that offer routing capabilities.
- Small office/home office - These devices offer one-to-one NAT as a standard feature, which can be used for effective traffic forwarding by those who need it.
- Enterprise-level - Routing devices at this level should offer every dimension of effective network address translation, including one-to-many NAT and port address translation.
As with any other networking protocol, every managed service provider technician should have security in mind when implementing and administering network address translation. Here is a breakdown of things to consider:
Man-in-the-Middle Attacks
The name is fairly self-explanatory: an intruder gains access to the configuration and redirects traffic or retranslates addresses, with the intent of disruption or some other malicious aim.
Man-in-the-middle attacks are best prevented by following standard security measures. All network address translation devices should be protected with a strong password that is changed often, and their management interfaces should be reachable only from selected source addresses and over non-standard ports.
Out of Date Configurations
MSPs should have a quality assurance team available to make sure that all routing policies, including network address translation, are kept up to date and accurate. Furthermore, whenever changes are made to a NAT server, the technician involved should review the full rule set to be sure that the new changes don’t render other rules out of date or conflict with them.
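One way to make that review repeatable, as an added example rather than anything from the original article or a specific NAT product: a small audit over port-forward rules that flags entries pointing outside the current LAN (stale after re-addressing) and a second rule on an already-used public port (shadowed by the first). The rule tuple layout, the LAN subnet and the sample rules are constructed for illustration.

```python
import ipaddress

# Constructed sample: the LAN that NAT rules are allowed to point into.
LAN = ipaddress.ip_network("192.168.1.0/24")


def audit_forwards(rules, lan=LAN):
    """Check port-forward rules of the form (public_port, private_ip, private_port).

    Returns a list of (rule_index, problem) for rules that are stale or conflict
    with an earlier rule; an empty list means the rule set is consistent.
    """
    findings = []
    owner = {}                     # public_port -> index of the rule that first used it
    for idx, (pub_port, priv_ip, priv_port) in enumerate(rules):
        for name, port in (("public", pub_port), ("private", priv_port)):
            if not 1 <= port <= 65535:
                findings.append((idx, f"{name} port {port} out of range"))
        try:
            inside = ipaddress.ip_address(priv_ip) in lan
        except ValueError:         # not even a valid address
            inside = False
        if not inside:             # points at a host no longer (or never) in the LAN
            findings.append((idx, f"target {priv_ip} is outside {lan}"))
        if pub_port in owner:      # second rule on the same public port is shadowed
            findings.append((idx, f"public port {pub_port} already used by rule {owner[pub_port]}"))
        else:
            owner[pub_port] = idx
    return findings


if __name__ == "__main__":
    # Constructed rule set: a web server, a stale entry from an old subnet, and a duplicate.
    sample = [(8443, "192.168.1.50", 443), (2222, "10.0.0.7", 22), (8443, "192.168.1.60", 443)]
    for problem in audit_forwards(sample):
        print(problem)
```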
Network address translation, when used appropriately, is a valuable resource to managed service providers. It can be used to direct traffic as needed and helps to conserve IP addresses in the public space. While there are different types of network address translation based on need, there are tools to use and security considerations to be made for each case.
Now that network address translation is easier to understand, this is a good time to do a little research into how it can be put to better use for your managed service provider and its clients today.