How to properly apply Network Address Translation (NAT) technology

xiaoxiao 2021-03-06

Preface: As the Internet keeps growing at an exponential rate, public network addresses have become precious, and allocating them to a private network is considered a waste of valuable virtual real estate. The Network Address Translation (NAT) standard therefore exists so that certain IP address ranges can be set aside for reuse by private networks. This article explains how to apply NAT technology.

I. Definition of NAT

NAT, in full Network Address Translation, is an IETF standard that allows an organization to appear on the Internet under a single address. NAT converts the address of each local area network node into one IP address, and vice versa. It can also be applied in firewall technology: individual IP addresses are hidden from the outside world, so outside parties cannot reach internal network devices directly. It also helps a network get past the address shortage by arranging the use of public Internet addresses and private IP addresses within the network sensibly.

II. Basic principle and types of NAT

1. Basic principle of NAT

NAT helps solve the headache of IP address shortage and can isolate the internal network from the external network, providing a certain degree of network security. The problem it solves is this: internal addresses are used inside the internal network, and NAT translates those internal addresses into legitimate IP addresses on the Internet, which means replacing the address fields in the IP packet with legitimate IP addresses. NAT functionality is usually integrated into routers, firewalls, ISDN routers, or standalone NAT devices. The NAT device maintains a state table that maps the non-routable (illegal) internal IP addresses to legitimate IP addresses. Each packet passing through the NAT device is translated to a correct IP address, which places a certain burden on the processor, but for an ordinary network this burden is insignificant.
2. Types of NAT

NAT comes in three types: static NAT, dynamic address NAT (pooled NAT), and network address port translation, NAPT (port-level NAT). Static NAT is the simplest and easiest to implement: each host in the internal network is permanently mapped to a legitimate address in the external network. Dynamic address NAT defines a pool of legitimate addresses in the external network and maps them to the internal network by dynamic allocation. NAPT maps internal addresses to a single IP address of the external network using different ports. Each of the three NAT schemes has its own advantages and disadvantages, depending on the requirements.

Dynamic address NAT only translates the IP address: it assigns a temporary external IP address to each internal IP address. It is mainly used for dial-up, and can also be used for frequent remote connections. When a remote user connects, dynamic address NAT assigns an IP address to him; when the user disconnects, that IP address is released and kept for later use.

Network address port translation, NAPT (Network Address Port Translation), is the more familiar form. NAPT is generally applied on access devices, where it can hide a small or medium-sized network behind one legitimate IP address. Unlike dynamic address NAT, NAPT maps internal connections to a single IP address in the external network while adding a TCP port number chosen by the NAT device. When NAPT is used on the Internet, all the different TCP and UDP flows appear to originate from the same IP address. This advantage is very practical in a small office: multiple connections are passed through NAPT to the Internet over the single IP address applied for from the ISP. In fact, many SOHO remote access devices support PPP-based dynamic IP addresses.

In this way the ISP does not even need to support NAPT, and several internal IP addresses can share one external IP address. Although this causes some congestion on the link, NAPT is still worthwhile considering the ISP fees saved and the ease of management.

III. Using NAT

With NAT, all machines in your local area network can reach the Internet through one server, and a single IP address for that server is enough. Before NAT existed, we had to install SOCKD on the server, and every client had to support SOCKD in order to connect out through the server's SOCKD. The biggest problem with that approach is that usually only Telnet / FTP / WWW browsers support SOCKD and other programs cannot be used, and SOCKD is somewhat slow. So instead we use NAT: the clients need not do anything except set their gateway to the server, and all programs (such as Kali / Kahn, etc.) can then be used.

The simplest NAT device has two network connections: one to the Internet and one to the private network. The private network uses private IP addresses (sometimes called "Network 10" addresses, the range starting at 10.0.0.0), and packets destined for the Internet are sent directly to the NAT device. Unlike an ordinary router, a NAT device actually modifies the packet header, turning the source address from the private network into the NAT device's own Internet address, whereas an ordinary router only reads the source and destination addresses and forwards the packet towards its destination.

IV. Security policy for applying NAT

1. Security issues of applying NAT

When NAT is used, a host on the Internet appears to communicate directly with the NAT device, not with the real host in the private network.
Incoming packets are sent to the IP address of the NAT device, and the NAT device replaces the destination address in the header, its own Internet address, with the private network address of the true destination host. The result is that hundreds, thousands or even millions of hosts with private addresses can sit behind one globally unique IP address. But this actually has a defect. Many Internet protocols and applications rely on a real end-to-end network, in which packets are not modified on their way from the source address to the destination address. For example, the IP security architecture (IPsec) cannot be used across a NAT device, because the original packet header containing the original IP source address is covered by a digital signature; if the source address is changed, the digital signature is no longer valid.

NAT also creates management challenges for us. Although NAT is a nice solution for organizations, branches or departments that lack enough globally unique Internet addresses, it becomes a serious problem when a reorganization, merger or acquisition requires two or more private networks to be integrated. Even when the organizational structure is stable, NAT systems cannot be nested in multiple layers, which causes routing problems.

2. Security policy for applying NAT

When we change the IP addresses of a network, we must carefully consider the impact on the existing security mechanisms in the network. For example, a firewall decides whether to pass a packet according to the TCP port number, the destination address, the source address and other information contained in the IP header. The firewall filtering rules may have to change depending on where the NAT device is located, because NAT changes the source or destination address. If a NAT device, such as an internal router, is placed on the side protected by the firewall, all the security rules that control network traffic behind the NAT device will have to be changed. In many networks the NAT mechanism is implemented on the firewall itself, so that the firewall provides dual control over network access and address translation.
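The IPsec point above, shown as an added example that is not part of the original article: a keyed hash over the header stands in for the digital signature that covers the IP source address, and the addresses, key and payload are constructed values.

```python
# Constructed illustration, not the article's code: an integrity tag that covers the
# source and destination addresses (as IPsec AH does) no longer verifies after NAT
# rewrites the source address in transit.
import hmac
import hashlib

KEY = b"constructed-shared-key"  # stands in for the IPsec security association key

def protect(src, dst, payload, key=KEY):
    """Sender side: compute a tag over the addresses and the payload."""
    msg = f"{src}|{dst}|".encode() + payload
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify(src, dst, payload, tag, key=KEY):
    """Receiver side: recompute the tag over the header as actually received."""
    return hmac.compare_digest(protect(src, dst, payload, key), tag)

def nat_rewrite_source(src, public_ip="203.0.113.5"):
    """The NAT device replaces a private ("Network 10") source address with its own."""
    return public_ip if src.startswith("10.") else src

def demo():
    """Returns (verifies without NAT, verifies after NAT) for one constructed packet."""
    src, dst, payload = "10.0.0.11", "198.51.100.7", b"hello"
    tag = protect(src, dst, payload)
    direct_ok = verify(src, dst, payload, tag)               # no NAT in the path
    via_nat_ok = verify(nat_rewrite_source(src), dst, payload, tag)  # header changed
    return direct_ok, via_nat_ok
```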

Unless you can strictly define which network connections may undergo NAT translation, do not place the NAT device outside the firewall. Any attacker who can make NAT mistakenly believe that his connection request is allowed can then access your network under the identity of an authorized user. If the company is at the forefront of network technology and uses the IP Security protocol (IPsec) to build a virtual private network (VPN), a wrongly placed NAT device will ruin the plan. In principle, the NAT device should be placed on the protected side of the VPN, because NAT needs to change the address fields in the IP header, and those fields cannot be changed under the IPsec header, which is what makes it possible to know exactly which workstation an original packet came from. If the IP address is changed, the IPsec security mechanism is invalidated: since the source address can be changed, the content of the message can no longer be trusted.

NAT should therefore be applied in the system according to the following strategies:

1. Network address translation module. The NAT module is the core part of the system and the only module related to the network layer, so this part should be closely combined with, or directly modify, the network layer of the UNIX system itself. The module is further subdivided into a packet switching sub-module, a packet header replacement sub-module, a rule processing sub-module, a connection sub-module, a real address allocation sub-module and a transport layer filtering sub-module.

2. Centralized access control module. This can be further subdivided into a request authentication sub-module and a connection relay sub-module. The request authentication sub-module is mainly responsible for exchanging identity authentication information through a trusted security mechanism in order to identify legitimate users, and for determining the form of the subsequent connection according to the priority pre-assigned to the user. The main function of the connection relay sub-module is to establish the final connection channel and, where needed, pass the authenticated user identity information on to the internal server so that the authentication process required by the relevant service protocol can be completed.

3. Temporary access port table. In order to distinguish the service object of each packet and prevent an attacker from connecting to internal hosts, the gateway records the temporary port, protocol type and internal host address used by each internal host in a temporary port use table. Since the gateway cannot know in advance which temporary ports an internal host may use, the table is generated dynamically by the gateway from the packets it receives. For incoming packets, the firewall only lets through packets permitted by the access control table or registered in the temporary port use table.

4. Authentication and access control system. This includes a user authentication module and an access control module, which implement user identification and the security policy. The user authentication module uses one-time password authentication to identify remote and local users, protecting legitimate users' access and restricting access by illegitimate users. It has both a Telnet and a Web implementation to meet the needs of users in different system environments. The access control module is based on the discretionary access control (DAC) policy using ACLs, and decides whether a user is authorized according to the user (group), address (group), service type, service time and other access control factors.

5. Network security monitoring system. The monitoring and intrusion detection system runs as a system-side monitoring process, responsible for receiving all information entering the system, analyzing and classifying packets, and raising alarms on possible intrusions. For illegal access by legitimate users and any access by illegitimate users, the monitoring system disconnects the connection promptly and carries out tracking and inspection.

6. Web-based firewall management system. The management system is responsible for the configuration and monitoring of the network address translation module, the centralized access control module, the authentication and access control system, the monitoring system and so on.
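The NAPT behaviour described in section II.2 and the dynamically generated temporary port use table of strategy 3 above, as one added example that is not part of the original article: a toy gateway rewrites outbound sources to a single public address plus a chosen port, records the mapping, and delivers inbound packets only when they match a recorded entry. The public IP, internal hosts, ports and server address are constructed values.

```python
# Constructed illustration, not the article's code.
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.5"  # the gateway's single ISP-assigned address (constructed)

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NaptGateway:
    """NAPT: many private hosts share PUBLIC_IP, told apart by the port the gateway picks."""
    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}    # (proto, internal_ip, internal_port) -> external_port
        self.port_table = {}  # (proto, external_port) -> (internal_ip, internal_port)

    def translate_outbound(self, pkt):
        """Rewrite the source to the public address plus a chosen port and register the
        mapping: this is the temporary port use table, built from observed packets."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.port_table[(pkt.proto, self.next_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return Packet(pkt.proto, self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt):
        """Deliver an Internet-side packet only if its destination port is registered;
        an unsolicited packet aimed at the gateway is dropped (returns None)."""
        target = self.port_table.get((pkt.proto, pkt.dst_port))
        if pkt.dst_ip != self.public_ip or target is None:
            return None
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, *target)

def demo():
    """Two internal hosts using the same source port reach one web server via one public IP."""
    gw = NaptGateway()
    a = gw.translate_outbound(Packet("tcp", "10.0.0.11", 51000, "198.51.100.7", 80))
    b = gw.translate_outbound(Packet("tcp", "10.0.0.12", 51000, "198.51.100.7", 80))
    reply_a = gw.translate_inbound(Packet("tcp", "198.51.100.7", 80, gw.public_ip, a.src_port))
    unsolicited = gw.translate_inbound(Packet("tcp", "198.51.100.7", 80, gw.public_ip, 22))
    return a, b, reply_a, unsolicited
```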

Please cite the original address when reposting: https://www.9cbs.com/read-88558.html
