UHCL CSCI 5931 - NAT and Security


– Chapter 6 – NAT and Security

•An example: the DCSL network
•PAT
•Advantages of using NAT
•Drawbacks of using NAT
•Is NAT sufficient for network security?

•Network Address Translation (NAT) is useful:
–Hide internal private IP addresses
–Conserve routable IP addresses on the Internet
•RFC1918 Address Allocation for Private Internets. Y. Rekhter, B. Moskowitz, D. Karrenberg, G. J. de Groot, E. Lear. February 1996.
•Reserved IP addresses for private networks in RFC 1918 addressing scheme:
–The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

An example: the DCSL network
•Network diagram for the UHCL Distributed Computer Security Lab (D140, D158)
–http://www.dcsl-uhcl.net/private/research/dcsl-03-22-2005-revised.html

PAT
•Port Address Translation
•The PATing router translates the source and the destination addresses depending on the port number used.
•Example: Figure 6-1 (p.130)

Advantages of using NAT
•The obvious advantage of using private address space for the Internet at large is to conserve the globally unique address space by not using it where global uniqueness is not required.
•Enterprises themselves also enjoy a number of benefits from their usage of private address space: They gain a lot of flexibility in network design by having more address space at their disposal than they could obtain from the globally unique pool. This enables operationally and administratively convenient addressing schemes as well as easier growth paths.

Drawbacks of using NAT
•Renumbering of IP addresses may be needed in some cases:
1. Once one commits to using a private address, one is committing to renumber part or all of an enterprise, should one decide to provide IP connectivity between that part (or all of the enterprise) and the Internet.
2. Another drawback to the use of private address space is that it may require renumbering when merging several private internets into a single private internet.

Is NAT sufficient for network security?
•No. It’s mainly a convenience measure.
1. It cannot replace the functionalities of a firewall: NAT does not track packet sequence numbers, TCP handshake, and UDP progress-based timers, etc.
2. It cannot replace an intrusion detection system: NAT does not concern itself with protecting the hosts from malicious data being sent on the NAT connections.
3. It cannot replace an access control
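
The PAT and "Is NAT sufficient" slides can be seen together in a simplified model, added here as an example and not taken from the course material: a port-keyed translation table that hides RFC 1918 sources, yet forwards any inbound packet that hits a mapping without reading its TCP flags or payload. The class and field names and the sample addresses (RFC 5737 documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# The three RFC 1918 blocks listed on the slide.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""        # TCP flags such as "S" or "A"; the PAT never reads them
    payload: bytes = b""   # the PAT never reads this either

class Pat:
    """Simplified PAT (assumed model): one public address, port-keyed mappings."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.out = {}    # (private ip, private port) -> public port
        self.back = {}   # public port -> (private ip, private port)

    def outbound(self, p: Packet) -> Packet:
        if not is_rfc1918(p.src):
            raise ValueError("source is not in an RFC 1918 block")
        key = (p.src, p.sport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.out[key], p.dst, p.dport, p.flags, p.payload)

    def inbound(self, p: Packet):
        # The lookup uses only the destination port: no handshake or sequence tracking.
        if p.dst != self.public_ip or p.dport not in self.back:
            return None  # no mapping exists, so there is nowhere to deliver it
        ip, port = self.back[p.dport]
        return Packet(p.src, p.sport, ip, port, p.flags, p.payload)

# Constructed sample traffic.
pat = Pat("203.0.113.5")
syn = pat.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 80, "S"))
unsolicited = pat.inbound(Packet("198.51.100.7", 80, "203.0.113.5", 40001, "S"))
# Bare ACK with data before any SYN-ACK: a stateful firewall would reject it.
stray = pat.inbound(Packet("198.51.100.7", 80, "203.0.113.5", syn.sport, "A", b"\x00" * 8))
```

The unmapped packet is dropped only as a side effect of having no table entry, while the out-of-state packet reaches the internal host unchanged; that gap is what the firewall and intrusion detection system in the list above are there to cover.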

