Impersonating the End User: Network Address Translation (NAT)

April 2008
M	T	W	T	F	S	S
« Mar		May »
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30

Posted by arlene

One of the main driving forces behind a new Internet protocol (IPv6) was the assumption that the 32-bit address used by IPv4 was not large enough to keep up with the quickly growing Internet. It was assumed that eventually the entire address space would be used up. Of course, other features of IPv6, such as the security enhancements, also are making it seem as though the Internet eventually will migrate to the newer protocol. However, when you think about how a proxy server works to use its own address instead of the address of the internal network client, it seems that the address space limitation imposed by the 32-bit address is not such a big issue anymore.

Because only addresses used by the proxy servers need to be valid and registered on the Internet, what prevents you from using any address range on the internal network? This concept, known as network address translation (NAT) is widely used today for just this purpose. The proxy server uses these addresses with valid IP addresses to conduct business for its clients.

You can use practically any address range for the workstations on the LAN. However, RFC 1597, “Address Allocation for Private Internets,” specifies a range of addresses that are set aside for private networks. When computers on the inside network need to communicate with each other, they use their actual addresses. The proxy server also has an address that falls within this range so that it can talk to both the private LAN and the Internet.

These ranges of IP addresses are exclusively set aside by the RFC for private networks, and cannot be used on the Internet. These are the address ranges:

10.0.0.0-10.255.255.255

169.254.0.1-169.254.255.254

172.16.0.0-172.31.255.255

192.168.0.0-192.168.255.255

You can accomplish several things by using these addresses for computers inside your network:

Your business needs to buy only a small address range from your ISP to use on the firewall or routers that connect your network to the Internet.
You can now use a huge address space inside your network without having to apply for a large range of addresses from your ISP.
You can use NAT for address vectoring; that is, you can let the router represent your Web service on the Internet using a single address, yet load balance the incoming requests across several servers inside the network.

Advantages and Disadvantages of a Proxy Server

As with every type of firewall, you can say good and bad things about proxy servers. Their capability to hide the identity of workstations on your network is a definite plus. Packet filters don’t do that. Proxy servers are usually highly customizable, and most come with a graphical interface to make the management chores a little more understandable than those that use a command-line set of cryptic instructions.

One thing packet filters usually excel at when compared to proxy servers is speed. Filtering a packet is not much more complicated than any other task a router does. It already must look at the information contained in the header so that it can make routing decisions. Checking a table of addresses to determine which ones are allowed and which are not isn’t much different from checking the routing table to decide where to forward a packet.

More about: Impersonating the End User: Network Address Translation (NAT)

April 6th
Filed under: Business, Security, Web Service

Web 2.0 Calendar

Web 2.0 Categories

Web 2.0 Archives