NAT and PAT in a single device

Mar 31, 2007 11:35 GMT  ·  By

Many of you have heard of NAT and how it can protect your network or simply make connectivity easier. But what is NAT exactly? What does it stand for? How does it work? Few can answer these questions. There are different definitions on the web but many of them are beyond the comprehension of the average user.

Basically, NAT (Network Address Translation) is all about LAN (Local Area Network) computers sharing the same Internet connection. It allows multiple computers in a private network to access the Internet using the same public IP address provided by the ISP (Internet Service Provider). It also functions as a basic protection method as it limits the external contact to your local network. The machines outside your network will see only one IP address (the public one) while you can have multiple computers behind the NAT, all of them being assigned private IPs.

Network Address Translation can be found in hardware, such as the various types of gateway devices and routers, or it can be implemented entirely in software (see Internet Connection Sharing from Microsoft).

The usefulness of Network Address Translation is evident from both the network administration and the internal-network security point of view: the administrator can divide a large network as s/he pleases without any special settings having to be made. As all computers contact the Internet through a single public IP, machines in the network can be added and removed without notifying the external network.

A very useful feature of NAT is traffic logging. All communications to and from the local network have to pass through a network address translating process and it can be recorded to a log. This way, you can see every website and connection made.

The advantage of NAT is that it supports multiple internal (private IP) and external (public IP) addresses, and it supports both static and dynamic IP mapping. Static NAT consists of a one-to-one mapping of a private IP address to a public IP. This means that you can map an IP on your local network to an IP address you want to make public. This type of NAT is particularly useful if you have a server in your LAN that you want to be accessible from outside the network by public users.

For public users to be able to access your server you will have to create a NAT rule in order to map the server address to a public address. This way, only the public address will become public information and the private info stays private and out of malicious hands.

Dynamic NAT, on the other hand, secures the LAN by masking the internal configuration of the network, making it difficult for outsiders to monitor usage patterns. It also allows the use, inside the local network, of IP addresses that are not valid on the Internet. It acts as a firewall between the internal network and the public (outside) one. That translates into a computer that is part of an outside network not being able to connect to your computer unless you initiate contact.

Nowadays, all broadband routers use Dynamic NAT, as they are designed for home use and offer improved protection for your network. Although not visible at first glance in the router's settings, Static NAT is also available. It can generally be accessed in the DMZ (De-Militarized Zone) settings. Once you put a computer in the DMZ, it is automatically removed from behind the Dynamic NAT wall and its ports are exposed to the WAN connection.

PAT (Port Address Translation) functions in a similar way to NAT, but it deals with the communication ports used by the computers in the network. PAT translates the TCP or UDP port numbers used between a host on the inside and a host and port on an outside network. In practice, the TCP/IP port used by a computer behind the router is rewritten to a different one on the public side, so the original port is known only inside the network.

Also known as NAT Overload (or simply "overloading"), PAT allows the NAT-enabled router to give the computers in the network access to the Internet through the public IP assigned by the ISP. When communication to the outside network is attempted from a non-routable (private) IP, the router automatically "records" the IP address and the port number in the address translation table.

The router now has a mapping for the computer, and when packets come back from the destination (outside the network) it is a simple matter of identifying the sender by IP and the port used for the communication. The router can then forward the packet to the corresponding computer. This operation takes place for as long as the local computer is communicating with the external machine.

The NAT-enabled router functions as a "middle-man" between local computers and external systems. Its job is to translate the IPs in the network and the communication ports used by mapping the local machines. This way, the local information is not visible to the outside and attacks against it are greatly reduced.
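To make the translation table concrete, here is an added example (not code from the original article) that models the three behaviours described above in one toy router: Static NAT's one-to-one mapping for a server, PAT / NAT overload recording the private IP and port of each outgoing flow so replies can be matched and unsolicited packets dropped, and the DMZ host that receives whatever nothing else claims. The addresses, ports and the `NatRouter` class are constructed for illustration.

```python
"""Added example (not the article's own code): a toy model of the address translation
table in a home router, covering Static NAT, PAT / NAT overload and the DMZ host.
All addresses and ports are constructed."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class NatRouter:
    public_ip: str                               # the single address given by the ISP
    static: dict = field(default_factory=dict)   # private IP -> dedicated public IP
    dmz_host: Optional[str] = None               # LAN host exposed to unsolicited traffic
    table: dict = field(default_factory=dict)    # (pub_ip, pub_port) -> (priv_ip, priv_port)
    next_port: int = 40000                       # next free public-side port for PAT

    def outbound(self, src_ip: str, src_port: int) -> tuple:
        """Rewrite the source of a packet leaving the LAN; returns the public (ip, port)."""
        if src_ip in self.static:
            return (self.static[src_ip], src_port)  # Static NAT: address only, port kept
        pub = (self.public_ip, self.next_port)      # PAT: shared IP, fresh port per flow
        self.next_port += 1
        self.table[pub] = (src_ip, src_port)        # "record" who owns that public port
        return pub

    def inbound(self, dst_ip: str, dst_port: int) -> Optional[tuple]:
        """Find the LAN host for a packet arriving from the WAN; None means dropped."""
        for priv_ip, pub_ip in self.static.items():
            if pub_ip == dst_ip:
                return (priv_ip, dst_port)          # static mapping is always reachable
        if (dst_ip, dst_port) in self.table:
            return self.table[(dst_ip, dst_port)]   # reply to a flow a LAN host opened
        if dst_ip == self.public_ip and self.dmz_host:
            return (self.dmz_host, dst_port)        # DMZ host catches everything else
        return None                                 # unsolicited: the "firewall" effect

def demo() -> dict:
    """Exercise the three cases and return the observed translations."""
    r = NatRouter(public_ip="203.0.113.5", static={"192.168.1.10": "203.0.113.6"})
    a = r.outbound("192.168.1.20", 51000)           # PC 1 behind PAT
    b = r.outbound("192.168.1.21", 51000)           # PC 2: same private port, new public port
    out = {"pat_a": a, "pat_b": b,
           "reply_a": r.inbound(*a), "reply_b": r.inbound(*b),
           "unsolicited": r.inbound("203.0.113.5", 80),   # nobody asked: dropped
           "static_in": r.inbound("203.0.113.6", 80)}     # server reached via Static NAT
    r.dmz_host = "192.168.1.30"                     # put a host in the DMZ
    out["dmz_in"] = r.inbound("203.0.113.5", 80)    # the same packet is now forwarded
    return out
```

Note that two LAN hosts using the same private port still get distinct public ports, which is exactly what lets the router tell their replies apart; the only inbound packets that reach a host without an existing entry are those to a static mapping or the DMZ host.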

Photo gallery (4 images): Behind the NAT; Network Address Translation; PAT at Work.