[Courses] [Security] Firewall theory -- UDP and nameservers

jennyw jennyw at dangerousideas.com
Fri Mar 22 11:18:02 EST 2002


From: "Jenn Vesperman" <jenn at anthill.echidna.id.au>
> The diehard IPv4 addict's 'solution' to running out of real addresses.
> Once we force them all to move to IPv6, NAT will vanish.

There are reasons to use NAT even if you have tons of addresses, for example
if you don't have your own set of IP addresses (I remember when it was easy
to get a Class C!) and are using a CIDR block from your ISP. This way, if
you ever change providers, you don't have to readdress your systems. Also,
as someone else mentioned, there are improvements to security when using NAT
(it hides info on your network and can also make it harder to get to
workstations).

There are several types of NAT. The one that's been mentioned so far is also
called IP masquerading or hiding NAT -- where one external IP is exposed to
the rest of the world. All outgoing traffic on a network (or from specified
sets of IP addresses) appears to come from this IP address. All traffic
coming back in will be sent to the appropriate computer based on the source
port, as someone mentioned earlier. There's also IP forwarding (also called
static NAT), which is where you have an external IP that may be forwarded to
an internal IP. For example, routable address a.b.c.d might be routed to
192.168.1.4, which could be a Web server. This is common for computers
living in a DMZ. Port forwarding is another type of NAT. You could forward
a.b.c.d:80 to one machine and a.b.c.d:25 to another machine.

NAT can cause some problems with some protocols. I know when IPSEC
implementations first came out, many couldn't work through NAT, because IP
addresses were encapsulated inside the packets. Oracle SQL*Net was the same
way.

NAT between VPNs is also tricky because you need to make sure both networks
have unique addresses. You couldn't, for example, connect two offices that
used 192.168.1.x because there could be duplicate addresses. If you wanted
to connect them, one of them would have to use another addressing scheme
(e.g. 192.168.2.x).

Jen
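A toy simulation of the three behaviours described above (hiding NAT keyed on the rewritten source port, static port forwarding to a DMZ host, and the address-overlap check behind the VPN point), written as an added example that is not part of the original post; the external address, internal hosts and port range are constructed.

```python
# Toy NAT box: hiding NAT for outbound flows, static port forwarding for
# inbound, plus the address-overlap check for joining two networks.
# Added example, not code from the original post; all addresses constructed.
import ipaddress
from dataclasses import dataclass

EXTERNAL_IP = "203.0.113.10"  # stands in for the post's routable a.b.c.d

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class HidingNat:
    def __init__(self, external_ip, port_forwards=None, first_port=40000):
        self.external_ip = external_ip
        self.port_forwards = dict(port_forwards or {})  # ext port -> (ip, port)
        self.next_port = first_port   # dynamic range kept clear of forwarded ports
        self.flows = {}               # ext src port -> (internal ip, internal port)
        self.by_host = {}             # (internal ip, internal port) -> ext src port

    def outbound(self, pkt):
        """Rewrite an internal packet so it appears to come from the external IP."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.by_host:
            # A fresh external source port is the only thing that later tells
            # replies for different internal hosts apart.
            self.by_host[key] = self.next_port
            self.flows[self.next_port] = key
            self.next_port += 1
        return Packet(self.external_ip, self.by_host[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Map a packet arriving on the external IP back to an internal host, or drop it."""
        if pkt.dst_ip != self.external_ip:
            return None
        # Static forwards (a.b.c.d:80 -> DMZ web server) win, then replies to
        # known flows; anything else has no internal destination and is dropped.
        target = self.port_forwards.get(pkt.dst_port) or self.flows.get(pkt.dst_port)
        if target is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1])

def address_spaces_overlap(net_a, net_b):
    """True when two sites cannot be joined by a VPN without readdressing one."""
    return ipaddress.ip_network(net_a).overlaps(ipaddress.ip_network(net_b))
```

Two internal hosts that both use local source port 5000 get distinct external ports, which is why the reply can be delivered to the right one.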