IT Baseline Protection Manual S 5.70 Network address translation (NAT)

S 5.70 Network address translation (NAT)

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

When an existing network is connected to the Internet, it is often not possible to keep using its current IP addresses, because the same addresses have already been assigned to other computers in the Internet. So that not every computer has to be reconfigured, it can make sense to translate the internal addresses into the officially registered external addresses. There are two further reasons for doing so: the way IP addresses are assigned in the local network allows conclusions to be drawn about the network's structure, which a potential attacker could exploit, and the local network frequently needs more IP addresses than are officially registered.

Translation of the internal addresses into one or more officially registered IP addresses, and vice versa, can be performed by a proxy server or by some other address translation component. Only the official address is then visible on the external side; the component forwards the packets to the respective internal computers. Since only external addresses are used outside and only internal addresses inside, the translation has to take place at the gateway between the local network and the Internet.

Some routers and packet filters offer address translation without a proxy. In this case the router or packet filter rewrites the headers of all IP packets passing through it (and recalculates the checksums affected by the change). This can be done either statically or dynamically. Static address translation is simple and fast: every internal address is mapped to exactly one external address, which of course requires one external address for each internal address.

Today dynamic address translation is more common; when there are more internal IP addresses than externally visible ones, it is unavoidable. The router or packet filter maintains an allocation table in which each internal address, together with the port number of the packet, is mapped to an external address and a newly allocated port number. Frequently only a single IP address is made visible to the outside, so that all internal addresses are hidden behind the port numbers allocated on that one address. One consequence of dynamic address translation is that normally no connection can be set up from the Internet to an internal computer: an incoming packet is only forwarded if the table contains a matching entry created by an earlier outgoing packet, unless a fixed entry has been configured explicitly for a server that is meant to be reachable. Address translation does not replace a packet filter; filtering rules must still be applied in addition.
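The allocation table described above, as an added example that is not part of the manual: a small model of dynamic address translation in Python. The external address 203.0.113.5 and the remote hosts 198.51.100.x are assumed values from the documentation address ranges, and the port pool and the traffic in demo() are constructed for illustration. Each outgoing packet creates one table entry; an incoming packet is forwarded only if it matches an entry (including the remote endpoint the connection was opened to), otherwise it is dropped. A fixed entry (add_fixed) shows the one exception under which an internal server can be reached from outside.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Only the header fields the translation acts on; payload omitted."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class DynamicNAT:
    """Many internal (address, port) pairs behind one external address.

    external_ip is the single officially registered address (the demo uses
    203.0.113.5 from the documentation range, an assumption). External ports
    are handed out from port_range; fixed entries must lie outside it.
    """

    def __init__(self, external_ip: str, port_range: Tuple[int, int] = (40000, 40999)):
        self.external_ip = external_ip
        self._first_port, self._last_port = port_range
        self._next_port = self._first_port
        # allocation table, one entry per connection:
        # (proto, internal ip, internal port, remote ip, remote port) -> external port
        self.out_table: Dict[Tuple[str, str, int, str, int], int] = {}
        # reverse table: (proto, external port) -> (internal ip, internal port,
        # remote ip, remote port); remote None means "any remote" (fixed entry)
        self.in_table: Dict[Tuple[str, int], Tuple[str, int, Optional[str], Optional[int]]] = {}

    def _allocate_port(self) -> int:
        if self._next_port > self._last_port:
            raise RuntimeError("external port pool exhausted")
        port = self._next_port
        self._next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Internal -> Internet: rewrite the source to the external address/port."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self.out_table.get(key)
        if ext_port is None:
            ext_port = self._allocate_port()
            self.out_table[key] = ext_port
            self.in_table[(pkt.proto, ext_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> internal: forward only if a table entry matches, else drop (None)."""
        if pkt.dst_ip != self.external_ip:
            return None
        entry = self.in_table.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None                      # no entry: unsolicited, dropped
        int_ip, int_port, remote_ip, remote_port = entry
        if remote_ip is not None and (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                      # entry belongs to a different remote endpoint
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port, pkt.proto)

    def add_fixed(self, ext_port: int, int_ip: str, int_port: int, proto: str = "tcp") -> None:
        """Explicit entry so that one internal server is reachable from the Internet."""
        if self._first_port <= ext_port <= self._last_port:
            raise ValueError("fixed entry must not use a dynamically allocated port")
        self.in_table[(proto, ext_port)] = (int_ip, int_port, None, None)


def demo():
    """Constructed traffic: two internal hosts with the same source port, one reply,
    one unsolicited connection attempt, one packet from the wrong peer, and one
    fixed entry for an internal web server."""
    nat = DynamicNAT("203.0.113.5")
    a = nat.outbound(Packet("192.168.1.10", 1025, "198.51.100.7", 80))
    b = nat.outbound(Packet("192.168.1.11", 1025, "198.51.100.7", 80))
    reply = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.5", a.src_port))
    unsolicited = nat.inbound(Packet("198.51.100.9", 4444, "203.0.113.5", 22))
    wrong_peer = nat.inbound(Packet("198.51.100.9", 80, "203.0.113.5", a.src_port))
    nat.add_fixed(8080, "192.168.1.20", 80)
    to_server = nat.inbound(Packet("198.51.100.9", 5555, "203.0.113.5", 8080))
    return a, b, reply, unsolicited, wrong_peer, to_server


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The two internal hosts both use source port 1025, yet each gets its own external port, which is what makes a single external address sufficient. Keying the reverse table on the remote endpoint as well is a design choice: a translator that forwards any packet arriving on an allocated port would let an arbitrary Internet host reach the internal machine for as long as the entry exists.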

If addresses that are already assigned in the Internet are used internally, the Internet computers concerned can no longer be reached from within the local network, because packets for them are delivered internally instead. The way out is to use the ranges of IP addresses that are reserved and never assigned in the Internet (known as private IP addresses: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16). Certain services have to be given special treatment in relation to address translation, e.g. traceroute or ftp: ftp transmits the client's IP address and port number inside the command channel (the PORT command), and traceroute depends on ICMP error messages that carry a copy of the original IP header, so in both cases the address information inside the payload has to be rewritten as well as the packet header.
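The special treatment of ftp mentioned above, as an added example that is not part of the manual: the client announces its own address and port in a PORT command, and a translator that only rewrites IP headers would pass the private address through unchanged, so the server could never open the data connection. The Python below parses the command, checks that the announced address belongs to the client that sent it, rewrites it to the external address and a port the translator has allocated, and returns the table entry the translator must install. The external address 203.0.113.5, the external port 40000 and the command line in demo() are constructed assumptions; is_private() covers the three private ranges named above.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Tuple

# The three ranges reserved for private networks (RFC 1918); they are never
# assigned in the Internet, so using them internally cannot shadow an Internet host.
PRIVATE_NETWORKS = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)


def is_private(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in PRIVATE_NETWORKS)


# "PORT h1,h2,h3,h4,p1,p2": four address octets and a port encoded as p1*256+p2
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def parse_port_command(line: str) -> Tuple[str, int]:
    m = PORT_RE.match(line)
    if m is None:
        raise ValueError("not a PORT command: %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range: %r" % line)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def format_port_command(ip: str, port: int) -> str:
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)


def rewrite_port_command(line: str, client_ip: str, external_ip: str, ext_port: int
                         ) -> Tuple[str, Tuple[int, str, int]]:
    """Rewrite the client's announced address/port to the external ones.

    Returns the new command line and the entry (external port, internal ip,
    internal port) the translation table needs so that the server's data
    connection to external_ip:ext_port is forwarded to the client."""
    int_ip, int_port = parse_port_command(line)
    if int_ip != client_ip:
        # The data port must belong to the client that sent the command; a PORT
        # pointing elsewhere would make the server connect to a third party.
        raise ValueError("PORT announces %s, but the command came from %s" % (int_ip, client_ip))
    return format_port_command(external_ip, ext_port), (ext_port, int_ip, int_port)


def demo():
    # constructed control-channel line: client 192.168.1.10 offers port 1025 (4*256+1)
    client_ip = "192.168.1.10"
    line = "PORT 192,168,1,10,4,1\r\n"
    assert is_private(client_ip), "internal side should use a private range"
    return rewrite_port_command(line, client_ip, "203.0.113.5", 40000)


if __name__ == "__main__":
    new_line, entry = demo()
    print(repr(new_line), entry)
```

Because the rewritten command can be a different length from the original, a real translator also has to adjust TCP sequence numbers on the control connection from that point on; the example only shows the address handling.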

To ensure that no information about the structure of the organisation's own network reaches the outside, address translation should be performed at the Internet gateway.

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999