NAT and Security


What is NAT?

NAT stands for “Network Address Translation”. It is a table maintained by the router.

What does a NAT router do?

A NAT router creates a local area network (LAN) of private IP addresses and interconnects that LAN to the wide area network (WAN) known as the Internet. It allows multiple computers connected to the LAN behind the router to communicate with the external Internet. One of the key benefits of NAT routers is that the router appears to the Internet as a single machine with a single IP address. This effectively masks the fact that many computers on the LAN side of the router may be simultaneously sharing that single IP [1]. This is good for the Internet since it helps to conserve the Net’s limited IPv4 space.

What is the capacity of IPv4?

IPv4 is the fourth version of the Internet Protocol. It uses 32-bit addresses, and can thus have a maximum of 2^32 (4,294,967,296), approximately 4.29 billion addresses.

NAT and Security

Although NAT routers are not generally purchased for their security benefits, all NAT routers inherently function as low-end hardware firewalls: they prevent potentially annoying or dangerous traffic from the public Internet from passing through the router and entering the user’s private LAN [1].

However, if any malware or Trojan software were to somehow get onto any one of the machines, and that machine is on the LAN with all of the others (as it normally is), the malicious software would have access to every other uninfected machine sharing the once-secure LAN. By sending “ARP broadcasts” to the LAN, an infected machine can determine the IP and “MAC” addresses of every other machine on the LAN and go to work on them [1].
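The two points above (unsolicited inbound traffic is dropped, but LAN-to-LAN traffic never passes through the translation table) can be seen in a small model of a NAT table. This is an added example, not code from the cited sources. The class name, port numbering, and the strict "only the contacted remote may reply" filtering rule are assumptions, since real routers differ in how strictly they filter. All addresses are constructed samples.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class NatRouter:  # hypothetical model, not a real router API
    wan_ip: str
    lan: str = "192.168.1.0/24"
    next_port: int = 40000
    out_map: dict = field(default_factory=dict)  # (lan_ip, lan_port, proto) -> wan_port
    in_map: dict = field(default_factory=dict)   # (wan_port, proto) -> (lan_ip, lan_port, remotes)

    def outbound(self, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        """LAN host sends to the Internet: create or reuse a mapping, rewrite the source."""
        if ip_address(dst_ip) in ip_network(self.lan):
            # LAN-to-LAN traffic is delivered locally; the NAT table is never
            # consulted, so it offers no protection between LAN hosts.
            return None
        key = (src_ip, src_port, proto)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(self.next_port, proto)] = (src_ip, src_port, set())
            self.next_port += 1
        wan_port = self.out_map[key]
        self.in_map[(wan_port, proto)][2].add((dst_ip, dst_port))
        return (self.wan_ip, wan_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port, proto="tcp"):
        """Packet arrives on the WAN side: forward only if a LAN host asked for it."""
        entry = self.in_map.get((dst_port, proto))
        if entry is None or (src_ip, src_port) not in entry[2]:
            return None  # unsolicited: no matching table entry, packet is dropped
        lan_ip, lan_port, _ = entry
        return (src_ip, src_port, lan_ip, lan_port)

if __name__ == "__main__":
    r = NatRouter(wan_ip="203.0.113.5")
    # Two LAN hosts reach the same server; both appear as the single WAN IP.
    print(r.outbound("192.168.1.10", 51000, "198.51.100.10", 443))
    print(r.outbound("192.168.1.20", 51000, "198.51.100.10", 443))
    # The reply to the first connection is translated back to the LAN host.
    print(r.inbound("198.51.100.10", 443, 40000))
    # An unrelated Internet host probing the same port is dropped.
    print(r.inbound("198.51.100.99", 443, 40000))
    # Traffic between LAN hosts bypasses the table entirely.
    print(r.outbound("192.168.1.10", 51001, "192.168.1.20", 445))
```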

IPv6

The sixth version of the Internet Protocol does not need NAT. IPv6 solves two problems.

The primary one is that it is no longer limited as IPv4 is and doesn’t require NAT to help reduce the number of IPs exposed on the Internet. IPv6 uses 128-bit addresses and can potentially have 2^128 (around 3.4×10^38) addresses. IPv6 also does away with the weak one-way security that NAT offers, and eliminates the network vulnerability [2]. In addition, it requires the LAN to have a dedicated firewall.

References:

1. Gibson, S. (n.d.). GRC | NAT – The Security of Network Address Translation. Retrieved from https://www.grc.com/nat/nat.htm

2. Beijnum, I. (n.d.). Network Address Translation (NAT) – an in-depth look. Retrieved from http://ipv6.com/articles/nat/NAT-In-Depth.htm