Understanding NAT

Support for Network Address Translation (NAT) is an essential feature in many of today's Internet security products. The Internet Engineering Task Force (IETF) Request for Comments (RFC) 1631 defines NAT. It is a set of standards that lets an Internet-connected host act as an Internet gateway for internal LAN clients by translating the clients' internal network IP addresses into the appropriate address on the NAT-enabled gateway device. NAT technology protects internal client IP addresses and makes them inaccessible to Internet hosts, providing a high level of security. In addition, NAT reduces IP address procurement costs because you only need the single routable Internet address on the NAT device. NAT is also transparent: The internal network clients don't require special software or configuration to establish Internet connections; they just need to ensure that the NAT device is the default gateway to the Internet. These benefits have made NAT support a standard feature on all Internet gateway devices.

Microsoft Internet Security and Acceleration (ISA) Server's NAT implementation is SecureNAT. This product provides the security and client-transparency benefits of traditional NAT support as well as functionality that further augments ISA Server's security. Many NAT implementations provide no means of controlling or limiting Internet access for specific machines or traffic types. SecureNAT lets you control all traffic that passes through the ISA Server system. So, you can control Internet sessions from clients—even clients without client firewalls—via session attributes, such as the source or destination IP address or the protocol type in use. In addition, because ISA Server is the Internet gateway and enforces the security policies that you've defined, SecureNAT ensures that clients can't bypass security policies.

NAT is a standard feature of Windows 2000 Server's Routing and Remote Access Service (RRAS) and Win2K Professional's Internet Connection Sharing (ICS) component. (For more information about Win2K's NAT and ICS features, see "Windows 2000's Network Address Translation.") However, SecureNAT contains a superset of the NAT features found in RRAS and ICS. So, if NAT is installed or ICS is enabled for any network connection, remove it before installing ISA Server to prevent conflicts.

Several protocols and applications can't work through a NAT implementation, such as some game protocols and those that embed client IP addresses within their packets. Also, if you need to use Security Accounts Manager (SAM) or Active Directory (AD)-based users or groups to secure Internet access, SecureNAT can't help you. You must install the included firewall client software (e.g., Proxy Server's Winsock client) on each client.

TAGS: Security
Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish