
Topologies and IDS • Chapter 7  449


Damage & Defense…

Deploying a NAT Solution

NAT is relatively easy to implement, and there are several ways to do so. Many broadband hardware devices (cable and DSL modems) are called cable/DSL "routers" because they allow you to connect multiple computers. However, they are actually combination modem/NAT devices rather than routers, because they require only one external (public) IP address. You can also buy stand-alone NAT devices that sit between your basic cable or DSL modem and the internal network. Alternatively, the computer that is directly connected to the broadband modem can run NAT software and act as the NAT device itself. This can be an add-on program or the NAT software that is built into some OSes. Windows Server editions include a fully configurable NAT as part of the Routing and Remote Access service (RRAS); the client editions, from Windows 98SE, Me, and 2000 Professional through XP and Vista, include a "lite" version of NAT called Internet Connection Sharing (ICS).

For a quick, illustrated explanation of how NAT works with a broadband connection, see the HomeNetHelp article at www.homenethelp.com/web/explain/about-NAT.asp.

When NAT is used to hide internal IP addresses (see Figure 7.11), it is sometimes called a NAT firewall; however, do not let the word firewall give you a false sense of security. NAT by itself solves only one piece of the security perimeter puzzle: unsolicited inbound traffic is dropped only because no table entry exists for it, and once a client opens an outbound connection (or a static mapping is created) traffic flows back in with no inspection of its content. A true firewall does much more than link private IP addresses to public ones, and vice versa.


Figure 7.11 NAT Hides the Internal Addresses

[Figure: the Internet on the left, a NAT router in the middle (WAN: 42.42.42.42, LAN: 192.168.5.1), and three clients on the right at 192.168.5.112, 192.168.5.157 and 192.168.5.149.]

The NAT router keeps a translation (mapping) table of every connection request that originates from the internal network. It rewrites each outgoing packet, replacing the internal client's private source address (and, with port translation, its source port) with its own public address, and then forwards the packet to its destination (or next hop). Returning packets are matched against the table and rewritten back to the correct internal client. Requests that originate from the Internet can be delivered to an internal client only if a static mapping for them has been created in the NAT router's table.
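The following Python model is an added example, not code from the book: it implements the translation table the figure text describes (outbound rewrite, return mapping, static mapping for Internet-originated requests) and then demonstrates the "NAT is not a firewall" caveat from the paragraph above. The addresses 42.42.42.42, 192.168.5.1 and the 192.168.5.x clients are taken from Figure 7.11; the remote Internet hosts, the starting public port 40000, and the endpoint-independent ("full-cone") mapping behaviour are assumptions made for the example.

```python
"""Toy port-translating NAT (NAPT) modelled on Figure 7.11 (added example).

One public address (42.42.42.42, from the figure) is shared by clients in
192.168.5.0/24. Packets are plain Python objects and no sockets are used, so
this runs offline. Remote Internet addresses are constructed from the
198.51.100.0/24 and 203.0.113.0/24 documentation ranges (assumed values).
"""

from dataclasses import dataclass
from typing import Optional

WAN_IP = "42.42.42.42"       # NAT router's public (WAN) address, from Figure 7.11
LAN_GATEWAY = "192.168.5.1"  # NAT router's private (LAN) address, from Figure 7.11


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class NatRouter:
    """Endpoint-independent ("full-cone") NAPT, an assumed behaviour: once a
    mapping exists, inbound packets from ANY remote host hitting that public
    port are translated and delivered. Many consumer NATs behave this way."""

    def __init__(self, wan_ip: str, first_port: int = 40000) -> None:
        self.wan_ip = wan_ip
        self._next_port = first_port
        # Dynamic entries created by outbound traffic: public port -> (private ip, private port)
        self.dynamic: dict[int, tuple[str, int]] = {}
        # Reverse index so an existing flow keeps reusing its public port
        self._by_client: dict[tuple[str, int], int] = {}
        # Static mappings ("port forwards") that let Internet-originated requests in
        self.static: dict[int, tuple[str, int]] = {}

    def add_static_mapping(self, public_port: int, private_ip: str, private_port: int) -> None:
        self.static[public_port] = (private_ip, private_port)

    def _allocate_port(self) -> int:
        # Skip public ports already taken by a dynamic or static entry
        while self._next_port in self.dynamic or self._next_port in self.static:
            self._next_port += 1
        port = self._next_port
        self._next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: replace the private source ip/port with the public address/port."""
        key = (pkt.src_ip, pkt.src_port)
        public_port = self._by_client.get(key)
        if public_port is None:
            public_port = self._allocate_port()
            self.dynamic[public_port] = key
            self._by_client[key] = public_port
        return Packet(self.wan_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: deliver only if a static or dynamic entry exists for the
        public port; return None (packet dropped) when there is nowhere to send it."""
        if pkt.dst_ip != self.wan_ip:
            return None
        target = self.static.get(pkt.dst_port) or self.dynamic.get(pkt.dst_port)
        if target is None:
            return None
        private_ip, private_port = target
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port, pkt.payload)


def demo() -> dict:
    """Walk the cases from the figure text and return what each one produced."""
    nat = NatRouter(WAN_IP)
    # 1. Client 192.168.5.112 opens a web connection; its source becomes 42.42.42.42:40000.
    out = nat.outbound(Packet("192.168.5.112", 51000, "198.51.100.80", 80, "GET / HTTP/1.0"))
    # 2. The reply arrives at the public port and is translated back to the client.
    reply = nat.inbound(Packet("198.51.100.80", 80, WAN_IP, out.src_port, "HTTP/1.0 200 OK"))
    # 3a. An unsolicited probe to a port with no mapping has nowhere to go: dropped.
    probe_dropped = nat.inbound(Packet("203.0.113.9", 4444, WAN_IP, 40001, "probe"))
    # 3b. The same probe aimed at the open mapping's port is delivered: NAT is not a firewall.
    probe_passed = nat.inbound(Packet("203.0.113.9", 4444, WAN_IP, out.src_port, "probe"))
    # 4. A static mapping exposes 192.168.5.149:80 to every Internet host.
    nat.add_static_mapping(80, "192.168.5.149", 80)
    forwarded = nat.inbound(Packet("203.0.113.9", 4444, WAN_IP, 80, "GET /admin"))
    return {"out": out, "reply": reply, "probe_dropped": probe_dropped,
            "probe_passed": probe_passed, "forwarded": forwarded}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:14} {pkt}")
```

Case 3b is the point of the caveat: the only thing keeping the probe in 3a out was the absence of a table entry, and nothing in the translator looked at who sent the packet or what it carried. A stateful firewall would additionally require the inbound source to match the remote endpoint the client actually contacted and would apply policy to the static mapping in case 4.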

                                                                              www.syngress.com