NAT's the way

You may have come across the acronym NAT in the course of your networking travels. It stands for network address translation and describes a useful networking technology - so good, in fact, that almost all shared Internet connections employ it.

Put simply, NAT allows a network of PCs to access the Internet via a single IP address. Why should we need this? Surely there are enough IP addresses to go round?

More IPs please

Theoretically there are (count 'em) 4,294,967,296 unique IP addresses. The actual number available is somewhat smaller, at about 3.3 billion, thanks to the way the addresses are separated into classes and because some are set aside for testing or other special uses. It sounds like a lot, but it isn't enough.

The long-term solution to this is to redesign the format to allow for more possible variations. This is currently being developed (it's called IPv6), but will take several years to implement.

In the meantime we use NAT, as laid down in RFC 1631. Network address translation allows a single device, such as a router, to act as an agent between the Internet and a local or private network. This means that only one public IP address is required for a whole group of computers - see this screen shot.

NAT can be provided either by hardware (a router) or software (a proxy server). Either way, it hides your internal IP addresses from the outside world. With NAT you use a range of private IP addresses on your LAN (local area network). These are private in that no computer reachable on the Internet has an address in that range. So long as they're not directly connected to the Internet or to each other, many thousands of computers around the world can have identical private IP addresses.

The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private local networks:

• -
• -
• -

Also, IP addresses to are reserved for automatic private IP addressing.

Back of the 'net

Another benefit of NAT is apparent in network administration. For example, you can move your Web server (or server) to another host PC without having to worry about broken links. You simply change the inbound mapping at the router to reflect the new host. Making changes to your internal network is also easy, because the only external IP address either belongs to the router or comes from a pool of global addresses.

NAT and DHCP (dynamic host configuration protocol) work well together, too. You can choose a range of unregistered IP addresses for your private network and have the DHCP server dole them out as necessary.

It also makes it much easier to scale up your network when you want. You can just increase the range of available IP addresses configured in DHCP to immediately have room for additional computers.

Monkey business

NAT is devilishly clever. It monkeys about with each packet of data it receives from or sends to the Internet - on the fly. For a packet leaving the private network, it replaces the private source address with a globally registered IP address. For the reply coming back in, it restores the private address as the packet's destination.

So, when data is requested by a workstation, a NAT router will automatically doctor the incoming packets, removing the public IP address from them and substituting the correct private address for that workstation. If you think about it, that's a pretty nifty juggling trick.

Safe and sound

As well as greatly simplifying Internet access, NAT brings a bonus in the shape of added security. It automatically provides firewall-style protection. That's because it only allows connections that originate on the inside of the network.

This means, for example, that an internal client can connect to an outside FTP server, but an external client will not be able to connect to an internal server, because it would have to originate the connection, and NAT won't allow that. It's harder to attack hosts when you can't reach them. No inbound connections are allowed through the NAT translator unless it is specifically configured for them. This makes NAT routers into cost-effective low-end firewalls, though most routers now come with built-in hardware firewalls, too.

Only the router has a public IP address, so it, or a proxy server, has the job of working out which incoming packet belongs to which workstation. As a result, the only IP address intruders can see is the public one on the NAT device's Internet-facing port. And what's attached to that address is a simple router, not a PC, which makes it just that little bit harder to hack. If the router has password protection, it's essential to use it to deter intruders.

NAT is not totally impervious to external attack either: there are several tools - called IP spoofers - that can deduce internal "private" addresses and present themselves as local users. A simple NAT device can't keep hackers from running DoS (denial of service) attacks on you, but individuals rarely get attacked like that. It will keep out people looking for file shares, rogue mail servers and Web servers. You're even protected from most port-based exploits.

With a NAT device and a good antivirus program, you should be safe from most Internet attacks. In any case, most modern routers include a more advanced firewall that does "stateful packet inspection", or SPI.

This allows the device to filter out specific kinds of malicious traffic, such as SYN flood attacks, IP spoofing, Teardrop attacks and others. SPI is a general term for a router that filters more kinds of attacks than basic NAT by closely examining the structure of each packet and tracking the state of the connection it belongs to.

Hosting problems

NAT can cause headaches if you want to host a Web server. It will prevent any workstation on the Internet from connecting to a Web (or FTP) server on your network that has a private IP address. Luckily, there's a way around this. Most NAT devices allow you to create mapped links between the Internet and your LAN, a technique called port forwarding.

So in the case of a Web server you simply tell your router to forward all requests that come in on port 80 on its public IP address to port 80 of the private IP address of the server. In the case of an FTP server, you'd forward port 21 and so on.
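To make the translation, the inside-only connection rule and port forwarding concrete, here is an added example (not from the article or any router's firmware) of a tiny port-overloading NAT translator in Python. The class name Nat, its method names, the sample addresses and the port numbers are all constructed for illustration; the private address blocks are the well-known RFC 1918 ranges, not values taken from the article.

```python
import ipaddress

PUBLIC_IP = "203.0.113.7"   # constructed sample public address (TEST-NET-3)
# RFC 1918 private blocks: a known fact, not a value taken from the article
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip):
    """True if ip falls in one of the private blocks the router translates."""
    return any(ipaddress.ip_address(ip) in n for n in PRIVATE_NETS)

class Nat:
    """Port-overloading NAT: one public address shared by many private hosts."""
    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port          # next free public port to hand out
        self.outbound = {}   # (priv_ip, priv_port) -> public_port
        self.inbound = {}    # public_port -> (priv_ip, priv_port)
        self.forwards = {}   # static port-forward rules: public_port -> target

    def add_forward(self, public_port, priv_ip, priv_port):
        """Port forwarding: expose an internal server on a public port."""
        self.forwards[public_port] = (priv_ip, priv_port)

    def outbound_pkt(self, src_ip, src_port, dst_ip, dst_port):
        """Packet leaving the LAN: swap the private source for the public one."""
        if not is_private(src_ip):
            raise ValueError("source is not a private address")
        key = (src_ip, src_port)
        if key not in self.outbound:         # first packet of a flow: bind a port
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def inbound_pkt(self, src_ip, src_port, dst_ip, dst_port):
        """Packet from the Internet: restore the private destination, or drop."""
        if dst_ip != self.public_ip:
            return None
        target = self.inbound.get(dst_port) or self.forwards.get(dst_port)
        if target is None:
            return None       # no inside-originated flow and no forward rule
        return (src_ip, src_port) + target
```

An unsolicited packet to the public address is dropped until a forward rule for its port exists, which is exactly the "low-end firewall" behaviour described above.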

Personally, I use Small Business Server 2003's Remote Web Workplace. For this to work, it requires about half a dozen ports to be forwarded at the router.