NAT (Network Address Translation) has been used for decades by network engineers to serve two primary purposes. First, it separates public addresses from private addresses, which allows for increased security. Addresses in the ranges of 192.168.x.x, 172.176.x.x and 10.x.x.x are private addresses. All other addresses 223.x.x.x and below are public addresses and must be registered. Private addresses are intended to be used by enterprise owners. NAT helps hide the enterprise structure from would-be hackers. Second, NAT conserves addresses. This is important because of the expansion of IoT devices. We need to understand NAT to see how these two objectives are met.
If you look at Figure 1, you’ll see a camera somewhere in the Internet with the public address w.x.y.z. It could be at the CEO’s home or overlooking a street or parking lot. The company’s firewall uses a public address a.b.c.d on its external interface. Within the enterprise, the camera monitor uses the private address 10.7.7.7. When a packet is sent from the camera to the monitor, it will be addressed to the firewall’s external interface. That is, it will go from source w.x.y.z to destination a.b.c.d. The firewall terminates this connection and creates a new connection between its internal interface 10.8.8.8 and the monitor at 10.7.7.7. In other words, the video packet traverses two separate connections, one between the camera and the firewall and one between the firewall and the monitor. This also allows the firewall to inspect the packet for potential threats. We say the firewall translated addresses.
Now, let’s turn to the second benefit of NAT, conserving addresses. Imagine that there are two cameras in the Internet using the addresses w.x.y.z and i.j.k.l. We could have the video flows going to two different monitors. Each camera’s video flow would travel through two distinct connections as previously described. However, at the firewall, different layer 4 port numbers would be used for the flows. Table 1 shows a sample table that a firewall might use to do this. Camera 1 sends packets from w.x.y.z to the firewall at a.b.c.d using port number 5023. These are forwarded to 10.8.8.8. Camera 2 would send its packets to a.b.c.d but would use the port number 5024. The firewall’s table would show that these packets need to be sent to monitor 10.9.9.9. Similar connections could be established for tens of thousands of devices on the outside which are sending to tens of thousands of devices on the inside. This is possible because there are over 64,000 available port numbers. All of this is accomplished using a single registered address on the external address of the firewall, a.b.c.d.
NAT is widely used but often not visible. It has become the default way to separate private networks from the Internet. Without it, we probably would never have been able to develop the Internet of Things.
Phil Hippensteel, PhD, teaches at Penn State Harrisburg. He is a regular contributor to AV Technology and Sound & Video Contractor.