12.07.2015

Symantec™ Security Gateways Reference Guide - Sawmill
Network address translation

Network Address Translation (NAT) establishes a relationship between the real IP address of a packet and a translated IP address. This is commonly done to translate packets on non-routable networks into routable packets for travel across public networks, or to mask externally-sourced packets and make them appear as internally-sourced. NAT also provides a method of guaranteeing that return traffic is routed back to the appropriate security gateway.

Understanding NAT

NAT is most often used for true address hiding and to alleviate the IPv4 address shortage. NAT partitions and controls network traffic. NAT is also used when connections to protected resources must originate from a specific network. For example, a secure Telnet server on a protected network may only allow connections that originate from that protected network; the connection is denied for anyone else attempting to use the service. Using NAT, the security gateway changes the source address of an external request to a protected network IP address. The internal server allows the translated connection, believing the connection originated internally. Because the server can no longer tell a translated external connection from a genuinely internal one, the security gateway rule that permits the external request becomes the effective access control for that service.

NAT pools establish a range of one or more IP addresses used in address translation. Typically, addresses in these pools are part of the existing protected network. For example, if the protected network is 192.168.1.x and the first 50 addresses are in use by hosts on that network, a NAT pool could be created that starts at 192.168.1.51. This pool can be as large as the number of remaining unused addresses.

Warning: Never assign addresses to a NAT pool if they are already in use by a host. This causes network failure.

The security gateway can translate source addresses for transmitted packets and destination addresses for received packets. NAT substitutes the source IP address of incoming packets (src becomes src') with one from the assigned pool. The security gateway maintains a table of the pairings so that return traffic is switched back to the original IP address. As return packets arrive, the security gateway consults the table and switches the destination address (dst' back to dst) to match the original incoming source address.

NAT addresses do not time out. As long as the connection is active, the client owns the allocated address. VPN connections are handled the same way; the NAT address supplied to the VPN connection does not time out. However, tunnels themselves can time out due to inactivity or maximum connection time limits. When this happens, the connection is dropped, and the NAT address is released back to the pool.

Note: Traffic must pass through the proxies to be translated by NAT.

NAT can also be applied statically on a client-by-client basis: a specific address is always assigned when a connection request from that client arrives. This is commonly used when routing requires the use of NAT and clients that connect need to be distinguished from other similar clients. For example, assume you have a Web server on a protected network that only accepts connections from other hosts on the same network, and that you want to grant access to that Web server to several partner companies. You could create several NAT address transforms, one for each company. Whenever anyone from a company connects, they are always assigned the same IP address. By doing this, you can look locally to see which addresses are in use and understand which companies are currently connected.

Anti-spam measures

The security gateway includes several features that help control the receipt of unsolicited email, often referred to as spam. Spam generally arrives in the form of bulk email, improperly formatted SMTP traffic, email with specific subjects, or email from locations known to facilitate spam (open relays). For organizations, dealing with spam is expensive because it places an undue burden on network resources and eats into employees' productive work hours.
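The NAT behaviour described in the sections above (a pool carved out of the protected network that must not overlap live hosts, a pairing table that rewrites src on the way in and dst on the way back, addresses held until the connection or tunnel drops, and static per-client transforms for partner companies) can be modelled in a few dozen lines. The following Python is an added illustration, not code from the Symantec guide or the security gateway itself; the network 192.168.1.0/24 with hosts .1 through .50 in use and the pool starting at .51 follow the guide's example, while the partner addresses (203.0.113.10, 198.51.100.7, 192.0.2.33) and the internal Web server 192.168.1.20 are constructed for the demonstration.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Minimal 4-tuple of a packet as seen by the gateway."""
    src: str
    dst: str
    sport: int
    dport: int


class NatPool:
    """Dynamic NAT pool plus pairing table, modelled on the guide's description:
    addresses never time out on their own; they return to the pool only when the
    owning connection (or VPN tunnel) is dropped."""

    def __init__(self, network: str, first_free: str, in_use: set[str], size: int | None = None):
        net = ipaddress.ip_network(network)
        start = ipaddress.ip_address(first_free)
        candidates = [ip for ip in net.hosts() if ip >= start]
        if size is not None:
            candidates = candidates[:size]
        # The guide's warning: a pool address already used by a host causes a
        # network failure, so refuse to build such a pool at all.
        clash = [str(ip) for ip in candidates if str(ip) in in_use]
        if clash:
            raise ValueError(f"pool overlaps live hosts: {clash}")
        self.free = [str(ip) for ip in candidates]
        self.static: dict[str, str] = {}     # client src -> fixed pool address
        self.table: dict[str, str] = {}      # translated src' -> original src
        self.by_client: dict[str, str] = {}  # original src -> translated src'

    def reserve_static(self, client: str, address: str) -> None:
        """Static transform: this client is always mapped to the same address."""
        if address not in self.free:
            raise ValueError(f"{address} is not free in the pool")
        self.free.remove(address)
        self.static[client] = address

    def outbound(self, pkt: Flow) -> Flow:
        """Packet entering the protected network: rewrite src to src'."""
        src2 = self.by_client.get(pkt.src)
        if src2 is None:
            if pkt.src in self.static:
                src2 = self.static[pkt.src]
            elif self.free:
                src2 = self.free.pop(0)
            else:
                raise RuntimeError("NAT pool exhausted")
            self.by_client[pkt.src] = src2
            self.table[src2] = pkt.src
        return Flow(src2, pkt.dst, pkt.sport, pkt.dport)

    def inbound(self, pkt: Flow) -> Flow:
        """Return traffic: consult the table and rewrite dst' back to dst."""
        if pkt.dst not in self.table:
            raise LookupError(f"no translation for return traffic to {pkt.dst}")
        return Flow(pkt.src, self.table[pkt.dst], pkt.sport, pkt.dport)

    def release(self, client: str) -> None:
        """Connection or tunnel dropped: dynamic addresses go back to the pool,
        static ones stay parked for their client."""
        src2 = self.by_client.pop(client, None)
        if src2 is None:
            return
        del self.table[src2]
        if client not in self.static:
            self.free.append(src2)

    def connected_clients(self) -> dict[str, str]:
        """Who currently holds which translated address (the 'look locally' check)."""
        return dict(self.by_client)


def demo() -> dict:
    # Constructed scenario: hosts .1-.50 are live, pool is .51-.60.
    in_use = {f"192.168.1.{i}" for i in range(1, 51)}
    pool = NatPool("192.168.1.0/24", "192.168.1.51", in_use, size=10)
    # One static transform per partner company (addresses are hypothetical).
    pool.reserve_static("203.0.113.10", "192.168.1.60")
    pool.reserve_static("198.51.100.7", "192.168.1.59")
    out_a = pool.outbound(Flow("203.0.113.10", "192.168.1.20", 40000, 80))
    out_x = pool.outbound(Flow("192.0.2.33", "192.168.1.20", 40001, 80))
    back = pool.inbound(Flow("192.168.1.20", out_x.src, 80, 40001))
    active = pool.connected_clients()
    pool.release("192.0.2.33")  # its tunnel hit the inactivity limit
    return {"partner_a": out_a.src, "dynamic": out_x.src, "return_dst": back.dst,
            "active": active, "free_after": len(pool.free)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the partner always landing on 192.168.1.60 while an unlisted client takes the first dynamic address, the Web server's reply to that address being rewritten back to the real client, and the dynamic address returning to the pool only after the tunnel is dropped. A real gateway keys its table on the full connection tuple rather than the source address alone; the address-level table here is enough to show the pairing and release rules the guide describes.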
