Front cover - IBM Redbooks

ecoming increasingly difficult to achieve, because the number of available
address ranges is now severely limited. Also, many organizations have in the
past used locally assigned IP addresses, not expecting to require Internet
connectivity. NAT is defined in RFC1631.
The idea of NAT is based on the fact that only a small number of the hosts in a
private network are communicating outside of that network. If each host is
assigned an IP address from the official IP address pool only when the host
needs to communicate, then only a small number of official addresses are
required.
NAT modifies the IP address of an outgoing packet and dynamically translates it
to an externally routable address. NAT translation applies to the address in the
IP header only; IP data is not altered. For incoming packets, it translates the
external address to an internal address. From the point of view of two hosts that
exchange IP packets with each other, one in a secure, private network and one
in the non-secure external network, NAT looks like a standard IP router that
forwards IP packets between two network interfaces. So typically we employ
NAT wherever possible to hide details of the internal network’s private network
addressing.
It is important to note that only TCP and UDP packets are translated by NAT.
The Internet Control Message Protocol (ICMP) is used for messages and will not
operate in a NAT environment. For example, ping is an ICMP service; when you
ping a host from a non-NAT environment to a NAT environment, you will not get
an answer back because the IP address cannot be resolved.
There is another router function related to NAT called port address translation
(PAT). This allows a specific port coming from a host on one side of a router to
be represented as a different port and IP address on the other side of the router.
PAT is more commonly implemented as part of a session-layer firewall rather
than a network router.
VLANs
Virtual LANs (VLANs) are fairly recent (since around 1998) features incorporated
into the higher end switch products available. Their primary purpose is to provide
flexibility in partitioning switches into multiple LAN broadcast domains and to
facilitate spanning a broadcast domain across multiple switches. VLANs are
frequently used to improve network performance by grouping systems together
that rely on broadcast-intensive protocols such as NetBIOS and IPX. Properly
configured VLANs can be useful in security when they are used for separation
and isolation, and can eliminate the need for large numbers of smaller, dedicated
switches. They also have the advantage of not being limited to the boundaries of
a single switch, allowing the grouping criteria for systems not to be limited by
physical location. And another big advantage is being able to create multiple
Chapter 4. Security components and layers 125