Using Network Address Translation to Secure Your SOHO's Web Connection

Are you thinking of adding multiple computers to your SOHO's Internet connection? Find out what you need to know about Network Address Translation to secure your Web connection.

Jonathan Hassell

April 5, 2001


For many small office/home offices (SOHOs), having multiple computers can alleviate some workload and help manage information flow. These same companies are finding that being connected to the Internet is becoming a business requirement and, therefore, many are anxious to connect all of their PCs to the Web. However, before you add multiple computers to your Internet connection, you need to be aware of several important issues concerning network addressing.

IP Addressing
IP addresses are the unique identifiers for computers attached to a TCP/IP network. An IPv4 address is written as four numbers (octets) separated by periods (e.g., 204.171.64.2). The original classful scheme divides ordinary unicast addresses into three classes (class A, class B, and class C) according to how many hosts can reside in each network. A class A address consists of an 8-bit network portion (first octet 1 through 126) and a 24-bit host portion, giving 126 class A networks of 16,777,216 host addresses each. A class B address consists of a 16-bit network portion (first octet 128 through 191) and a 16-bit host portion, giving 16,384 class B networks of 65,536 host addresses each. A class C address consists of a 24-bit network portion (first octet 192 through 223) and an 8-bit host portion, giving 2,097,152 class C networks of 256 host addresses each (254 of them usable, because the all-zeros and all-ones host values are reserved for the network and broadcast addresses).

Each region of the world has an appointed IP address allocation authority that distributes IP addresses to ISPs and other large customers. The major problem with IP addressing these days is that the allocation authorities have already assigned most class A and class B space, which leaves class C as the only address type still widely available: 2,097,152 networks of 256 addresses, or 536,870,912 addresses in total. Routing requirements mean that allocation authorities hand out address space in whole network blocks (for a class C network, 256 addresses) rather than single addresses, leaving ISPs responsible for assigning individual addresses to their customers. Although the number of addresses available seems large, with the rapid increase in Internet users, these addresses won't last long.

Because IP addresses are becoming scarce, most ISPs assign one address per customer. Most customers receive a dynamically assigned address every time they connect to their ISP's network. Large businesses can afford to buy more addresses from either the ISP or the assigning authority, but for most SOHO users, the cost far outweighs the benefits. With only one IP address, a SOHO user can directly connect only one computer to the Internet at a time, unless the SOHO uses Network Address Translation (NAT), which lets one device (a router or a gateway computer) share its single public address among multiple local computers and connect them all at the same time.

NAT Addressing
NAT works by translating an IP address used within one network to a different IP address known within another network. As a SOHO user, you designate one network as the internal network and the other as the external network. In most NAT implementations, the gateway rewrites the private source address (and usually the source port) of each outgoing packet to one or more outside global IP addresses, records that mapping in a state table, and reverses the translation on the packets that come back. (This procedure improves network security as a side effect: an incoming packet is forwarded to an internal host only if it matches an entry created by a previous outgoing request or an inbound mapping you configured explicitly, so unsolicited connection attempts from the Internet are dropped by default. Note that this is a consequence of the state table, not a firewall policy: NAT does not inspect what the permitted traffic carries, and any inbound mapping you create is fully exposed. NAT gateways also can log traffic because all network activity coming from and going to the Internet must pass through the gateway. You can examine the log for information such as which users generate traffic or which destinations they contact, another good way to keep an eye on your internal network's security.) NAT also saves on the number of global IP addresses that you need by using one IP address to communicate with the rest of the world.

NAT can ease your SOHO administrative headaches by helping you divide (compartmentalize) your network. The smaller parts advertise only one public IP address to the outside. You can add or remove computers or change their addresses without damaging routing on external networks. With inbound mapping and port filtering, you can move services such as Web and mail servers to different machines without making changes on external clients. Additionally, most NAT gateways inspect and rewrite the IP header (and, for port-based translation, the TCP or UDP header) of every packet they forward, which makes the gateway a natural choke point for monitoring and filtering. You can divide the internal network that your NAT gateway serves into several separate subnetworks, which can further simplify network administration and let you connect more computers to your internal network.
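The translation and state-matching behaviour described in the two paragraphs above, as an added worked example in Python. This is illustrative code written for this page, not code from the article or from any NAT product; the gateway, client, and remote addresses (198.51.100.1, 192.168.1.0/24, 203.0.113.0/24) are constructed documentation-range values, and the port numbers and the `NatGateway` class are assumptions made for the demo. It shows an outbound flow being rewritten to the public address, the matching reply being translated back, an unsolicited packet and a packet from the wrong peer being dropped, and a static inbound mapping exposing an internal Web server on port 80:

```python
# Added example (not code from the article): a minimal model of a stateful NAT
# gateway doing port-based translation. All addresses below are constructed
# documentation-range values chosen for this demo.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Just the header fields a NAT gateway rewrites or consults."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatGateway:
    """One public address shared by an internal network.

    Outbound packets get their source rewritten to (public_ip, public_port) and
    the flow is recorded. Inbound packets are translated only if they match a
    recorded flow (return traffic) or an explicit inbound mapping; anything
    else is dropped and logged. The drop is a side effect of the state table,
    not a firewall policy, which is the caveat made in the text above.
    """

    def __init__(self, public_ip: str, first_dynamic_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_dynamic_port
        # (proto, inside_ip, inside_port, remote_ip, remote_port) -> public_port
        self.flows: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, public_port) -> (inside_ip, inside_port, remote_ip, remote_port)
        self.reverse: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        # (proto, public_port) -> (inside_ip, inside_port): static port forwards
        self.static: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.log: List[str] = []

    def add_inbound_mapping(self, proto: str, public_port: int,
                            inside_ip: str, inside_port: int) -> None:
        """Expose an internal service (e.g. a Web server) on the public address.
        Dynamic ports start at 40000, so low service ports cannot collide."""
        self.static[(proto, public_port)] = (inside_ip, inside_port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self.flows.get(key)
        if public_port is None:  # new flow: allocate a public port and record it
            public_port = self.next_port
            self.next_port += 1
            self.flows[key] = public_port
            self.reverse[(pkt.proto, public_port)] = key[1:]
        self.log.append(f"OUT {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} "
                        f"as {self.public_ip}:{public_port}")
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as delivered inside, or None if it is dropped."""
        if pkt.dst_ip != self.public_ip:
            self.log.append(f"DROP {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip} (not ours)")
            return None
        flow = self.reverse.get((pkt.proto, pkt.dst_port))
        if flow is not None:
            inside_ip, inside_port, remote_ip, remote_port = flow
            # Only the peer the inside host actually contacted may use this entry.
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                self.log.append(f"IN  {pkt.src_ip}:{pkt.src_port} -> {inside_ip}:{inside_port} (reply)")
                return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.proto)
            self.log.append(f"DROP {pkt.src_ip}:{pkt.src_port} -> :{pkt.dst_port} (wrong peer)")
            return None
        mapping = self.static.get((pkt.proto, pkt.dst_port))
        if mapping is not None:  # port forward: this service is fully exposed
            inside_ip, inside_port = mapping
            self.log.append(f"IN  {pkt.src_ip}:{pkt.src_port} -> {inside_ip}:{inside_port} (forward)")
            return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.proto)
        self.log.append(f"DROP {pkt.src_ip}:{pkt.src_port} -> :{pkt.dst_port} (unsolicited)")
        return None


def demo() -> dict:
    """Walk one outbound flow, its reply, two rejected packets, and a port forward."""
    gw = NatGateway("198.51.100.1")
    # The Web server was moved to another internal box and port; outside clients see no change.
    gw.add_inbound_mapping("tcp", 80, "192.168.1.20", 8080)
    out = gw.translate_outbound(Packet("192.168.1.10", 51234, "203.0.113.5", 80))
    again = gw.translate_outbound(Packet("192.168.1.10", 51234, "203.0.113.5", 80))
    reply = gw.translate_inbound(Packet("203.0.113.5", 80, "198.51.100.1", out.src_port))
    wrong_peer = gw.translate_inbound(Packet("203.0.113.77", 80, "198.51.100.1", out.src_port))
    unsolicited = gw.translate_inbound(Packet("203.0.113.77", 4444, "198.51.100.1", 40001))
    web = gw.translate_inbound(Packet("203.0.113.9", 3000, "198.51.100.1", 80))
    return {"out": out, "again": again, "reply": reply, "wrong_peer": wrong_peer,
            "unsolicited": unsolicited, "web": web, "log": gw.log}


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

Running the demo prints the gateway log: the same internal flow reuses the public port it was given, the reply from 203.0.113.5 is delivered to 192.168.1.10, the two packets that match no flow (or come from the wrong peer) are dropped, and the packet to public port 80 reaches the Web server on 192.168.1.20:8080 regardless of who sent it, which is exactly why inbound mappings deserve a real firewall rule in front of them.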

In future columns, we'll look at specialized NAT devices that contain a DHCP server. Using DHCP, client computers can search for a DHCP server and receive their TCP/IP setup information automatically. If the DNS server address changes, for example, a SOHO administrator needs to make only one change at the DHCP server; all clients will automatically start using the new address the next time they contact the server.

NAT offers an easy and efficient way to connect more computers to the Internet, with a useful measure of protection for the internal network, without having to wait for a major new IP addressing structure. Offering administrative flexibility and performance, NAT is quickly becoming the standard for shared access.
