Network Address Translation (NAT)
A network address translation device obscures all details of the local network and hides the very existence of the local network. Figure 9.9 shows a network address translation device on the Internet. The NAT device serves as a gateway for computers on the local network to access the Internet. Behind the NAT device, the local network can use any network address space. The network does not have to use specially assigned Internet addresses because the local network is not even part of the Internet. The NAT device instead acts as a proxy for the local network on the Internet. When a local computer attempts to connect to an Internet resource, the NAT device makes the connection instead. Any packets received from the Internet resource are translated into the address scheme of the local network and forwarded to the local computer that initiated the connection.
A NAT device improves security because it can prevent an outside attacker from even finding out about the local network. To the outside world, the NAT device looks like a single host connected to the Internet. Even if an attacker knew the address of a computer on the local network, he would not be able to open a connection with the local network because the local addressing scheme is not contiguous with the Internet address space. A NAT device also reduces the number of Internet-compatible addresses required for an organization. Only the device itself must be accessible from the Internet. The economies of configuring fewer Internet addresses, coupled with the inherent security of a private network, make NAT devices extremely popular on both home and corporate networks.
By the Way
Security, of course, is often not what it seems. Even the seemingly foolproof security of a Network Address Translation device is susceptible to breach. NAT devices sometimes have special features for providing administrative access from the Internet, and those features can introduce vulnerabilities if they aren't locked down.
A NAT device is one form of what is called a proxy server. A proxy server is a computer that acts on behalf of other computers. The other computers can thus be isolated from the Internet. The proxy server assumes the role of communicating with the outside world and transmits any reply to the appropriate computer on the local network.
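The translation behaviour described above (the gateway replaces the local source address with its own, keeps a record of which local host opened each connection, and rewrites replies back to that host) can be made concrete with a small simulation. The following Python model is an added example, not code from the book or from any real NAT product; the address blocks (`10.0.0.0/24` for the local network, `203.0.113.5` as the NAT device's public address, and the remote hosts) are constructed sample values. It also shows the two security properties the text claims: a packet from the Internet that no local host solicited is dropped, and the remote side only ever sees the NAT device's own address and port.

```python
"""Simulated port-translating NAT gateway (constructed illustration, not a real implementation)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

NAT_PUBLIC_IP = "203.0.113.5"   # assumed public address of the NAT device (documentation range)


@dataclass(frozen=True)
class Packet:
    """Minimal IP/transport header fields needed to demonstrate translation."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class NatGateway:
    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # outbound: (local_ip, local_port, remote_ip, remote_port) -> public port used
        self.out_table: Dict[Tuple[str, int, str, int], int] = {}
        # inbound: (public_port, remote_ip, remote_port) -> (local_ip, local_port)
        self.in_table: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the local network so it appears to come from the NAT device."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self.out_table.get(key)
        if public_port is None:
            # First packet of a new connection: allocate a fresh public port and record the mapping
            public_port = self.next_port
            self.next_port += 1
            self.out_table[key] = public_port
            self.in_table[(public_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the Internet, or drop it (None) if no local host asked for it."""
        if pkt.dst_ip != self.public_ip:
            # Only the NAT device itself is reachable; local addresses are never valid on the outside
            return None
        local = self.in_table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if local is None:
            # Unsolicited connection attempt: nothing in the table, so the packet is discarded
            return None
        local_ip, local_port = local
        return Packet(pkt.src_ip, pkt.src_port, local_ip, local_port, pkt.payload)


def run_scenario():
    """Walk through outbound, reply, same-port collision and unsolicited inbound cases (constructed data)."""
    nat = NatGateway(NAT_PUBLIC_IP)
    # Two local hosts happen to use the same source port toward the same web server
    out_a = nat.outbound(Packet("10.0.0.7", 51234, "198.51.100.20", 80, "GET /"))
    out_b = nat.outbound(Packet("10.0.0.8", 51234, "198.51.100.20", 80, "GET /"))
    # The server replies to what it saw: the NAT device's address and per-connection port
    reply_a = nat.inbound(Packet("198.51.100.20", 80, out_a.src_ip, out_a.src_port, "200 OK"))
    reply_b = nat.inbound(Packet("198.51.100.20", 80, out_b.src_ip, out_b.src_port, "200 OK"))
    # An outside host probes the NAT device on a port no local host opened
    unsolicited = nat.inbound(Packet("192.0.2.99", 4444, NAT_PUBLIC_IP, 22, "probe"))
    # An outside host that somehow knows a local address still cannot reach it through the gateway
    direct = nat.inbound(Packet("192.0.2.99", 4444, "10.0.0.7", 22, "probe"))
    return out_a, out_b, reply_a, reply_b, unsolicited, direct


if __name__ == "__main__":
    for name, pkt in zip(("out_a", "out_b", "reply_a", "reply_b", "unsolicited", "direct"), run_scenario()):
        print(f"{name}: {pkt}")
```

The translation table is the whole mechanism: an inbound packet is forwarded only when it matches a mapping that an outbound packet created, which is why the text can say the NAT device prevents outsiders from reaching hosts they have not been invited by. The "By the Way" caveat fits the same model: any administrative service that the gateway itself listens on is, by definition, reachable at the public address without a table entry, so it sits outside this protection and must be secured on its own.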