Friday, January 6, 2017

Security+ Topic - NAT

Network address translation (NAT) lets many nodes on a private internal network share one public address.  It was designed to stretch the IPv4 address space, but in network security it has become a standard part of layered defense: a node behind the translating device is not directly addressable from the public side, because only the translator's own address is visible there.  Strictly speaking the protection comes from the translator's connection tracking.  An inbound packet that matches neither an established outbound session nor an explicit forwarding rule has no inside address to be delivered to and is dropped, so NAT behaves like a default-deny inbound filter even though it is not a substitute for a real firewall.  For full disclosure, "NAT" is commonly used as loose shorthand for network address translation combined with port address translation (PAT, also called NAT overload or NAPT), where the translator rewrites source ports as well as addresses so that many internal sessions can share one public address.  How the two work together in detail is outside the scope of this article; a web search will turn up good overviews.

Take for example a small business with limited money to spend on network security.  A NAT-based layout suits them well because it takes minimal effort.  Assume also that the business connects to the internet over a DSL or cable modem; the idea is not limited to that, but it keeps the example easy to follow.  Using only the consumer-grade router (the term is used loosely) that comes with NAT as standard, the business connects its public-facing server directly to a LAN port on the ISP router.  Any ports forwarded to expose services are configured on that ISP router, which keeps management simple.  A second router then has its uplink/ISP (WAN) port plugged into another LAN port on the same ISP router.  Company desktops and laptops plug into this second router and are invisible to the public-facing server.  As far as the server is concerned, every request from company users comes from the uplink address of the second router.
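To make the "invisible" claim concrete, here is a small model of what the second router is doing.  This is an added example written for this post, not code from the post or from any router vendor; every address, port and name in it is constructed for illustration.  It shows the three behaviours the layout depends on: an outbound connection from a staff PC reaches the server with the router's uplink address as its source, the server's reply is matched to the tracked flow and delivered, and an unsolicited packet aimed at the uplink address (for instance from a compromised server probing the staff network, or from a third host trying to reuse an allocated port) matches no entry and is dropped unless a port-forward rule has explicitly opened a hole.

```python
"""Model of a consumer router doing NAT overload (NAPT) on its uplink.

Added example for this post; it is not code from the post or from any
router vendor, and every address, port and hostname below is constructed
for illustration.  The inner router is the department router from the
post: its uplink sits on the ISP router's LAN, the public server sits on
that same LAN, and staff PCs live behind the inner router."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NaptRouter:
    """Translate LAN sources to the uplink address; admit only tracked
    replies or explicitly forwarded ports from the uplink side."""

    def __init__(self, wan_ip: str, lan_net: str, first_port: int = 40000):
        self.wan_ip = wan_ip
        self.lan_net = ipaddress.ip_network(lan_net)
        self.next_port = first_port
        # outbound 5-tuple -> port allocated on the uplink
        self.by_inside: dict = {}
        # (proto, wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.table: dict = {}
        # static rules: (proto, wan_port) -> (lan_ip, lan_port)
        self.forwards: dict = {}

    def forward_port(self, proto: str, wan_port: int, lan_ip: str, lan_port: int) -> None:
        """Add a port-forward rule (an explicit hole in the boundary)."""
        self.forwards[(proto, wan_port)] = (lan_ip, lan_port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> uplink: rewrite the source to wan_ip and an allocated port,
        recording the flow so the reply can be matched later."""
        if ipaddress.ip_address(pkt.src_ip) not in self.lan_net:
            raise ValueError(f"{pkt.src_ip} is not on LAN {self.lan_net}")
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        wan_port = self.by_inside.get(key)
        if wan_port is None:
            wan_port = self.next_port
            self.next_port += 1
            self.by_inside[key] = wan_port
            self.table[(pkt.proto, wan_port, pkt.dst_ip, pkt.dst_port)] = (
                pkt.src_ip, pkt.src_port)
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Uplink -> LAN: deliver a reply to a tracked flow or a packet to a
        forwarded port; anything else has no inside destination and is dropped."""
        if pkt.dst_ip != self.wan_ip:
            return None
        entry = self.table.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            entry = self.forwards.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None
        lan_ip, lan_port = entry
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)


def demo() -> dict:
    """Walk the post's topology: ISP router LAN 192.168.0.0/24, public server
    at 192.168.0.10, staff router uplink at 192.168.0.2, staff PCs in
    172.16.1.0/24 (all constructed)."""
    server = "192.168.0.10"
    staff = NaptRouter(wan_ip="192.168.0.2", lan_net="172.16.1.0/24")
    out = {}

    # 1. A staff PC connects to the server: the server only sees the uplink address.
    req = staff.outbound(Packet("172.16.1.25", 51000, server, 443))
    out["server_sees_src"] = (req.src_ip, req.src_port)

    # 2. The server's reply matches the tracked flow and reaches the PC.
    reply = staff.inbound(Packet(server, 443, req.src_ip, req.src_port))
    out["reply_reaches"] = (reply.dst_ip, reply.dst_port)

    # 3. A compromised server probing toward the staff network finds no
    #    translation entry: dropped.  Same for another host reusing the
    #    allocated port, because the table is keyed on the remote endpoint too.
    out["probe_delivered"] = staff.inbound(Packet(server, 55555, "192.168.0.2", 3389)) is not None
    out["reuse_delivered"] = staff.inbound(Packet("192.168.0.99", 443, "192.168.0.2", req.src_port)) is not None

    # 4. Forwarding a port on the staff router is exactly the hole the post
    #    warns about: now the same probe lands on a PC.
    staff.forward_port("tcp", 3389, "172.16.1.50", 3389)
    fwd = staff.inbound(Packet(server, 55555, "192.168.0.2", 3389))
    out["forward_reaches"] = (fwd.dst_ip, fwd.dst_port)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model keys its table on the remote endpoint as well as the allocated uplink port, the way Linux connection tracking does, which is why even a host that knows a mapped port cannot talk through it.  Run it as a script to see each step; step 4 is the one to keep in mind whenever a port-forward is requested on a department router.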

As the company grows it can extend the same idea while keeping costs down.  Say the company now has a sales department in addition to its developers.  You would not want them on the same network; best practice is to give each group its own subnet.  Buying just one more router and plugging its uplink into another LAN port on the ISP router instantly provides another security boundary with its own network.  Each network can reach the servers plugged into the ISP router but has no easy access to the other department's network.  Port forwarding on a department router can be added for special needs, but practice good security setup and allow through only what is absolutely required.  A server on the shared network can act as the central hub for any cross-network functions.

Obviously, once the company needs to grow beyond this, a different solution is called for, such as a dedicated Cisco router and firewall.  One more thing to note: by default, each router may come up with the same internal addressing, 192.168.0.x being the most common.  If an add-on router's LAN uses the same 192.168.0.0/24 as the ISP router's LAN that its uplink sits in, its own uplink and LAN ranges overlap and the router cannot route between them correctly.  So as part of setup, and for easier troubleshooting, give each add-on router's internal DHCP scope a distinct range; for example router 1 using 172.16.1.x and router 2 using 172.16.2.x would work well.
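A quick way to catch the addressing problem before plugging anything in is to check the plan for overlaps.  The following is an added example written for this post, not code from the post or from any vendor; the router names and networks are constructed.  It flags two things: an inner router whose uplink address falls inside its own LAN range, and any two LANs in the plan that overlap.  The first plan has all three routers left at a common factory default and fails both checks; the second uses the distinct scopes suggested above and passes.

```python
"""Sanity-check the addressing plan for cascaded consumer routers.

Added example for this post, not code from the post or from any vendor.
Router names and networks are constructed.  Each inner router's uplink
address lives in the ISP router's LAN, so every LAN in the plan must be
disjoint from the others, and no router may have its uplink inside its
own LAN range."""
import ipaddress
from itertools import combinations


def plan_problems(routers: dict) -> list:
    """routers maps a name to (uplink_ip or None, lan_cidr).

    Returns human-readable problems; an empty list means the plan is sound.
    """
    problems = []
    lans = {name: ipaddress.ip_network(cidr) for name, (_, cidr) in routers.items()}

    # A router whose uplink sits inside its own LAN cannot tell the two apart.
    for name, (uplink, _) in routers.items():
        if uplink is not None and ipaddress.ip_address(uplink) in lans[name]:
            problems.append(f"{name}: uplink {uplink} lies inside its own LAN {lans[name]}")

    # Every pair of LANs must be disjoint so routes are unambiguous.
    for (a, net_a), (b, net_b) in combinations(sorted(lans.items()), 2):
        if net_a.overlaps(net_b):
            problems.append(f"{a} ({net_a}) overlaps {b} ({net_b})")
    return problems


# Three routers left at a common factory default (constructed).  The ISP
# router's uplink is the public side, so it is not part of the private plan.
DEFAULT_PLAN = {
    "isp_router":   (None, "192.168.0.0/24"),
    "dev_router":   ("192.168.0.2", "192.168.0.0/24"),
    "sales_router": ("192.168.0.3", "192.168.0.0/24"),
}

# The same routers with distinct DHCP scopes, as the post suggests.
FIXED_PLAN = {
    "isp_router":   (None, "192.168.0.0/24"),
    "dev_router":   ("192.168.0.2", "172.16.1.0/24"),
    "sales_router": ("192.168.0.3", "172.16.2.0/24"),
}

if __name__ == "__main__":
    for label, plan in (("default", DEFAULT_PLAN), ("fixed", FIXED_PLAN)):
        probs = plan_problems(plan)
        print(f"{label}: {len(probs)} problem(s)")
        for p in probs:
            print("  -", p)
```

The overlap check uses ip_network.overlaps, so it also catches partial overlaps such as a /16 that swallows a neighbour's /24, not just identical ranges.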

The visibility benefit works in the reverse direction as well.  If the servers directly connected to the ISP router are compromised, the attacker has no easy way to see the user computers behind a department router: unsolicited traffic aimed at that router's uplink address matches no translation entry and goes nowhere.  Of course, if that router exposes its management GUI/TUI on the uplink side, or has a flaw that grants access to it, the attacker could add port forwards or otherwise create a hop into the user network, so disable remote (WAN-side) administration and change the default credentials.  Users' own outbound connections to a compromised server are still allowed, so the barrier is one-directional.  Either way, the added layer of security comes cheap and makes a great addition for small businesses.
