NAT and Configuration Management

Time: 3 hours 54 minutes
Difficulty: Advanced
CEU/CPE: 4
Video Description

In this lesson, you will cover NAT (network address translation) and its subset: PAT (port address translation). The idea is that your local area network is hidden behind a firewall or some other screening device, and then is connected out to the internet (which poses quite a threat to our internal environment). We need to make sure we have multiple layers of defense in protecting our internal network from the external network. Originally NAT was a one-to-one mapping; for every internal host that you had, you would have an external IP address. Important facts about NAT/PAT:

  • It is a proxy that works without special software and is transparent to the end users
  • It will remap IP addresses, allowing you to use private addresses internally and map them to public IP addresses
  • NAT allows multiple private addresses to share one public address

The problem with NAT by itself is that for every internal host, you will need the same number of external interfaces. NAT has a subset, PAT, which allows you to have one public interface and numerous internal hosts. Ultimately, what NAT does is intercept traffic, strip the source address from the traffic, and replace it with its own external IP address as the source. The lesson closes with a discussion of configuration management, which is defined by ISC2 as "a process of identifying and documenting hardware components, software, and the associated settings."

  • The goal is to move beyond the original design to a hardened, operationally sound configuration
  • Identifying, controlling, accounting for and auditing changes made to the baseline TCB
  • Will control changes and test documentation through the operational life cycle of a system
  • Implemented hand in hand with change control
  • Essential to disaster recovery
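The NAT/PAT behaviour described above, as an added example that is not part of the original lesson: a small Python model of a PAT gateway that rewrites every internal source to one public address plus a unique port, maps replies back by that port, and drops inbound traffic that has no table entry. The public address 203.0.113.10 and the packets used in the comments are constructed sample values from documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# The three ranges the lesson names as reserved for internal use (RFC 1918).
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

def is_rfc1918(ip: str) -> bool:
    return any(ip_address(ip) in net for net in RFC1918)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PatGateway:
    """Many-to-one NAT (PAT): all internal hosts share one public address and
    are told apart only by the public source port the gateway assigns."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}  # (private ip, private port) -> public port
        self.inbound = {}   # public port -> (private ip, private port)

    def translate_outbound(self, pkt: Packet) -> Optional[Packet]:
        # Only sources in the reserved internal ranges are translated; anything
        # else trying to leave the LAN is dropped (None).
        if not is_rfc1918(pkt.src_ip):
            return None
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:  # first packet of this flow: new entry
            port, self.next_port = self.next_port, self.next_port + 1
            self.outbound[key], self.inbound[port] = port, key
        # Source address stripped and replaced with the gateway's own.
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        # Replies map back by public port; unsolicited inbound traffic has no
        # table entry and is dropped, so the internal scheme is never revealed.
        entry = self.inbound.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or entry is None:
            return None
        priv_ip, priv_port = entry
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)
```

Port exhaustion and entry timeouts are left out of this model; a real gateway ages idle entries and reuses ports.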
Video Transcription
00:04
Okay. Another idea that frequently is associated with separation, trusted/untrusted, is NAT, and then its subset, which is PAT: so network address translation and port address translation.
00:20
So the idea is my local area network is hidden behind a firewall or some other screening device and then is connected out to the Internet.
00:29
And like we said, the Internet really, really poses quite a threat to our internal environment. So we want to make sure that we have multiple layers of defense in protecting our internal network from the external network. And that's one of the things that network address translation was really designed to do.
00:47
So originally, that was what I refer to as a one-to-one mapping, meaning for every internal host you would have, you would have an external IP address. So I might have a host on the 10 network whose IP address is 10.1.1.1,
01:03
and then I would have an external interface on my NAT device, router, whatever, um, that's a public address. And if you're not familiar with the fact that there are several reserved IP addresses for internal private use, that's one of the things that NAT really allows, just quickly:
01:23
anything in the 10 network,
01:26
anything on the 192.168 network, and then also there's a range in the 172 network, from 172.16 through 172.31. Those ranges are set aside for internal use. And that's a security benefit as well, because that would
01:46
help us easily identify internal traffic from external traffic.
01:51
With those address ranges being set aside for internal use only, Internet routers won't route packets with that source or destination. So that gives us, ah, a security benefit. So what NAT originally did would allow me to have one
02:06
private internal IP address from those ranges, and then I would have an external address
02:12
connected to the public Internet, and that would be a means of hiding my internal IP addressing scheme.
02:17
But the problem with NAT by itself is, if I have five internal hosts, I need five external interfaces, so
02:25
so NAT actually has a subset called PAT,
02:30
port address translation, and that's what allows me to have one public interface and numerous or many internal hosts, that many-to-one mapping. So ultimately what NAT does is it intercepts traffic, strips the source address from the traffic
02:46
and replaces it with its own external
02:51
IP address as the source. So ultimately, everything looks like it's coming from the NAT device, and it doesn't reveal any information about my internal IP addressing scheme. So that's certainly a security mechanism that we would have on our connectivity devices. Many firewalls offer NAT, routers offer NAT,
03:10
um,
03:10
proxy servers as well, very commonly.
03:14
Now, the last thing that we'll talk about here in this section is configuration management, and configuration management is a very important part of securing the organization and creating an environment of stability,
03:29
and ultimately, with configuration management, what we're gonna do is we're gonna document our hardware and software, and we're gonna control any changes to those elements. Okay, so what that means is those main elements of a system: the processor, the BIOS,
03:49
RAM,
03:50
operating system kernel. These are things that when we get this equipment delivered, we document what it is as delivered, and then any changes we make to that baseline configuration. So ultimately, if we go through a series of steps to harden the system,
04:08
we make sure that those changes get documented,
04:12
and we make sure that no changes get made to a system without following a proper change control procedure. We do no changes on the fly. We don't just make a quick modification because it's not a big deal. We always follow the process,
04:30
and that process is change control,
04:32
which is part of our configuration management process as a whole. You know, the bottom line is, if we allow users to make changes on the fly, they will, and, you know, think about maybe a, uh,
04:46
a patch to close up a vulnerability in an operating system.
04:51
You know, if we allow our users just to go out and download whatever patches they think are worth pulling down and then installing those on their systems, that will wreak havoc on their systems and on our network environment. If we allow users to install applications,
05:11
you think about how many
05:13
um, elements of malicious code are spread by users downloading files, installing them, right? Configuration management says
05:20
any changes to the baseline security settings of a system must go through a rigorous process for change control and must be well documented.
05:32
Configuration management is also very important in business continuity and disaster recovery,
05:39
because ultimately what we're gonna look at is restoring operations to the state that the operations were in before the disaster.
05:46
If I don't know what that state was, if I don't have the documentation, then I'm not gonna be able to do so. So the primary purpose of configuration management is system and environmental stability, very important in the security realm.