Network Perimeter Security

For network perimeter security, or protecting the external interfaces between your network and external networks, we consider the use of address translation mechanisms and firewalls.

Network address translation, or NAT, is the mapping of IP addresses from one realm to another. Typically this is between public and private IP address space. Private IP address space is the set of IETF-defined private address spaces (RFC 1918):

■ Class A 10.x.x.x 10/8 prefix
■ Class B 172.16.x.x 172.16/12 prefix
■ Class C 192.168.x.x 192.168/16 prefix



NAT is used to create bindings between addresses, such as one-to-one address binding (static NAT); one-to-many address binding (dynamic NAT); and address and port bindings (network address port translation, or NAPT).

While NAT was developed to address the issues of address space exhaustion, it was quickly adopted as a mechanism to enhance security at external interfaces. Routes to private IP address spaces are not propagated within the Internet; therefore, the use of private IP addresses hides the internal addressing structure of a network from the outside.



The security architecture should consider a combination of static and dynamic NAT and NAPT, based on the devices that are being protected. For example, static NAT is often used for bindings to multiple-user devices such as servers or high-end computing devices, while dynamic NAT is used with generic computing devices.
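The three binding types above, worked through as a small added example (not from the original text): a toy gateway that applies static NAT to listed servers, leases dynamic NAT addresses from a pool while one is free, and otherwise falls back to NAPT on a shared address. The public addresses (203.0.113.x) and the starting port 40000 are constructed values for illustration; inbound packets with no existing binding are dropped, which is the security property the text alludes to.

```python
import ipaddress
import itertools

# RFC 1918 private address space: the three blocks listed on the page.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True if addr lies in RFC 1918 space (not routed on the Internet)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


class NatGateway:
    """Toy NAT with the three binding types: static (1:1), dynamic (pool), NAPT."""

    def __init__(self, static, pool, napt_ip, first_port=40000):
        self.static = dict(static)      # private ip -> fixed public ip (servers)
        self.pool = list(pool)          # free public ips for dynamic NAT
        self.dynamic = {}               # private ip -> leased public ip
        self.napt_ip = napt_ip          # one shared address for port translation
        self.ports = itertools.count(first_port)  # constructed port range
        self.napt = {}                  # (priv ip, priv port) -> public port
        self.napt_rev = {}              # public port -> (priv ip, priv port)

    def outbound(self, priv_ip, priv_port):
        """Translate an outbound (ip, port) and return the public (ip, port)."""
        if not is_private(priv_ip):
            raise ValueError(f"{priv_ip} is not RFC 1918; refusing to translate")
        if priv_ip in self.static:                  # static NAT: port unchanged
            return (self.static[priv_ip], priv_port)
        if priv_ip in self.dynamic:                 # dynamic NAT: existing lease
            return (self.dynamic[priv_ip], priv_port)
        if self.pool:                               # dynamic NAT: lease an address
            self.dynamic[priv_ip] = self.pool.pop(0)
            return (self.dynamic[priv_ip], priv_port)
        key = (priv_ip, priv_port)                  # NAPT: share napt_ip, remap port
        if key not in self.napt:
            pub_port = next(self.ports)
            self.napt[key] = pub_port
            self.napt_rev[pub_port] = key
        return (self.napt_ip, self.napt[key])

    def inbound(self, pub_ip, pub_port):
        """Reverse-map an inbound packet; None means no binding, so it is dropped."""
        for table in (self.static, self.dynamic):
            for priv, pub in table.items():
                if pub == pub_ip:
                    return (priv, pub_port)
        if pub_ip == self.napt_ip:
            return self.napt_rev.get(pub_port)
        return None
```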

Firewalls are combinations of one or more security mechanisms, implemented in network devices (routers) placed at strategic locations within a network. Firewalls can be filtering gateways, application proxies with filtering gateways, or devices running specialized “firewall” software.
