How to Apply Network Address Translation (NAT) Technology Correctly
NAT stands for Network Address Translation. It is an IETF standard that allows an organization to present a single address to the Internet: NAT translates the address of each LAN node into a public IP address and back again. It is also used in firewall technology to hide internal addresses from the outside world, so that outside hosts cannot reach internal network devices directly. At the same time it helps a network get past its address shortage and plan sensibly how public addresses and private IP addresses are used.

2. Basic principle and types of NAT technology

2.1 Basic principle of NAT technology

NAT helps solve the headache of IP address shortage, and it also separates the internal network from the external one, providing a degree of network security. The approach is to use internal addresses inside the internal network and translate them into legal IP addresses through NAT for use on the Internet. Concretely, the address field of the IP packet is replaced with a legal IP address. NAT functions are usually integrated into routers, firewalls, ISDN routers or stand-alone NAT devices. The NAT device maintains a state table that maps the illegal (internal) IP addresses to legal ones. Every packet is translated to the correct IP address in the NAT device and sent on to the next hop, which places some load on the processor; for an ordinary network this load is negligible.

2.2 Types of NAT technology

There are three types of NAT: static NAT, dynamic address NAT and network address port translation (NAPT). Static NAT is the simplest to set up: each host in the intranet is permanently mapped to a legal address in the external network. Dynamic address NAT defines a range of legal external addresses and maps them to the internal network by dynamic allocation.
NAPT maps internal addresses to different ports of an external network IP address. Each of the three NAT schemes has its own advantages and disadvantages depending on the requirements.

Dynamic address NAT only translates IP addresses. It assigns a temporary external IP address to each internal IP address and is mainly used for dial-up. Dynamic NAT can also be used for frequent remote connections: when a remote user connects, dynamic address NAT assigns him an IP address, and when the user disconnects that address is released for reuse.

NAPT (Network Address Port Translation) is the common form of translation. It is widely used in access devices, where it hides a small or medium-sized network behind one legitimate IP address. Unlike dynamic address NAT, NAPT maps internal connections to a single IP address in the external network and distinguishes them by a TCP port number chosen by the NAT device. Seen from the Internet, all the different TCP and UDP flows appear to come from the same IP address. This is very practical in a small office: with one IP address obtained from an ISP, many connections can reach the Internet through NAPT. In fact, many SOHO remote-access devices obtain a dynamic IP address over PPP, so a single external address can serve many internal addresses even where the ISP does not support NAPT itself. Although this causes some congestion on the link, NAPT is worthwhile for the saving on the ISP's access fee and the easier management.

3. Using NAT technology on the Internet

NAT allows every machine on the local network to reach the Internet through one server's line, with only that server's IP registered. Before NAT appeared, sockd had to be installed on the server and every client had to support sockd in order to connect through it.
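The three translation schemes just described differ in what the state table holds and what happens when it runs out of entries. The following Python model is an added illustration, not code from the original article: it implements static NAT (a fixed one-to-one map), dynamic address NAT (a pool that is leased on first use and released on disconnect) and NAPT (one public address, one device-chosen port per flow, plus the reverse lookup a reply needs). All addresses, pool contents and port numbers are constructed sample values.

```python
"""Toy model of the three NAT types: static NAT, dynamic address NAT and NAPT.
Added illustration; all addresses, pools and port numbers are constructed."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The header fields a NAT device reads and rewrites."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StaticNAT:
    """Each internal host is permanently mapped to one legal external address."""

    def __init__(self, mapping: Dict[str, str]) -> None:
        self.mapping = dict(mapping)          # private -> public, fixed

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        public = self.mapping.get(pkt.src_ip)
        if public is None:
            return None                       # unmapped host cannot leave the LAN
        return replace(pkt, src_ip=public)


class DynamicNAT:
    """A pool of legal addresses leased on first use and released on disconnect."""

    def __init__(self, pool: List[str]) -> None:
        self.free = list(pool)
        self.lease: Dict[str, str] = {}       # private -> public, temporary

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        public = self.lease.get(pkt.src_ip)
        if public is None:
            if not self.free:
                return None                   # pool exhausted: no translation possible
            public = self.free.pop(0)
            self.lease[pkt.src_ip] = public
        return replace(pkt, src_ip=public)

    def release(self, private_ip: str) -> None:
        """Called when the user disconnects; the address returns to the pool."""
        self.free.append(self.lease.pop(private_ip))


class NAPT:
    """One public address shared by all hosts; flows are told apart by port."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # state table: (proto, private_ip, private_port) -> device-side public port
        self.table: Dict[Tuple[str, str, int], int] = {}
        # reverse index used for replies: (proto, public_port) -> (private_ip, private_port)
        self.reverse: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        port = self.table.get(key)
        if port is None:
            port = self.next_port             # pick a fresh port on the NAT device
            self.next_port += 1
            self.table[key] = port
            self.reverse[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Undo the translation for a reply; a port with no state is dropped."""
        target = self.reverse.get((pkt.proto, pkt.dst_port))
        if target is None:
            return None
        private_ip, private_port = target
        return replace(pkt, dst_ip=private_ip, dst_port=private_port)
```

The `inbound` method of `NAPT` is where the security side-effect of the article's "state table" shows up: a packet arriving for a port the device never handed out has no entry and is discarded, which is why unsolicited connections from the Internet do not reach hosts behind NAPT.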
The biggest problem with that method is that usually only telnet, ftp and web browsers support sockd, so other programs cannot be used, and going through sockd is somewhat slower. With NAT for network address translation, the client needs no changes at all: only a gateway has to be set up on the server, and every program (such as kali/kahn, etc.) works.

The simplest NAT device has two network connections, one to the Internet and one to the private network. Hosts in the private network use private IP addresses (sometimes called "net 10" addresses, since the block starting at 10.0.0 is reserved for private use) and reach the Internet by sending their packets straight to the NAT device. Unlike an ordinary router, which only reads the source and destination addresses and forwards the packet toward its destination, the NAT device actually modifies the packet header, replacing the private source address with the NAT device's own Internet address.

4. Security strategy for applying NAT technology

4.1 Security problems of applying NAT

With NAT, hosts on the Internet appear to communicate with the NAT device rather than with the real hosts in the private network. An incoming packet is sent to the NAT device's IP address, and the NAT device rewrites the destination address in the header from its own Internet address to the private address of the real destination host. In theory, then, hundreds, thousands or even millions of hosts with private addresses can sit behind one globally unique IP address. In practice this has drawbacks: many Internet protocols and applications rely on a true end-to-end network, in which packets travel from source address to destination address unmodified.
For example, the IP security architecture cannot be used across a NAT device, because the original header, including the original IP source address, is digitally signed; once the source address changes, the digital signature is no longer valid. NAT also brings management challenges. Although it is a good solution for organizations, branches or departments without enough globally unique Internet addresses, it becomes a serious problem when two or more private networks have to be integrated after a reorganization, merger or acquisition. Even where the organizational structure is stable, NAT systems cannot be nested in multiple layers, which leads to routing nightmares.

4.2 Security strategy for applying NAT

When we change the network's IP addresses, we must think carefully about the effect on the security mechanisms already in the network. A firewall, for example, decides whether to pass a packet based on information in the IP header such as the TCP port number, the destination address and the source address. Because NAT rewrites the source or destination address, the firewall's filtering rules may have to change depending on where the NAT device sits. If the NAT device (for example an internal router) is on the side protected by the firewall, every security rule that controls traffic behind the NAT device must be changed. In many networks the NAT mechanism is implemented on the firewall itself, so that the firewall provides both network access control and address translation. Do not place a NAT device outside the firewall unless you can strictly define which network connections may be translated: any attacker who can make the NAT device believe his connection request is permitted can access your network as an authorized user.
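The claim that a signed header cannot survive NAT is easy to see with a small model. The following Python is an added example, not code from the article: the HMAC over source address, destination address and payload stands in for an IPsec-style integrity check of the kind that covers the IP source address (the article's "digitally signed header"). Two orderings are compared: computing the tag and then letting NAT rewrite the source address (verification fails), and letting NAT rewrite the address before the tag is computed (verification succeeds), which is the ordering obtained when the NAT device sits on the protected side of the security endpoint. The key, addresses and payload are constructed sample values.

```python
"""Why an integrity tag that covers the IP source address breaks across NAT.
Added illustration; the HMAC-over-header scheme is a simplified stand-in for
IPsec authentication, and all keys and addresses are constructed values."""
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    payload: bytes


def authenticate(pkt: Packet, key: bytes) -> bytes:
    """Sender side: the tag covers both addresses as well as the payload, so the
    receiver can tell exactly which host originated the packet."""
    covered = f"{pkt.src_ip}|{pkt.dst_ip}|".encode() + pkt.payload
    return hmac.new(key, covered, hashlib.sha256).digest()


def verify(pkt: Packet, tag: bytes, key: bytes) -> bool:
    """Receiver side: recompute the tag over the header exactly as received."""
    return hmac.compare_digest(authenticate(pkt, key), tag)


def nat_rewrite(pkt: Packet, public_ip: str) -> Packet:
    """What the NAT device does on the way out: swap the private source address
    for its own Internet address."""
    return replace(pkt, src_ip=public_ip)


def sign_then_nat(pkt: Packet, key: bytes, public_ip: str) -> bool:
    """NAT placed outside the security endpoint: the tag is computed on the
    private address, then NAT changes that address on the wire."""
    tag = authenticate(pkt, key)
    on_wire = nat_rewrite(pkt, public_ip)
    return verify(on_wire, tag, key)


def nat_then_sign(pkt: Packet, key: bytes, public_ip: str) -> bool:
    """NAT placed on the protected side: translation happens first and the
    security endpoint signs the already-translated header."""
    on_wire = nat_rewrite(pkt, public_ip)
    tag = authenticate(on_wire, key)
    return verify(on_wire, tag, key)
```

The same `verify` call rejects a packet whose payload was altered in transit, so the receiver cannot distinguish a NAT rewrite from tampering; that indistinguishability is exactly what the integrity check is for, and it is why the fix is to move the NAT device rather than to weaken the check.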
If the enterprise is at the forefront of network technology and is using the IP Security protocol (IPsec) to build a virtual private network (VPN), a misplaced NAT device will ruin that plan. In principle the NAT device belongs on the protected side of the VPN: NAT has to change the address field in the IP header, but the address field protected by the IPsec header cannot be changed, precisely so that the receiver knows exactly which workstation the original message came from. If the IP address is changed, the IPsec security mechanism is invalidated, because it exists to detect a changed source address, let alone changed message content.

The NAT system should therefore be built from the following components:

① Network address translation module. The NAT module is the core of the system and the only module that touches the network layer, so it should be tightly combined with, or directly modified into, the network-layer processing of the Unix system itself. It can be subdivided into a packet switching submodule, a packet header replacement submodule, a rule processing submodule, a connection record submodule, a real address allocation submodule and a transport layer filtering submodule.

② Centralized access control module. This module is subdivided into a request authentication submodule and a connection relay submodule. The request authentication submodule exchanges authentication information with the authentication and access control system over a trusted security mechanism, identifies legitimate users, and decides the form of the subsequent connection according to the permissions granted to the user in advance.
The connection relay submodule establishes the final relay-free connection channel for the user and, when necessary, passes the authenticated user identity to the internal server so that the authentication step required by the relevant service protocol can be completed.

③ Temporary access port table. To tell which service a packet belongs to, and to prevent an attacker from misusing a connection initiated by an internal host, the gateway registers the temporary port, protocol type and internal host address used by the internal host in a temporary port table. Because the gateway cannot know in advance which temporary ports an internal host will use, this table is generated dynamically from the packets the gateway receives. For incoming packets, the firewall admits only packets permitted by the access control list or packets matching a registered temporary port.

④ Authentication and access control system. This consists of a user authentication module and an access control module, which perform user identity authentication and security policy enforcement.
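The inbound decision described under ③ (static access control list first, then the dynamically built temporary port table) can be written out as a small filter. The following Python is an added example rather than the article's own design. It records the protocol, internal address and temporary port exactly as the text describes, and additionally records the remote peer and a last-seen time, which goes beyond the three fields in the text: the peer check means only the host the connection was opened to can answer on that port, and the timeout keeps the table from growing without bound. The ACL entries, timeout and packets are constructed sample values.

```python
"""Inbound filtering with an ACL plus a dynamically built temporary port table.
Added illustration; rule set, timeout and packets are constructed values."""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Gateway:
    """Static ACL for services that may always be reached, and a temporary port
    table for replies to connections that internal hosts opened themselves."""

    def __init__(self, acl: Iterable[Tuple[str, str, int]], timeout: float = 60.0) -> None:
        # static rules: (proto, internal_ip, port) allowed to receive unsolicited traffic
        self.acl = set(acl)
        self.timeout = timeout
        # temporary port table:
        # (proto, internal_ip, internal_port) -> (remote_ip, remote_port, last_seen)
        self.temp_ports: Dict[Tuple[str, str, int], Tuple[str, int, float]] = {}

    def outbound(self, pkt: Packet, now: float) -> None:
        """An internal host opened a connection: register the temporary port it
        chose. The remote peer is stored too (an addition beyond the three
        fields named in the text) so only that peer may answer on the port."""
        self.temp_ports[(pkt.proto, pkt.src_ip, pkt.src_port)] = (pkt.dst_ip, pkt.dst_port, now)

    def inbound(self, pkt: Packet, now: float) -> str:
        """Return the decision for an incoming packet and the rule behind it."""
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port)
        if key in self.acl:
            return "allow:acl"                # explicitly published service
        entry = self.temp_ports.get(key)
        if entry is None:
            return "deny:no-state"            # nobody inside asked for this
        remote_ip, remote_port, last_seen = entry
        if now - last_seen > self.timeout:
            del self.temp_ports[key]          # stale entry: forget it and drop
            return "deny:expired"
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return "deny:peer-mismatch"       # a third party answering on the port
        self.temp_ports[key] = (remote_ip, remote_port, now)   # refresh on use
        return "allow:temp-port"
```

Because the table is keyed on the protocol as well as the address and port, a UDP packet aimed at a port that was registered for TCP finds no state and is dropped; keying on fewer fields than the article lists would silently widen what the gateway admits.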