Friday, May 13, 2016

How do NAT and VPN work ?

If not redirected, please click here

We often use NAT and VPN in an organization to access the remote network. Let's understand how they work actually.

What is NAT or Network Address Translation ?

Network Address Translation or NAT is a method by which IP addresses are mapped from one group to another, being transparent to the end users. NAT is usually used when a network's internal IP addresses cannot be used outside the network because of privacy reasons or because they are invalid outside the network.

For example, many a times small offices have multiple network nodes in the office, but they have a single IP address assigned to the remote access router by the Internet Service Provider. Using NAT, any network node in the network can access remote networks simultaneously using the single IP address assigned to the router.

In basic NAT, the IP addresses are mapped from one group to the other. In NAPT, the multiple IP addresses as well as their TCP/UDP ports are translated into a single network address and its multiple TCP/UDP ports. These two mechanisms are used together in a traditional NAT.

How does NAT work ?

In NAT, the IP addresses are translated typically in the following manner :

  • When an outgoing session is initiated from a private host, its private address is bound to the corresponding external address. In case of NAPT, the binding consists of a tuple of IP addresses and ports.
  • After the binding, a soft state is maintained for each connection using the binding, using which incoming and outgoing network packets will be looked up and translated.
  • For each incoming and outgoing network packet, the source IP, destination IP and checksum of the IP header is modified. For NAPT, the port addresses are also translated along with IP addresses and checksum.
  • Checksum modification per packet basis may be very much computation intensive. So, an efficient algorithm is used for that purpose. It calculates the arithmetic difference between the before-translation and after-translation addresses and add that to the checksum.
  • When the last session is terminated, the binding is also terminated.

What is VPN or Virtual Private Network ?

Using a Virtual Private Network or VPN, a private network can extend across a public network such as the internet in a secured way.

Normally, if a private network wants to extend, there are two ways it can do so :

  • Using a dial-up or leased line connection which creates a physical connection to a port on a remote access server. This solution is much expensive.
  • Using a VPN, which creates an encrypted connection over the intermediate network such as the internet. Remote users can connect to remote computers using VPN, as if they are physically connected to the network.

How does VPN work ?

There are mainly two types of VPN :

  • Remote Access VPN
  • Site-to-Site VPN

In Remote Access VPN, a point-to-point connection is established between the user's computer and the organization's server. The VPN Client on the user's computer connects to the VPN gateway of the organization's network and after proper authentication, a connection is established back to the remote user's computer. The user can then access the internal network resources as if the user's computer is connected to the network locally. Remote Access VPN often uses IPSec or SSL to secure the connection.

VPN often uses tunneling mechanism to transfer data in a secured way. In tunneling, a network packet is encapsulated and added with another header and sent across. The encapsulated packet travels through the network and after reaching the destination network, the packet is decapsulated and the payload is transferred to the final destination. The network packets are also encrypted to ensure security.

Several protocols can be used for tunneling. For example, a VPN can use Point-to-Point Protocol or PPTP, Layer 2 Tunneling Protocol or L2TP or Secure Socket Tunneling Protocol or SSTP running across the base IPSec connection.

On the other hand, a Site-to-Site VPN uses a gateway device to connect the entire network from one location to the other. In this case, the gateway handles the VPN connections, so end-node does not need VPN Clients.

Most of the Site-to-Site VPNs use IPSec. But, they can also use Multiprotocol Label Switching or MPLS to create VPNs.

Security and Privacy of VPN

VPN cannot make online connections anonymous, but they can enhance privacy and security in the following manner :

  • It uses encryption technique to encrypt the network packets, so that if an attacker sniffs the packets, he can only see the encrypted data.
  • It uses authentication to prevent unauthorized users from accessing the VPN.
  • It provides message integrity to detect modification of transmitted data.

1 comment: