We often use NAT and VPN in an organization to access a remote network. Let's understand how they actually work.
What is NAT or Network Address Translation?
Network Address Translation or NAT is a method by which IP addresses are mapped from one group to another, transparently to the end users. NAT is usually used when a network's internal IP addresses cannot be used outside the network, either for privacy reasons or because they are invalid outside the network.
For example, many small offices have multiple network nodes in the office but only a single IP address assigned to the remote access router by the Internet Service Provider. Using NAT, any network node in the office can access remote networks simultaneously using that single IP address assigned to the router.
In basic NAT, IP addresses are mapped from one group to the other. In NAPT (Network Address Port Translation), multiple IP addresses together with their TCP/UDP ports are translated into a single network address and its multiple TCP/UDP ports. These two mechanisms are used together in a traditional NAT.
How does NAT work?
In NAT, the IP addresses are typically translated in the following manner:
- When an outgoing session is initiated from a private host, its private address is bound to the corresponding external address. In the case of NAPT, the binding consists of a tuple of IP addresses and ports.
- After the binding, a soft state is maintained for each connection using the binding; incoming and outgoing network packets are looked up against this state and translated.
- For each incoming and outgoing network packet, the source IP, destination IP and checksum of the IP header are modified. For NAPT, the port numbers are also translated along with the IP addresses and checksum.
- Recomputing the checksum on a per-packet basis can be very computation intensive, so an efficient algorithm is used instead: it calculates the arithmetic difference between the before-translation and after-translation addresses and adds that difference to the checksum.
- When the last session using a binding is terminated, the binding is also terminated.
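The steps above, carried through in working code as an added example (not code from the original article): a small NAPT that builds raw IPv4/TCP packets, creates a binding on the first outgoing packet of a session, maps replies back through it, drops unsolicited inbound packets that match no binding, removes the binding when the session closes, and patches both the IP header checksum and the TCP checksum incrementally (the RFC 1624 difference method the text describes) rather than recomputing them over the whole packet. All addresses and ports are constructed from RFC 5737 test networks; the `Napt`, `patch` and `build_packet` names are this example's own.

```python
"""NAPT over raw IPv4/TCP packets with RFC 1624 incremental checksum updates (added example)."""
# Addresses and ports below are constructed from RFC 5737 test networks, not taken from the article.
import socket
import struct

def ones_sum(data: bytes) -> int:
    """One's-complement sum of 16-bit words with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum(data: bytes) -> int:
    """Internet checksum computed from scratch over the whole buffer."""
    return ~ones_sum(data) & 0xFFFF

def incremental(old_csum: int, old_field: bytes, new_field: bytes) -> int:
    """RFC 1624 eqn. 3, HC' = ~(~HC + ~m + m'): fix a checksum from just the
    old and new bytes of the changed field, without re-reading the packet."""
    complemented = bytes(~b & 0xFF for b in old_field)
    total = (~old_csum & 0xFFFF) + ones_sum(complemented) + ones_sum(new_field)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(src_ip, sport, dst_ip, dport, payload: bytes) -> bytes:
    """IPv4 header + minimal TCP SYN header + payload, both checksums filled in."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))  # TCP checksum covers both IPs
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src, dst)
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + tcp

def addresses(pkt: bytes):
    """(src_ip, sport, dst_ip, dport) of an IPv4/TCP packet without IP options."""
    return (socket.inet_ntoa(pkt[12:16]), struct.unpack_from("!H", pkt, 20)[0],
            socket.inet_ntoa(pkt[16:20]), struct.unpack_from("!H", pkt, 22)[0])

def checksums_valid(pkt: bytes) -> bool:
    """From-scratch check: with the checksum included, a correct header sums to 0xFFFF."""
    ip, tcp = pkt[:20], pkt[20:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return ones_sum(ip) == 0xFFFF and ones_sum(pseudo + tcp) == 0xFFFF

def patch(pkt: bytes, offset: int, new: bytes) -> bytes:
    """Overwrite a 16-bit-aligned field and fix every checksum that covers it."""
    old = pkt[offset:offset + len(new)]
    buf = bytearray(pkt)
    buf[offset:offset + len(new)] = new
    if offset < 20:  # field is inside the IP header: IP checksum lives at offset 10
        struct.pack_into("!H", buf, 10, incremental(struct.unpack_from("!H", buf, 10)[0], old, new))
    if offset >= 12:  # IP addresses (pseudo-header) and TCP ports: TCP checksum at 20 + 16
        struct.pack_into("!H", buf, 36, incremental(struct.unpack_from("!H", buf, 36)[0], old, new))
    return bytes(buf)

class Napt:
    """One public address shared by many private hosts; every session gets its own public port."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.out = {}   # (private_ip, private_port, remote_ip, remote_port) -> public_port
        self.back = {}  # public_port -> (private_ip, private_port)

    def outbound(self, pkt: bytes) -> bytes:
        """The first packet of a session creates the binding; later packets reuse it."""
        key = addresses(pkt)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key[:2]
            self.next_port += 1
        pkt = patch(pkt, 12, socket.inet_aton(self.public_ip))
        return patch(pkt, 20, struct.pack("!H", self.out[key]))

    def inbound(self, pkt: bytes):
        """Replies map back through the binding; unsolicited packets have none and are dropped."""
        dport = addresses(pkt)[3]
        if dport not in self.back:
            return None
        private_ip, private_port = self.back[dport]
        pkt = patch(pkt, 16, socket.inet_aton(private_ip))
        return patch(pkt, 22, struct.pack("!H", private_port))

    def close(self, key):
        """Session ended: drop the binding so the public port is no longer forwarded."""
        del self.back[self.out.pop(key)]

def demo():
    """Two private hosts that use the same source port share one public address."""
    nat = Napt("203.0.113.7")
    out_a = nat.outbound(build_packet("192.168.1.10", 51000, "198.51.100.20", 443, b"hello"))
    out_b = nat.outbound(build_packet("192.168.1.11", 51000, "198.51.100.20", 443, b"hello"))
    reply_b = nat.inbound(build_packet("198.51.100.20", 443, "203.0.113.7", 40001, b"reply"))
    stray = nat.inbound(build_packet("198.51.100.20", 443, "203.0.113.7", 9999, b"unsolicited"))
    nat.close(("192.168.1.11", 51000, "198.51.100.20", 443))
    late = nat.inbound(build_packet("198.51.100.20", 443, "203.0.113.7", 40001, b"late"))
    return out_a, out_b, reply_b, stray, late
```

Two details matter in practice. The TCP checksum covers a pseudo-header containing both IP addresses, so a NAPT that only fixes the IP header checksum produces packets the receiver discards; `patch` therefore updates both. And `checksums_valid` recomputes everything from scratch, which is how you confirm that the incremental update is exact and not merely approximately right.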
What is VPN or Virtual Private Network?
Using a Virtual Private Network or VPN, a private network can be extended across a public network such as the internet in a secure way.
Normally, if a private network wants to extend to a remote location, there are two ways it can do so:
- Using a dial-up or leased line connection, which creates a physical connection to a port on a remote access server. This solution is much more expensive.
- Using a VPN, which creates an encrypted connection over an intermediate network such as the internet. Remote users can connect to remote computers through the VPN as if they were physically connected to the network.
How does VPN work?
There are mainly two types of VPN:
- Remote Access VPN
- Site-to-Site VPN
In a Remote Access VPN, a point-to-point connection is established between the user's computer and the organization's server. The VPN client on the user's computer connects to the VPN gateway of the organization's network and, after proper authentication, a connection is established back to the remote user's computer. The user can then access internal network resources as if the user's computer were connected to the network locally. Remote Access VPNs often use IPSec or SSL to secure the connection.
VPNs often use a tunneling mechanism to transfer data securely. In tunneling, a network packet is encapsulated: another header is added to it and the result is sent across. The encapsulated packet travels through the intermediate network and, after reaching the destination network, is decapsulated and the payload is transferred to its final destination. The network packets are also encrypted to ensure security.
Several protocols can be used for tunneling. For example, a VPN can use Point-to-Point Tunneling Protocol or PPTP, Layer 2 Tunneling Protocol or L2TP, or Secure Socket Tunneling Protocol or SSTP running across the base IPSec connection.
On the other hand, a Site-to-Site VPN uses a gateway device to connect the entire network at one location to the network at the other. In this case the gateway handles the VPN connections, so the end nodes do not need VPN clients.
Most Site-to-Site VPNs use IPSec, but they can also use Multiprotocol Label Switching or MPLS to create VPNs.
Security and Privacy of VPN
A VPN cannot make online connections anonymous, but it can enhance privacy and security in the following manner:
- It encrypts the network packets, so that if an attacker sniffs the packets, he can only see the encrypted data.
- It uses authentication to prevent unauthorized users from accessing the VPN.
- It provides message integrity to detect modification of the transmitted data.
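The tunneling paragraph and the three properties just listed, shown together in one added example (this is illustrative code, not from the original article or any VPN product): two site gateways encapsulate a private-network packet inside an outer packet that carries only the gateway addresses in the clear, encrypt the inner packet, and attach an integrity tag that the receiving gateway checks before decapsulating. The `Gateway` class and its addresses are constructed (RFC 5737 test networks). Because the Python standard library ships no block cipher, the encryption is a keystream derived with HMAC-SHA256 in counter mode with a separate HMAC tag; that stands in for the AEAD (for example AES-GCM) a real IPSec or TLS tunnel negotiates and is not a construction to deploy. The `sniffer_view` function makes the "not anonymous" point concrete: an on-path observer still learns which two gateways are talking, just not the inner addresses or data.

```python
"""Toy site-to-site tunnel: encapsulate, encrypt, authenticate, decapsulate (added example)."""
# Gateway addresses are constructed from RFC 5737 test networks. The cipher is an HMAC-SHA256
# keystream in counter mode plus a separate HMAC tag, used only so the example runs on the
# standard library; a real tunnel uses an AEAD such as AES-GCM negotiated by IKE/IPsec or TLS.
import hashlib
import hmac
import os
import socket
import struct

# Constructed inner packet: what a host on one private network sends to a host on the other.
INNER_PACKET = b"[inner IPv4 10.0.1.5 -> 10.0.2.9] GET /payroll HTTP/1.1"

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` pseudo-random bytes from HMAC(key, nonce || counter) blocks."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def xor(data: bytes, pad: bytes) -> bytes:
    """Stream-cipher style encryption and decryption are the same operation."""
    return bytes(a ^ b for a, b in zip(data, pad))

class Gateway:
    """A VPN gateway knows its own public address, its peer's, and the shared tunnel keys."""

    def __init__(self, own_ip: str, peer_ip: str, enc_key: bytes, mac_key: bytes):
        self.own, self.peer = socket.inet_aton(own_ip), socket.inet_aton(peer_ip)
        self.enc_key, self.mac_key = enc_key, mac_key

    def encapsulate(self, inner_packet: bytes, nonce: bytes = None) -> bytes:
        """Outer header (gateway addresses, in the clear) + nonce + encrypted inner packet + tag."""
        nonce = nonce or os.urandom(12)
        body = xor(inner_packet, keystream(self.enc_key, nonce, len(inner_packet)))
        outer = self.own + self.peer + nonce + body
        tag = hmac.new(self.mac_key, outer, hashlib.sha256).digest()[:16]  # covers header too
        return outer + tag

    def decapsulate(self, outer_packet: bytes):
        """Check addressing and the tag, then strip the outer header and decrypt.
        Returns None for packets that are not from the peer or were modified in transit."""
        if len(outer_packet) < 8 + 12 + 16 or outer_packet[:8] != self.peer + self.own:
            return None
        signed, tag = outer_packet[:-16], outer_packet[-16:]
        expected = hmac.new(self.mac_key, signed, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(expected, tag):
            return None  # integrity failure: drop before decrypting anything
        nonce, body = signed[8:20], signed[20:]
        return xor(body, keystream(self.enc_key, nonce, len(body)))

def sniffer_view(outer_packet: bytes):
    """What an on-path observer learns: the two gateway addresses and opaque bytes."""
    return socket.inet_ntoa(outer_packet[:4]), socket.inet_ntoa(outer_packet[4:8]), outer_packet[8:]

def demo():
    """Site A tunnels a packet to site B; a tampered copy and a misrouted copy are rejected."""
    enc_key = hashlib.sha256(b"constructed-demo-enc-key").digest()  # constructed, not a real key
    mac_key = hashlib.sha256(b"constructed-demo-mac-key").digest()
    site_a = Gateway("203.0.113.7", "198.51.100.20", enc_key, mac_key)
    site_b = Gateway("198.51.100.20", "203.0.113.7", enc_key, mac_key)
    outer = site_a.encapsulate(INNER_PACKET)
    delivered = site_b.decapsulate(outer)
    tampered = bytearray(outer)
    tampered[25] ^= 0x01  # flip one bit inside the encrypted body
    rejected = site_b.decapsulate(bytes(tampered))
    misrouted = site_a.decapsulate(outer)  # wrong direction: header is own->peer, not peer->own
    return outer, delivered, rejected, misrouted, sniffer_view(outer)
```

The order inside `decapsulate` is the part worth copying into any real design: verify the tag over the entire outer packet, header included, and only then decrypt, so a modified or forged packet is discarded before its contents influence anything.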
So, this article gives some basic information on NAT and VPN. Hope you liked it.
Read More
PPTP vs L2TP vs OpenVPN vs SSTP vs IKEv2 VPN - How are they different from each other?
What is SSL VPN and how is it different from IPSec VPN?
What is IPSec?
How does IPSec protocol work?
How do Proxy Servers work?
How does Tor work and how does it help in anonymous browsing?
What is PGP or Pretty Good Privacy?
How does Full Disk Encryption protect us from data theft?
Infographic: How to encrypt and decrypt files using PGP?
I learned something today.