Support for Network Address Translation (NAT) is an essential feature in many of today's Internet security products. The Internet Engineering Task Force (IETF) Request for Comments (RFC) 1631 defines NAT, a set of standards that lets an Internet-connected host act as an Internet gateway for internal LAN clients by translating the clients' internal network IP addresses into the appropriate address on the NAT-enabled gateway device. NAT technology protects internal client IP addresses and makes them inaccessible to Internet hosts, providing a high level of security. In addition, NAT reduces IP address procurement costs because you need only the single routable Internet address on the NAT device. NAT is also transparent: The internal network clients don't require special software or configuration to establish Internet connections; they just need to ensure that the NAT device is the default gateway to the Internet. These benefits have made NAT support a standard feature on all Internet gateway devices.
Microsoft Internet Security and Acceleration (ISA) Server's NAT implementation is SecureNAT. SecureNAT provides the security and client-transparency benefits of traditional NAT support as well as functionality that further augments ISA Server's security. Many NAT implementations provide no means of controlling or limiting Internet access for specific machines or traffic types. SecureNAT lets you control all traffic that passes through the ISA Server system. As a result, you can control Internet sessions from clients (even clients without client firewalls) via session attributes, such as the source or destination IP address or the protocol type in use. In addition, because ISA Server is the Internet gateway and enforces the security policies that you've defined, SecureNAT ensures that clients can't bypass security policies.
NAT is a standard feature of Windows 2000 Server's Routing and Remote Access Service (RRAS) and Win2K Professional's Internet Connection Sharing (ICS) component. (For more information about Win2K's NAT and ICS features, see "Windows 2000's Network Address Translation.") However, SecureNAT contains a superset of the NAT features found in RRAS and ICS. So, if NAT is installed or ICS is enabled for any network connection, remove it before installing ISA Server to prevent conflicts.
Several protocols and applications, such as some game protocols and those that embed client IP addresses within their packets, can't work through a NAT implementation. Also, if you need to use Security Accounts Manager (SAM) or Active Directory (AD)-based users or groups to secure Internet access, SecureNAT can't help you. In that case, you must install the included firewall client software (e.g., Proxy Server's Winsock client) on each client.
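The embedded-address limitation can be seen in a small model. This is an added example, not code from the article or from ISA Server: the `Nat` class is a toy header-only translator, FTP's PORT command is chosen here as one well-known protocol that carries the client's address in its payload, and every address and port is constructed sample data.

```python
import re
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes

class Nat:
    """Toy gateway (hypothetical): translates headers only, never payloads."""
    def __init__(self, public_ip, first_port=50000):
        self.public_ip, self.next_port = public_ip, first_port
        self.out, self.back = {}, {}  # internal->public port, public port->internal

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.out[key])

    def inbound(self, pkt):
        """Return the translated packet, or None when no mapping exists (drop)."""
        key = self.back.get(pkt.dst_port)
        if key is None or pkt.dst_ip != self.public_ip:
            return None
        return replace(pkt, dst_ip=key[0], dst_port=key[1])

def embedded_endpoint(payload):
    """Extract the (ip, port) an FTP PORT command advertises in its payload."""
    m = re.match(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", payload)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def demo():
    nat = Nat("203.0.113.10")
    # Constructed control-channel packet from an internal client.
    client = Packet("192.168.0.25", 1044, "198.51.100.7", 21, b"PORT 192,168,0,25,4,21\r\n")
    sent = nat.outbound(client)                   # header now shows the public address
    advertised = embedded_endpoint(sent.payload)  # payload still names the internal one
    # A server data connection to the advertised port finds no mapping and is dropped.
    callback = nat.inbound(Packet("198.51.100.7", 20, nat.public_ip, advertised[1], b""))
    reply = nat.inbound(Packet("198.51.100.7", 21, sent.src_ip, sent.src_port, b"200 OK\r\n"))
    return sent, advertised, callback, reply
```

The reply on the translated control connection reaches the client, while the address in the payload remains the internal, non-routable one and the separate inbound connection it asks for has no translation entry.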
The RFC mentioned is incorrect. It should be RFC1631 (SNTP) instead of RFC1361 (NAT!).
Thanx.
Hendrik Walda October 10, 2000
I'm sorry, but Hendrik's comment may have doubly-confused readers -
RFC 1361 - Simple Network Time Protocol (SNTP)
RFC 1631 - The IP Network Address Translator (NAT)
Where to go? Try this link: http://www.faqs.org/rfcs/
Art Johnston August 27, 2002
Useful and helpful. A typo in the RFC but that has been pounced on, so we don't need to go there. Overall a good article.
Anonymous User December 06, 2004