NAT was originally conceived as a way to cope with the depletion of IPv4 addresses announced by ICANN in 2011. When IP addressing first came out many years ago, many people thought that IPv4 would provide more than enough IP addresses to cover every device connected to the Internet. But as the Internet grew, the more than 4 billion network addresses provided by IPv4 ran out, and there are no longer enough addresses for such a huge number of Internet users. That is why NAT emerged as a solution and received much attention from Internet service providers worldwide. In this post, we explore what NAT is and what NAT firewalls can do to maintain network security.
NAT (Network Address Translation) is the process of translating one or more local private IP addresses into a global public IP address, which allows multiple local devices and hosts to access the Internet. NAT runs on a router or firewall to protect private networks. Every device in the local network has a different private IP address, while the public IP address they use can be the same one. Generally, if you google "what's my IP", you will find the exact public IP address that your local hosts use.
Countless data packets are sent back and forth each time you make a request on the Internet. NAT firewalls are used to ensure local network security and protect the data on your local devices. When a data packet leaves the internal network, the NAT firewall converts its private IP address into a public IP address. When a data packet from the outside network is sent back, the NAT firewall blocks unwanted or malicious data to prevent hackers from sneaking into your local network through unauthorized connections.
Large-scale Internet application scenarios, such as carrier IP metropolitan area networks and mobile networks, involve large numbers of users, high-density concurrent access and high sensitivity to bandwidth quality, so they require higher-performance NAT equipment.
FS NSG series firewalls support multi-core hardware platforms. With 64-bit fully parallel operating systems, they can distribute computation across cores, improving overall processing performance. On the software side, the NSG series firewalls use unified detection technology to process traffic in parallel, reducing delay and improving efficiency.
Combining the above technologies, the network address translation of NSG series firewalls can provide up to 10 Gbps of throughput, 170,000 new concurrent connections and a maximum concurrency of 6 million, satisfying the requirements of mass access.
How to properly monitor users' online behavior is a common concern, and many Internet service providers expect NAT to provide accurate monitoring methods that ensure safe and reliable Internet access services. However, the use of dynamic ports and traditional five-tuple-based access control makes it rather difficult to identify applications and carry out effective monitoring.
FS NSG series firewalls support cross-detection. They can accurately identify the most commonly used applications by analyzing their characteristics, user behaviors, and other related information, and they apply various monitoring methods to achieve precise access control, including:
Based on the access control of the applications, the firewalls can monitor user behaviors and block out illegal requests.
The firewalls support application-based QoS, which can further improve the accuracy of bandwidth management while limiting the bandwidth of each access user.
For Internet service providers with high-security requirements, FS NSG series firewalls can accurately identify applications and carry out in-depth detection of data packets to block illegal or malicious data, which significantly improves the efficiency and accuracy of attack detection.
The URL filtering of FS NSG series firewalls can prevent users from accessing illegal websites. Moreover, they can filter and record illegal content which is uploaded or downloaded by the access users.
Internet operations often feature multiple links, high concurrency, heavy load, and complex application types. To overcome those challenges, FS NSG series firewalls integrate various technologies to provide solutions for intelligent link selection and load balancing, including:
With user-based and application-based routing, NSG series firewalls can divert specific applications to specific links, so as to achieve reasonable load balancing and efficient use of links.
FS firewalls support time-based policy routing. Usually, company-based access users surf the Internet mostly during the day, while residential users surf mostly at night. If the two groups use different links, the links cannot all be used efficiently. FS NSG series firewalls can balance the load day and night to make sure the links are fully and efficiently used.
FS firewalls support intelligent and dynamic link switching. They can detect a link failure and divert the load to other links, so that Internet users keep smooth access.
FS firewalls can intelligently analyze the load and bandwidth of different links and balance the load accordingly.
NAT capacity is limited. Once the volume of access exceeds that capacity, the system can no longer process the excess and discards those data packets. The concurrency of a single application keeps growing, which calls for larger NAT capacity.
The unique port multiplexing of FS NSG series firewalls increases the number of concurrent sessions that can be translated with a single IP address by up to 16 times, greatly relieving the access blocking caused by limited address resources. In addition, FS NSG series firewalls have session restriction functions, which can limit the number of sessions of each access user, thereby preventing too many abnormal sessions from occupying NAT capacity and affecting others' access to the Internet.
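The following added example (not FS NSG code and not from the original post) models the two mechanisms described in this article: a port-translating NAT that forwards only inbound packets matching a session opened from inside, and a per-host session limit that keeps one host from exhausting the port pool. The class and function names are hypothetical, the addresses are constructed from documentation ranges, and the model is simplified to one public port per session with no timeouts.

```python
from collections import Counter

class NaptFirewall:
    """Simplified port-translating NAT with stateful inbound filtering."""

    def __init__(self, public_ip, ports, max_per_host):
        self.public_ip = public_ip
        self.free_ports = list(ports)   # public ports still available
        self.max_per_host = max_per_host
        self.out = {}    # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.back = {}   # (public port, remote_ip, remote_port) -> (priv_ip, priv_port)
        self.per_host = Counter()       # open sessions per private host

    def outbound(self, priv_ip, priv_port, dst_ip, dst_port):
        """Translate an outgoing packet, or return a drop reason."""
        key = (priv_ip, priv_port, dst_ip, dst_port)
        if key in self.out:                       # packet of an existing session
            return (self.public_ip, self.out[key])
        if self.per_host[priv_ip] >= self.max_per_host:
            return "drop: per-host session limit"
        if not self.free_ports:
            return "drop: NAT port pool exhausted"
        port = self.free_ports.pop(0)
        self.out[key] = port
        self.back[(port, dst_ip, dst_port)] = (priv_ip, priv_port)
        self.per_host[priv_ip] += 1
        return (self.public_ip, port)

    def inbound(self, remote_ip, remote_port, public_port):
        """Forward only replies that match a session opened from inside."""
        return self.back.get((public_port, remote_ip, remote_port),
                             "drop: no matching session")

def scenario(max_per_host):
    """Constructed traffic: one normal host, then one host opening many sessions."""
    fw = NaptFirewall("203.0.113.10", range(40000, 40005), max_per_host)
    first = fw.outbound("192.168.1.20", 51000, "198.51.100.7", 443)
    reply = fw.inbound("198.51.100.7", 443, first[1])
    unsolicited = fw.inbound("198.51.100.99", 443, first[1])
    noisy = [fw.outbound("192.168.1.66", 50000 + i, "198.51.100.7", 80)
             for i in range(5)]
    late = fw.outbound("192.168.1.21", 52000, "198.51.100.7", 443)
    return first, reply, unsolicited, noisy, late

if __name__ == "__main__":
    for cap in (3, 100):   # with and without an effective per-host limit
        print(cap, scenario(cap))
```

With a limit of 3 the late host still gets a translation; with a limit of 100 the noisy host consumes the five-port pool and the late host is dropped.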
As a solution to the exhaustion of IPv4 address resources, IPv6 has seen considerable development in recent years. Some Internet providers and universities have built IPv6 networks. However, the transition from IPv4 to IPv6 is undeniably a gradual process. Therefore, critical equipment that supports the IPv4 protocol, such as routers and firewalls, needs to provide excellent IPv6 transition solutions.
Technologies provided by FS NSG series firewalls, including IPv6/IPv4 dual-stack, IPv6 in IPv4 tunnel, IPv4 in IPv6 tunnel (DS-Lite), DNS64 and NAT64, can ensure data security during the transition between two protocols and provide comprehensive solutions for the transition from IPv4 to IPv6.
FS has launched the NSG series firewalls which can meet the requirements of NAT and support mass access, precise access control and load balancing, and provide solutions for the transition from IPv4 to IPv6, protecting the security of your local network and devices. For more technical information about our products, please consult our experts.