Network Address Translation


Internet technology is based on the IP protocol and in order to communicate via IP, each device participating in the communication must have a unique IP address. This is relatively easy to do when an organization's network is bounded by the internal physical network and not connected to the Internet. But once an organization connects to the Internet, then each IP address must be unique for the entire world. This presents a problem, since there is a finite number of IP addresses. And because there is a finite number of IP addresses, the agency granting them (InterNIC) is very conservative, which means that individuals will typically not be granted an IP address. 

Even if you could assign an IP address for every resource and user in your company, it might not be a good idea, since any communication on the Internet exposes the IP address to anyone who is watching. Needlessly publishing IP addresses for devices on a network can expose that network to directed attacks. 

Protecting your IP Addresses

FireWall-1's Network Address Translation feature conceals internal network addresses from the Internet, avoiding their disclosure as public information. In addition, this feature overcomes IP addressing limitations, including restricted IP address allocation and unregistered internal addressing schemes. FireWall-1 maintains the integrity of an organization's internal addressing scheme, mapping unregistered IP addresses to valid ones for full Internet access. There are two modes of operation -- dynamic mode and static mode. 

Dynamic Mode

Dynamic mode address translation provides users access to the Internet while conserving registered IP addresses and hiding the actual IP addresses of network resources. Dynamic mode uses a single IP address to map all connections through the protected access point. Since the IP address used in dynamic mode is used only for outbound communication and not used by any resource, there is nothing to hack or spoof. 

Is it truly dynamic? 

The question often arises whether this implementation is truly dynamic. With Check Point FireWall-1's implementation, the answer is yes. FireWall-1 allows an unlimited number of addresses to be dynamically mapped to a single IP address. Be cautious of implementations that provide address substitution by assigning a range of addresses for use in communications: once the range is used up, nobody else can communicate on the Internet. 

Static Mode

As an organization's communication infrastructure requirements grow, the need may arise to publish network resources to users on the Internet, whether they are internal employees or strategic business partners. Static mode fulfills this requirement by providing a one-to-one assignment between the published IP address and the real IP address. Static mode would typically be implemented when administrators do not wish to expose the real IP addresses of the network servers, or when a network IP address was assigned historically and "real" addresses must be provided so that people on the Internet can access them. 

With Check Point FireWall-1, both static and dynamic address translation modes provide an unlimited amount of control and flexibility in setting up an organization's network. 
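The two FireWall-1 modes described above, together with the range-based substitution the text warns against, as an added Python simulation (this is not Check Point's code; the addresses are constructed from documentation ranges, and the source-port rewriting used to tell hide-mode replies apart is an assumption the page does not spell out):

```python
# Added example, not from the Check Point page: a small simulation of the three
# address-substitution schemes the text contrasts. Addresses are constructed
# (RFC 5737 documentation ranges); source-port rewriting is assumed as the
# mechanism that demultiplexes replies in dynamic (hide) mode.
from itertools import count


class StaticNAT:
    """Static mode: a fixed one-to-one map between a real and a published address."""

    def __init__(self, real_to_public):
        self.out = dict(real_to_public)
        self.back = {pub: real for real, pub in self.out.items()}

    def outbound(self, real_ip):
        return self.out.get(real_ip)        # None: host is not published

    def inbound(self, public_ip):
        return self.back.get(public_ip)     # reverse lookup for inbound traffic


class DynamicNAT:
    """Dynamic (hide) mode: every host shares one public address; the firewall keeps
    per-connection state keyed on a rewritten source port, so the number of hosts
    hidden behind it is not bounded by an address range."""

    def __init__(self, public_ip, first_port=10000):
        self.public_ip = public_ip
        self.ports = count(first_port)
        self.table = {}                     # translated port -> (real_ip, real_port)

    def outbound(self, real_ip, real_port):
        port = next(self.ports)
        self.table[port] = (real_ip, real_port)
        return self.public_ip, port

    def inbound(self, public_port):
        return self.table.get(public_port)  # None: no matching outbound connection


class PoolNAT:
    """Range-based substitution: each new host consumes one public address from a
    finite pool; once the pool is used up, further hosts cannot get out."""

    def __init__(self, pool):
        self.free = list(pool)
        self.table = {}

    def outbound(self, real_ip):
        if real_ip not in self.table:
            if not self.free:
                return None                 # range used up
            self.table[real_ip] = self.free.pop(0)
        return self.table[real_ip]
```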

Configuration is Simple

With FireWall-1, there are two methods for specifying address translation. One is to enable automatic address translation while defining a network object; this automatically generates the appropriate translation rule. The other is to write the address translation rules directly in the address translation rules editor. All network objects can be used in address translation rules. FireWall-1 has the unique capability of validating the specified address translation rules, helping to avoid mistakes in the configuration process. 

Network Address Translation Dialog Boxes make it easy to specify network properties.

Network Address Translation rules are generated automatically from information provided during the object definition process. You can also manually specify address translation rules providing complete control. 


© 1999 Check Point Software Technologies Ltd. All rights reserved. Used with permission.