GNAT Operation
GNAT is a high performance network address translator (NAT). Its core engine maps internal to external addresses using port
translation (NAPT) based on pre-defined mapping rules. Its small footprint and
robustness have been specifically designed for use in an embedded environment.
GNAT's flexibility and ease of customization make it the NAT
of choice in embedded networking applications.
GNAT typically operates on a gateway or router between an internal and an external
network and helps to conserve IP addresses. It does this by creating "local"
networks that are connected to the Internet through a single routable (public)
IP address. GNAT maintains an address translation table containing the active mappings
between internal and external IP addresses and port numbers. These mappings are created
dynamically by rule matching when a packet passes through GNAT. Based
on the mappings, each IP datagram sent out with an internal source address
has its source address (and, with NAPT, its source port) replaced by the appropriate external values and
is re-injected into the packet stream. This process is reversed when a packet
is received: the mapping identifies the original requestor to which the packet
should be forwarded. This makes a many-to-one address
mapping possible, since many internal IP addresses can be mapped to one external IP address.
Mappings are automatically deleted after a pre-configured inactivity period.

Inbound & Outbound Mappings
GNAT includes a redirection command that redirects inbound packets to a specified
internal IP address. This allows external devices to initiate connections to internal
NAT-ed nodes, which is necessary when the internal nodes run servers
(such as FTP or HTTP) that must be reachable from the outside. Besides inbound
mapping, GNAT also supports redirection in the outgoing direction, allowing services
such as DNS to be port-forwarded from the internal network.
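The following is an added illustration of the translation table described in the operation section, combined with a static inbound redirect of the kind described above; it is not GNAT's code. It models the three behaviours the text describes: an outbound packet creates a mapping and is rewritten to the external address and a translated port, a returning packet is reverse-mapped to the original internal host, and a mapping is deleted after the inactivity timeout. Inbound packets that match neither a live mapping nor a redirect rule are dropped. The gateway address, port range and timeout are constructed values.

```python
# Minimal NAPT table model (added example; not GNAT's implementation).
# Keys are (internal_ip, internal_port); values are [external_port, last_seen].

class Napt:
    def __init__(self, external_ip, idle_timeout, redirects=None, first_port=40000):
        self.external_ip = external_ip          # single routable address (constructed)
        self.idle_timeout = idle_timeout        # seconds of inactivity before deletion
        self.redirects = redirects or {}        # external port -> (internal ip, port)
        self.table = {}                         # dynamic mappings
        self.next_port = first_port             # next translated source port to hand out

    def _expire(self, now):
        # Remove every mapping idle for longer than the configured timeout.
        for key, (_port, seen) in list(self.table.items()):
            if now - seen > self.idle_timeout:
                del self.table[key]

    def outbound(self, src_ip, src_port, now):
        # Rewrite an internal source; create the mapping on first use.
        self._expire(now)
        key = (src_ip, src_port)
        if key not in self.table:
            self.table[key] = [self.next_port, now]
            self.next_port += 1
        self.table[key][1] = now                # refresh inactivity timer
        return self.external_ip, self.table[key][0]

    def inbound(self, dst_port, now):
        # Reverse-translate a packet arriving at the external address.
        self._expire(now)
        for key, entry in self.table.items():
            if entry[0] == dst_port:
                entry[1] = now                  # activity keeps the mapping alive
                return key                      # (internal ip, internal port)
        if dst_port in self.redirects:          # static inbound mapping (server behind NAT)
            return self.redirects[dst_port]
        return None                             # unsolicited inbound: dropped

if __name__ == "__main__":
    nat = Napt("203.0.113.1", 300, redirects={80: ("192.168.1.10", 80)})
    print(nat.outbound("192.168.1.5", 51000, 0))   # mapped to external port 40000
    print(nat.inbound(40000, 5))                   # returns ('192.168.1.5', 51000)
    print(nat.inbound(40007, 5))                   # None: no mapping, no redirect
    print(nat.inbound(40000, 400))                 # None: mapping expired
```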

Local Network Security
A useful feature of GNAT is its ability to hide the private IP addresses on its internal
side. Nodes on the internal network may freely establish connections with
external nodes, while connections from the external side are blocked or
permitted by GNAT in a controlled manner. GNAT can allow just a few connections,
or even no connections, to be established in this direction. GNAT thus offers
security by assigning nodes on the internal network non-routable private IP addresses
that cannot be reached directly by potential threats on the outside.

Dynamic Firewall Interface
GNAT's private IP address hiding complements the perimeter security of IP packet
filtering firewalls. A unique feature of GNAT allows a NAT
mapping to be associated with a firewall rule. When the NAT entry is created, it also opens a firewall
window. This provides a convenient way to enable a dynamic firewall rule that allows
activity on specific ports only while a connection initiated from the internal side exists.
The firewall window is closed when the NAT entry expires.

Application Level Gateway
Some TCP/IP protocols embed addressing information in the payload of their packets.
For example, during an "active" FTP connection, the client informs the
server of its IP address and port number and then waits for the server to open
a connection to that address. GNAT has to monitor these packets and modify them
on the fly, replacing the client's IP address (which is on the internal network)
with the NAT-ed address. This requires a specialized application-level
gateway module (ALG) for every protocol that carries IP addresses in its payload.
GNAT supplies an implementation of the FTP ALG, which can be used as a reference
for any other protocol that requires a specialized ALG.

Portable Private Networks
GNAT's setup of a "local" network on its internal side, with
its own private IP address scheme, allows for maximum address portability, since
this network can be connected to any external network without any IP address change
for the internal nodes. This is particularly useful in embedded environments, where
the "local" network may be part of a single embedded system. GNAT
allows such applications to refer to the internal addresses without reference
to the external IP address in use, which may change with DHCP assignment
or with the inclusion of the embedded devices in a customer network.

Management Framework
GNAT supports a customizable management interface presented through a string-based
command layer, which can be driven from a web server, from structured
data files such as XML, or from a CLI. Rule numbering makes it easy to
override rules at any level. Management of nodes on the internal network is also
eased, since they can be assigned private IP addresses that do not change even
when the external IP address changes on connection to a different external network.