Page 906 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

All routers and traffic-directing devices are configured by default not to forward traffic to or from these IP addresses. In other words, the private IP addresses are not routed by default. Thus, they cannot be directly used to communicate over the internet. However, they can be easily used on private networks where routers are not employed or where slight modifications to router configurations are made. Using private IP addresses in conjunction with NAT greatly reduces the cost of connecting to the internet by allowing fewer public IP addresses to be leased from an ISP.




Attempting to use these private IP addresses directly on the internet is futile because all publicly accessible routers will drop data packets containing a source or destination IP address from these RFC 1918 ranges.
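The drop rule described above can be modelled in a few lines. The following is an added example, not code from the study guide: it encodes the three RFC 1918 blocks (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, well-known values that this page does not list itself) and shows how a public router would classify packets. The sample packets use documentation addresses (203.0.113.0/24 and 198.51.100.0/24) and are constructed for the example.

```python
import ipaddress

# The RFC 1918 private address blocks (well-known values, assumed here;
# this page refers to the ranges but does not list them).
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(address: str) -> bool:
    """Return True if the IPv4 address lies inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(address)
    # RFC 1918 covers IPv4 only; IPv6 addresses never match.
    return addr.version == 4 and any(addr in net for net in RFC1918_NETWORKS)


def internet_router_forwards(src: str, dst: str) -> bool:
    """Model the default behaviour of a publicly accessible router:
    a packet is forwarded only if neither its source nor its destination
    is an RFC 1918 address; otherwise it is dropped."""
    return not (is_rfc1918(src) or is_rfc1918(dst))


def filter_packets(packets):
    """Split (src, dst) pairs into the packets a public router forwards
    and the packets it drops."""
    forwarded, dropped = [], []
    for src, dst in packets:
        if internet_router_forwards(src, dst):
            forwarded.append((src, dst))
        else:
            dropped.append((src, dst))
    return forwarded, dropped


if __name__ == "__main__":
    # Constructed sample traffic (documentation and private addresses).
    sample = [
        ("203.0.113.5", "198.51.100.9"),   # public -> public: forwarded
        ("192.168.1.10", "198.51.100.9"),  # private source: dropped
        ("203.0.113.5", "10.4.4.4"),       # private destination: dropped
        ("172.31.255.1", "172.32.0.1"),    # 172.31.x is private, 172.32.x is not
    ]
    fwd, drp = filter_packets(sample)
    print("forwarded:", fwd)
    print("dropped:  ", drp)
```

The 172.16.0.0/12 boundary is the one practitioners most often get wrong by hand (172.16.0.0 through 172.31.255.255 is private; 172.32.0.0 is not), so the sample deliberately includes both sides of it.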



Stateful NAT


NAT operates by maintaining a mapping between requests made by internal clients, a client's internal IP address, and the IP address of the internet service contacted. When a request packet is received by NAT from a client, it changes the source address in the packet from the client's to the NAT server's. This change is recorded in the NAT mapping database along with the destination address. Once a reply is received from the internet server, NAT matches the reply's source address to an address stored in its mapping database and then uses the linked client address to redirect the response packet to its intended destination. This process is known as stateful NAT because it maintains information about the communication sessions between clients and external systems.
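The mapping database described above, as an added example rather than code from the study guide: a small stateful NAT simulator that rewrites the source of outbound requests, records the client and server addresses per session, and only forwards an inbound packet when its source matches the recorded server for that session. It also goes slightly beyond the paragraph by modelling the one-to-one configuration the page discusses next, where each leased public address serves a single internal client at a time and further clients are refused until an address is released. Class and method names, and the public pool and sample addresses (documentation ranges), are assumptions for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    """Minimal IP packet model: only the fields NAT inspects and rewrites."""
    src: str
    dst: str
    payload: str = ""


class StatefulNAT:
    """One-to-one stateful NAT (assumed name) over a pool of leased public addresses.

    table maps a public address in use -> (internal client, external server).
    free holds the public addresses not currently assigned to any client.
    """

    def __init__(self, public_pool: List[str]):
        self.free: List[str] = list(public_pool)
        self.table: Dict[str, Tuple[str, str]] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a request from an internal client.

        Returns the rewritten packet with a public source address, or None
        when every leased address is in use (the bottleneck the text describes).
        """
        # A client that already holds a public address keeps using it.
        for pub, (client, _server) in self.table.items():
            if client == pkt.src:
                return Packet(pub, pkt.dst, pkt.payload)
        if not self.free:
            return None  # no public address available: this client must wait
        pub = self.free.pop(0)
        # Record the session: which client owns this public address and
        # which external server it contacted.
        self.table[pub] = (pkt.src, pkt.dst)
        return Packet(pub, pkt.dst, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Handle a packet arriving from the internet.

        The packet is delivered to the linked client only if its destination
        is a mapped public address and its source is the server recorded for
        that session; anything else (unsolicited or mismatched) is dropped.
        """
        entry = self.table.get(pkt.dst)
        if entry is None:
            return None  # no session owns this public address
        client, server = entry
        if pkt.src != server:
            return None  # reply does not match the recorded external peer
        return Packet(pkt.src, client, pkt.payload)

    def release(self, public_addr: str) -> None:
        """End a session and return the public address to the free pool."""
        if public_addr in self.table:
            del self.table[public_addr]
            self.free.append(public_addr)


if __name__ == "__main__":
    # Constructed scenario: two leased public addresses, three internal clients.
    nat = StatefulNAT(["203.0.113.1", "203.0.113.2"])
    for client in ("192.168.1.10", "192.168.1.11", "192.168.1.12"):
        out = nat.outbound(Packet(client, "198.51.100.9", "GET /"))
        print(client, "->", out.src if out else "WAIT (pool exhausted)")
    reply = nat.inbound(Packet("198.51.100.9", "203.0.113.1", "200 OK"))
    print("reply delivered to", reply.dst if reply else "nobody")
    stray = nat.inbound(Packet("198.51.100.77", "203.0.113.1", "probe"))
    print("unsolicited packet", "delivered" if stray else "dropped")
```

Two things worth noticing in the inbound path: the NAT forwards nothing it has no session for, which is why hosts behind it are not directly reachable from the internet, and the match is on the external peer's address as well as the public address, so a packet from some other host to a mapped address is dropped rather than handed to the client.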


NAT can operate on a one-to-one basis with only a single internal client able to communicate over one of its leased public IP addresses at a time. This type of configuration can result in a bottleneck if more clients attempt internet access than there are public IP addresses. For example, if there are only five leased public IP addresses, the sixth client must wait until an address is released before its communications