Amritam Putatunda
Technical Product Manager

Validating NAT in Application-Aware Devices? We Have You Covered.

April 29, 2016 by Amritam Putatunda

It’s becoming increasingly common to see network and security teams preferring to deploy Network Address Translation (NAT) in the firewall rather than in any other device. It’s considered more convenient to have the NAT rules and the firewall policies configured on the same device. Firewalls have supported NAT for quite some time now, and vendors have promoted the use of NAT in firewalls because it helps obscure the internal addressing scheme, making reconnaissance harder for attackers. Previously, some deployments placed NAT in a separate device (such as a NAT router) rather than in the firewall, but the consistent push from vendors, combined with the benefits of unification, has led to the growing trend of deploying NAT in firewalls.

Key Concerns of Deploying NAT in Firewalls

While the processing speed and compute power of firewalls have gone up considerably over the last few years, so have their responsibilities. Today’s next-generation firewalls (NGFW) and unified threat management (UTM) devices are expected to perform multiple functions like VPN, DPI, etc. Considering this, there are two key problem areas you’ll want to validate when enabling NAT in your firewall:

  1. Performance impact on the firewall
  2. Efficacy impact on the firewall: every feature, like app blocking, VPN, and signature detection, must work the same way with or without NAT in place

What Did We Do?

In the latest BreakingPoint 8.0.1 release, Ixia introduced several enhancements in the GUI and infrastructure to ensure validation of maximum performance, scalability, and security efficiency of firewalls when they are also performing NAT. To configure NAT translation in regular testing, all you have to do is open “Network Neighbourhood” (in case you need a quick recap of the BreakingPoint components, you can find them here), click on the “NAT” field in the IPV4 STATIC HOSTS bucket as shown below, and… that’s it!

[Figure: NAT feature in BreakingPoint]

Fig 1: Enabling NAT in BreakingPoint

This will let BreakingPoint know that there will be a translation happening and traffic selected under this Network Neighbourhood will run seamlessly (as long as the NAT configuration in the firewall is right). Use this newly created NAT Network Neighbourhood to test all your pre-existing load and security profiles and find if there is any difference in performance or security effectiveness after enabling dynamic or static NAT.

What Did We Find?

As part of this exercise, the engineering team ran several of our regular performance test cases, first without and later with NAT enabled, on a few cutting-edge firewalls. Below is the tabular summary of one of the results.

[Table image: NAT-2, results summary with and without NAT (values not reproduced in text)]

As is clear from the table, even though the throughput remains the same, there is a significant impact on the concurrent connections and connections per second statistics. Of course, this data may vary depending on the type of NAT configuration and the device type, but this definitely calls for a fresh set of tests to validate device performance under NAT conditions. So if you haven’t done so yet, upgrade BreakingPoint to 8.0.1 and check out how your security device performs when implementing NAT in your firewall. If you don’t have BreakingPoint yet, request a quote here.
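One way to make that “with NAT vs. without NAT” comparison repeatable is to script it, so that every firewall build or NAT policy change gets the same regression check against the three metrics discussed above. The following Python script is an added example and is not Ixia or BreakingPoint code: it assumes each test run has been exported to a small `metric,value` CSV (BreakingPoint’s own export formats are not used here), and the sample numbers are constructed for illustration, not the figures from the table above.

```python
"""Compare firewall performance runs with and without NAT.

Added example (not Ixia/BreakingPoint code). Assumes each run has been
exported as a two-column 'metric,value' CSV; the sample numbers below are
constructed and are not the results from the blog's table.
"""
import csv
import io
from dataclasses import dataclass

# Metrics where a lower number means the firewall did worse under NAT.
HIGHER_IS_BETTER = ("throughput_gbps", "concurrent_connections", "connections_per_second")


@dataclass(frozen=True)
class RunResult:
    throughput_gbps: float
    concurrent_connections: int
    connections_per_second: int


def parse_results(csv_text: str) -> RunResult:
    """Parse a 'metric,value' export into a RunResult, failing loudly on gaps."""
    values = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        values[row["metric"].strip()] = float(row["value"])
    missing = [m for m in HIGHER_IS_BETTER if m not in values]
    if missing:
        raise ValueError(f"export is missing metrics: {missing}")
    return RunResult(
        throughput_gbps=values["throughput_gbps"],
        concurrent_connections=int(values["concurrent_connections"]),
        connections_per_second=int(values["connections_per_second"]),
    )


def percent_change(baseline: float, value: float) -> float:
    """Relative change from baseline in percent, rounded to two decimals."""
    if baseline == 0:
        raise ValueError("baseline metric is zero; cannot compute relative change")
    return round((value - baseline) * 100.0 / baseline, 2)


def compare_runs(no_nat: RunResult, with_nat: RunResult, tolerance_pct: float = 5.0) -> dict:
    """Per-metric comparison; a metric is 'regressed' if it fell by more than tolerance_pct."""
    report = {}
    for metric in HIGHER_IS_BETTER:
        base = getattr(no_nat, metric)
        nat = getattr(with_nat, metric)
        change = percent_change(base, nat)
        report[metric] = {
            "without_nat": base,
            "with_nat": nat,
            "pct_change": change,
            "regressed": change < -tolerance_pct,
        }
    return report


def regressed_metrics(report: dict) -> list:
    """Names of the metrics that need NAT-specific investigation."""
    return [m for m, r in report.items() if r["regressed"]]


# Constructed sample exports (illustrative values only).
NO_NAT_CSV = """metric,value
throughput_gbps,40.0
concurrent_connections,2000000
connections_per_second,250000
"""

WITH_NAT_CSV = """metric,value
throughput_gbps,40.0
concurrent_connections,1400000
connections_per_second,180000
"""


def main() -> None:
    report = compare_runs(parse_results(NO_NAT_CSV), parse_results(WITH_NAT_CSV))
    for metric, r in report.items():
        flag = "REGRESSED" if r["regressed"] else "ok"
        print(f"{metric:24s} {r['without_nat']:>12} -> {r['with_nat']:>12}"
              f"  {r['pct_change']:+7.2f}%  {flag}")
    print("needs NAT-specific investigation:", regressed_metrics(report))


if __name__ == "__main__":
    main()
```

With the constructed inputs the script reports throughput unchanged but flags concurrent connections (-30%) and connections per second (-28%), which mirrors the pattern described above: the tolerance threshold is a parameter, so teams can tighten it for devices where connection-table capacity is the sizing constraint.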

Leverage Subscription Service to Stay Ahead of Attacks

The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.