IP addresses come in two forms: public addresses, which are assigned by a central network authority and may be used to reach systems located across the Internet, and private addresses, which are available for anyone's use but may only be used on local networks and do not work across the Internet. In this video, learn the differences between public and private IP addresses and the use of Network Address Translation, or NAT.
- As we've discussed throughout this course, IP addresses uniquely identify systems on a network. TCP/IP-compatible devices use these addresses to correctly route packets across networks, but how are these addresses assigned? IP addresses come in two forms: public addresses, which are assigned by a central network authority and may be used to reach systems located across the internet, and private addresses, which are available for anyone's use, but may only be used on local networks and will not work across the internet.
Let's begin by discussing public IP addresses. These addresses are centrally managed by a group known as the Internet Corporation for Assigned Names and Numbers, or ICANN. ICANN breaks addresses up into blocks, and gives them out to regional authorities in different countries for distribution. These regional authorities each take responsibility for a geographic portion of the world. For example, the American Registry for Internet Numbers, or ARIN, governs the distribution of IP addresses in the United States and Canada.
One of the major issues with IP addresses is that they are a scarce resource, especially when it comes to the traditional dotted quad IPv4 addresses. There are no large blocks of IPv4 addresses available for assignment today, and the only way to get these public IP addresses is by purchasing or renting them from other organizations, such as internet service providers. In the early days of networking, many organizations would simply obtain a large block of public IP addresses and use them on all of their systems.
For example, if an organization owned the 188.8.131.52 network, they might have just freely handed out those addresses on their own networks. The scarcity of IP addresses, combined with security concerns, makes this impractical today. Why are these addresses so scarce? With the dotted quad notation of IPv4, there are only 4.3 billion possible IP addresses. While this may sound like a lot, Cisco estimates that there are currently around seven and a half billion mobile devices alone in the world today.
That count doesn't even include servers, desktop computers, network appliances, or any non-mobile devices. There simply aren't enough possible addresses to assign every device in the world a unique public IP address. The solution to this dilemma is the use of private IP address ranges. When ICANN's predecessor organizations divided up the original IP address space, they reserved three different address ranges for use on private networks. These ranges are the 10 network, from 10.0.0.1 to 10.255.255.255.
Another is the portion of the 172 network, from 172.16.0.1 to 172.31.255.255. And the last is the 192.168 network, from 192.168.0.1 to 192.168.255.255. These ranges are called private IP addresses and anyone can use them on their local networks. The only catch is that they are reserved for use on private networks and cannot be used for routing traffic across the internet.
Today, organizations typically use a balance of public and private IP addresses. They use private addresses broadly within their private networks, assigning them to all of their internal systems. They then use a small number of public IP addresses for systems that require public access. In the case of this network that formerly used public addresses from the 8.1 range, administrators might instead assign private addresses from the 192.168 range.
You might have noticed one problem with this approach. Systems that have private IP addresses cannot communicate on the internet using those addresses because they are not internet-routable. Thousands of organizations around the world use those same private addresses on their own internal networks, so remote systems would have no way of telling where reply traffic should actually go. The solution to this is a technology known as Network Address Translation, or NAT. Routers and firewalls perform NAT translation at the border of a network.
When a system with a private IP address, such as this laptop with private address 192.168.1.1, wants to communicate on the internet, the NAT device lends the system a public IP address temporarily for use during that communication. It then records the public and private IP address translation in a table, and when a reply comes in for that public address, the NAT device looks up the corresponding private address in the table, and then routes the packet to the correct system on the private network.
NAT does introduce new concerns for security professionals. It does bring the privacy benefit of hiding IP addresses from the public internet, and limiting direct access to systems, but it also makes it difficult to correlate activity on a public IP address back to the true originator. For this reason, most organizations maintain logs of their NAT translations that allow them to determine who was using a particular public IP address at any given time. NAT is a very useful technology, but it is somewhat limited because it requires a public IP address for every system on the network that needs to communicate on the internet.
Since most organizations have a limited pool of public addresses, they can quickly run into a situation where that pool is exhausted and no new systems can communicate on the internet. Port Address Translation, or PAT, solves this problem by allowing multiple systems to share the same public address. Instead of recording translations between IP addresses, PAT assigns each connection a different port on a public IP address. This way, many different systems can share the same public IP address at any point in time.
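The following script is an added example, not code from the course or its instructor. It models the border device described in the transcript: an RFC 1918 check for the three private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), a basic NAT that lends one public address per internal host and fails when its pool is exhausted, a PAT mode that shares a single public address by handing each connection its own port, the reply lookup in the translation table, and the translation log used to answer "who was using this public address". The public addresses 203.0.113.x and the remote host 198.51.100.5 are constructed sample values from the documentation ranges; the class and method names are this example's own.

```python
"""Model of a NAT/PAT border device: RFC 1918 check, translation table, reply lookup, audit log.
Added example; the addresses below are constructed sample values, not real hosts."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The three RFC 1918 private ranges. Nothing inside them is routed on the public Internet.
RFC1918 = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)

Endpoint = Tuple[str, int]  # (address, port)


def is_private(addr: str) -> bool:
    """True when addr falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


class PoolExhausted(Exception):
    """Raised by basic NAT when every public address is already lent to an internal host."""


@dataclass
class Translation:
    private: Endpoint   # internal host and port
    public: Endpoint    # what the Internet sees
    dest: Endpoint      # remote peer


@dataclass
class NatDevice:
    public_pool: List[str]
    use_pat: bool = False
    # Live translations, keyed by the public (address, port) so replies can be mapped back.
    table: Dict[Endpoint, Translation] = field(default_factory=dict)
    # Append-only record of every translation ever made, kept for later correlation.
    log: List[Translation] = field(default_factory=list)
    _host_to_public: Dict[str, str] = field(default_factory=dict)  # basic NAT lease per host
    _next_port: int = 1024                                          # PAT port allocator

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Endpoint:
        """Translate a packet leaving the private network; returns the public (address, port)."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not an RFC 1918 address; nothing to translate")
        if self.use_pat:
            # PAT: one public address for everyone, distinguished by a per-connection port.
            pub_ip = self.public_pool[0]
            pub_port = self._next_port
            self._next_port += 1
        else:
            # Basic NAT: each internal host borrows a whole public address; port is untouched.
            pub_ip = self._host_to_public.get(src_ip)
            if pub_ip is None:
                in_use = set(self._host_to_public.values())
                free = [p for p in self.public_pool if p not in in_use]
                if not free:
                    raise PoolExhausted(f"no public address left for {src_ip}")
                pub_ip = free[0]
                self._host_to_public[src_ip] = pub_ip
            pub_port = src_port
        entry = Translation((src_ip, src_port), (pub_ip, pub_port), (dst_ip, dst_port))
        self.table[(pub_ip, pub_port)] = entry
        self.log.append(entry)
        return pub_ip, pub_port

    def inbound(self, pub_ip: str, pub_port: int) -> Optional[Endpoint]:
        """Map a reply addressed to a public (address, port) back to the internal host, if any."""
        entry = self.table.get((pub_ip, pub_port))
        return entry.private if entry else None

    def who_used(self, pub_ip: str, pub_port: Optional[int] = None) -> List[str]:
        """Answer the investigator's question: which internal hosts appeared as this public address?"""
        return sorted({
            t.private[0] for t in self.log
            if t.public[0] == pub_ip and (pub_port is None or t.public[1] == pub_port)
        })


if __name__ == "__main__":
    remote = ("198.51.100.5", 443)
    nat = NatDevice(public_pool=["203.0.113.10", "203.0.113.11"])
    for host in ("192.168.1.1", "192.168.1.2", "192.168.1.3"):
        try:
            print(host, "->", nat.outbound(host, 50000, *remote))
        except PoolExhausted as exc:
            print(host, "blocked:", exc)          # third host finds the two-address pool empty
    pat = NatDevice(public_pool=["203.0.113.10"], use_pat=True)
    for host in ("192.168.1.1", "192.168.1.2", "192.168.1.3"):
        print(host, "->", pat.outbound(host, 50000, *remote))   # all three share one address
    print("reply to 203.0.113.10:1025 goes to", pat.inbound("203.0.113.10", 1025))
    print("hosts behind 203.0.113.10:", pat.who_used("203.0.113.10"))
```

The basic NAT pool runs dry after two hosts while the PAT device keeps serving new connections from the same single address; the `who_used` query only works because the device kept its translation log after the live table entries could have aged out, which is the logging practice the transcript recommends.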
The Certified Information Systems Security Professional (CISSP) certification is an important component of any security professional's resume, and is a requirement for many top jobs. In this course, prepare for the fourth domain of the exam: Communications and Network Security. Instructor and cybersecurity expert Mike Chapple goes over TCP/IP networking, network security devices, and secure network design. Mike also includes coverage of specialized networking, network attacks, wireless networking, and more.