Local Network Addresses
Three pools of IP addresses have been reserved for use on local networks that are either behind firewalls and proxy servers or not connected to the Internet in any manner. The reserved address pools, known as private network addressing, are:
10.0.0.0 through 10.255.255.255
172.16.0.0 through 172.31.255.255
192.168.0.0 through 192.168.255.255
These addresses were created to provide networks not attached to the Internet with a pool of IP addresses that do not conflict with any addresses currently in use on the Internet. If networks using these reserved addresses link to the Internet in the future, they do not have to worry about an address conflict with any other network on the Internet.
The network in Figure 3.5 uses the network address 192.168.3.0 for the private network. In this example, the firewall has a component known as the Local Address Table (LAT). The Local Address Table designates that the internal interface of the firewall is on the 192.168.3.0 network. Any hosts using an IP address that belongs on the 192.168.3.0 network must be located on the internal side of the firewall. A host trying to connect from the Internet side of the firewall will be stopped by the firewall for security reasons.
Figure 3.5 Use of private addresses.
Why Private Addresses Were Created
When I first started to set up firewalls, I was not aware of the reserved local address tables. I used the network address 220.127.116.11 with the subnet mask 255.255.0.0 for my internal network.
I thought I correctly configured this network range into the firewall's LAT and communications function, until someone attempted to send e-mail to a recipient at microsoft.com. The mail server for the domain microsoft.com was located at 18.104.22.168. When the e-mail was forwarded to our firewall, it resolved the Mail Exchanger (MX) record for microsoft.com and determined that it needed to forward the mail to 22.214.171.124. Using its LAT table, the firewall determined that this server must be located somewhere on our local network. The mail was not successfully delivered, ever!
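The LAT behavior described above, and the misconfiguration from this anecdote, can be checked with a short script. This is an added example, not code from the book or from any firewall product; the function names, the simplified accept/drop model, and the sample LAT entries are assumptions made for illustration.

```python
import ipaddress

# The three reserved private pools listed above. Note: ipaddress's is_private
# is broader than these pools (it also covers documentation and other special
# ranges), so the pools are tested explicitly.
PRIVATE_POOLS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_private_pool(network):
    """True if the whole network lies inside one of the three reserved pools."""
    net = ipaddress.ip_network(network)
    return any(net.subnet_of(pool) for pool in PRIVATE_POOLS)


def audit_lat(lat):
    """Return LAT entries outside the private pools; these shadow Internet hosts."""
    return [entry for entry in lat if not in_private_pool(entry)]


def is_local(address, lat):
    """True if the LAT places this address on the internal side of the firewall."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(entry) for entry in lat)


def filter_inbound(source, interface, lat):
    """Drop packets arriving on the external interface with a LAT source address."""
    if interface == "external" and is_local(source, lat):
        return "drop"
    return "accept"


# Constructed sample data. 203.0.113.0/24 is a documentation range standing in
# for a publicly routable block entered into the LAT by mistake.
GOOD_LAT = ["192.168.3.0/24"]
BAD_LAT = ["192.168.3.0/24", "203.0.113.0/24"]

if __name__ == "__main__":
    print("Non-private entries in GOOD_LAT:", audit_lat(GOOD_LAT))
    print("Non-private entries in BAD_LAT:", audit_lat(BAD_LAT))
    print("Internal source seen on external interface:",
          filter_inbound("192.168.3.25", "external", GOOD_LAT))
    print("Outside mail server treated as local by BAD_LAT:",
          is_local("203.0.113.10", BAD_LAT))
```

Running an audit like this before loading a LAT catches the case in the anecdote, where an Internet destination is treated as a local host and traffic to it is never forwarded outward.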
Besides preventing address conflicts with the Internet, private network addressing also reduces the demand for public network IP addresses. When data is sent from the private network to the public network, the original source address information is translated to an ISP-obtained outbound address. This process is known as network address translation (NAT).
The NAT process helps prevent external attackers from determining the IP addresses in use on your private network, and it reduces the demand for public network addresses. For example, if you had thousands of hosts behind your firewall, you would only require a single public network IP address for outbound traffic, rather than one per host on the private network.
NAT is discussed in Day 13, "Protecting Your Network."