Network security mechanisms utilising network address translation

摘要

A new protocol technology is just starting to emerge from the laboratory environment. Its stated purpose is to provide a means whereby networks, and the services that reside on them, can be protected from adversarial compromise. This protocol called Dynamic Network Address Translation (Dynat) is designed to protect computer networks against cyber attacks. Briefly, Dynat changes network parameters, such as the IP address and port numbers, between communication sessions and even during sessions. As a result, an adversary cannot associate activity on a given port of a given IP address with an application on a particular computer, thereby presenting a significant barrier to network attacks. This paper identifies the major components or attributes that are associated with the Dynat protocol and describes some of the potential implementations and associated network architectures that can deploy Dynat. It examines inter-operability issues associated with Dynat's interaction with other network protocols along with its impact on standard security implementations, such as IPSec and Intrusion Detection Systems.