Types of Network Address Translation (NAT) for Control Systems (Part 2)

Types of NAT

Part 1 of this series discussed 1:1 NAT and Port Forwarding NAT. This article continues with a discussion of two other Network Address Translations: 1:many and Outbound.

Note that the use cases for this discussion are generic but are useful for control system networks using EtherNet/IP, Modbus TCP, and PROFINET IO. Many of these concepts that follow (but not all) are IT concepts, and the use cases are going to be different than many of the IT use cases.

1:many NAT

1:many NAT is a more difficult NAT concept to understand than the concepts in the last article. It is a combination of 1:1 NAT and the Port Forwarding NAT. Unlike 1:1 NAT, the destination address in the control network can vary. Unlike Port Forwarding NAT, you can specify a slew of ports to use in the mapping. 1:many translates a series of ports on an inbound address to a series of destinations and port numbers inside the control network.

1:many NAT

Why Use it?

Given the limited scope of control systems and that we want to restrict the number of devices on the control system that is accessed by external clients, there aren’t many use cases for 1:many.

Outbound NAT

An Outbound NAT is simply a way for an internal device to easily map communication to a remote client. The NAT device substitutes the original target and port number for a new destination. The address of the NAT WAN interface is substituted for the originator of the message.

outbound NAT

Why Use it?

It is generally more secure for a control system device to initiate communications with a network device than it is for outside devices to try to connect to devices inside the control network.

Network Address Translation is a handy tool for control engineers and nearly vital for machine builders. There are lots of NAT devices built for IT, but these devices generally used the very cryptic notation that is common for trained IT professionals. Even the NAT devices from the large control system vendors are cryptic and hard to use.

An alternative is the ICS-Defender NAT/RA device from Dynics. Not only does the ICS Defender have full NAT capabilities to do all the network address translation discussed in the last two articles, but it also has Remote Access and many other features in a graphical, menu-driven interface. You can learn more about ICS Defender by clicking on ICS Defender NAT/RA.