Nat/Napt - Siemens SIMATIC NET System Manual

Industrial ethernet / profinet industrial ethernet

"Stateful Inspection"
"Stateful Inspection" goes a step further than the packet filter and takes into consideration
the "context" within the communication in addition to the addresses and ports.
This means that web page packets that are sent from an external server to an internal client
can only pass the firewall if the internal client has specifically requested these packets
beforehand.
Such techniques are relevant, among other things, for warding off "Denial of Service" ("DoS")
attacks, in which an external attacker sends simultaneous queries from numerous computers to
the attacked target computer in order to paralyze it through network traffic congestion. With
Stateful Inspection, these illegitimate queries are already intercepted at the boundary of the
local network, so that local traffic continues undisturbed by the DoS attack.
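The following simulation is an added example, not code from the Siemens manual: it contrasts a plain packet filter, which judges each packet only by addresses and ports, with a stateful filter that records each outbound request and admits inbound traffic only when it mirrors one. The address ranges, port numbers and the four packets of traffic are constructed for the illustration.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "192.168.0."   # constructed: the protected local network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_decide(pkt: Packet) -> str:
    """Plain packet filter: looks at addresses and ports of this packet only.
    Rule: local nodes may talk outward; inbound traffic is accepted when it
    comes from a web server port (80), whether or not anyone asked for it."""
    if is_internal(pkt.src_ip) and not is_internal(pkt.dst_ip):
        return "ALLOW"
    if not is_internal(pkt.src_ip) and is_internal(pkt.dst_ip) and pkt.src_port == 80:
        return "ALLOW"
    return "DROP"


class StatefulFilter:
    """Stateful inspection: an inbound packet passes only if it answers a
    request an internal client sent earlier (tracked as a 4-tuple)."""

    def __init__(self) -> None:
        self.connections: set[tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        if is_internal(pkt.src_ip) and not is_internal(pkt.dst_ip):
            # Outbound request: remember it so the matching reply can be recognised.
            self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "ALLOW"
        if not is_internal(pkt.src_ip) and is_internal(pkt.dst_ip):
            # Inbound: the reply must mirror a recorded request exactly.
            mirrored = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            return "ALLOW" if mirrored in self.connections else "DROP"
        return "DROP"


# Constructed traffic: one legitimate web exchange, then unsolicited inbound packets.
TRAFFIC = [
    Packet("192.168.0.10", 50000, "203.0.113.5", 80),    # client requests a page
    Packet("203.0.113.5", 80, "192.168.0.10", 50000),    # the server's reply
    Packet("198.51.100.7", 80, "192.168.0.10", 50000),   # unsolicited, uses a web server port
    Packet("198.51.100.8", 80, "192.168.0.20", 50001),   # unsolicited, aimed at another node
]


def run_demo() -> dict[str, list[str]]:
    """Return the verdict of both filters for every packet in TRAFFIC, in order."""
    stateful = StatefulFilter()
    return {
        "stateless": [stateless_decide(p) for p in TRAFFIC],
        "stateful": [stateful.decide(p) for p in TRAFFIC],
    }


if __name__ == "__main__":
    for name, verdicts in run_demo().items():
        print(f"{name:9s} {verdicts}")
```

The stateless rule lets all four packets through because the last two look like web-server replies; the stateful filter drops them because no internal client ever opened those connections, which is exactly the boundary check the text describes.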
"Personal firewalls"
For professional applications, the firewalls normally used are separate devices. The
alternative to these devices are "personal firewalls" in the form of software running on the
target computers themselves.
Personal firewalls cannot, however, provide the same security as dedicated devices. Errors
in the operating system or badly programmed or configured personal firewalls allow an
attacker to avoid the "gatekeeper" filter function and to attack the target computer or target
network despite the firewall.
2.4.3 NAT/NAPT

"Network Address Translation" (NAT)
"Network Address Translation" ("NAT") is a function with which a router replaces the
addresses of the local nodes involved in data traffic with its own IP address whenever the
traffic crosses the network boundary. Incoming replies are mapped back to the actual
addressees using their IP addresses.
This mechanism is also convenient, since only one single IP address is needed toward the
outside for any number of local nodes.
In addition, it provides a certain degree of protection against attackers because only a single
address, that of the router, is visible to the outside. A "naive" attack will therefore always
target the router directly, instead of the local computers behind the router that have to be
protected.
"Network Address Port Translation" (NAPT)
Compared with NAT, NAPT goes one step further. With NAPT, in addition to the IP
addresses, the ports of the local nodes are also replaced. Incoming replies are then
assigned back to the corresponding IP addresses and ports of the local nodes.
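The following is an added example, not code from the Siemens manual, that models the translation table a router keeps for NAPT and shows why it goes further than address-only NAT as the manual describes it: two local nodes that use the same source port toward the same server are indistinguishable once only their addresses are rewritten, while NAPT allocates distinct outside ports and routes each reply back correctly. It also shows that a packet sent to the router's address without a matching table entry has nowhere to go. The router address, server address and port values are constructed for the illustration.

```python
from typing import Optional

ROUTER_PUBLIC_IP = "203.0.113.1"                 # constructed: the router's single outside address
SERVER_IP, SERVER_PORT = "198.51.100.20", 80     # constructed external web server


class Napt:
    """Network Address Port Translation: rewrites source IP *and* source port of
    outbound packets and maps replies back through the allocated outside port."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (local ip, local port, remote ip, remote port) -> outside port
        self.outbound_map: dict[tuple[str, int, str, int], int] = {}
        # (outside port, remote ip, remote port) -> (local ip, local port)
        self.inbound_map: dict[tuple[int, str, int], tuple[str, int]] = {}

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int):
        """Translate an outgoing packet; allocate a new outside port for a new flow."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound_map:
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.outbound_map[key], dst_ip, dst_port)

    def inbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Optional[tuple[str, int]]:
        """Map a reply back to the local node, or None if no flow matches."""
        if dst_ip != self.public_ip:
            return None
        return self.inbound_map.get((dst_port, src_ip, src_port))


def nat_address_only(src_ip: str, src_port: int, dst_ip: str, dst_port: int):
    """NAT as described in the text: only the source address is replaced by the router's."""
    return (ROUTER_PUBLIC_IP, src_port, dst_ip, dst_port)


def demo() -> dict:
    napt = Napt(ROUTER_PUBLIC_IP)
    # Two local nodes happen to use the same source port toward the same server.
    a_out = napt.outbound("192.168.0.10", 1024, SERVER_IP, SERVER_PORT)
    b_out = napt.outbound("192.168.0.11", 1024, SERVER_IP, SERVER_PORT)
    # With address-only NAT both flows look identical from the outside,
    # so the server's replies could not be told apart.
    nat_collision = (nat_address_only("192.168.0.10", 1024, SERVER_IP, SERVER_PORT)
                     == nat_address_only("192.168.0.11", 1024, SERVER_IP, SERVER_PORT))
    # NAPT allocated distinct outside ports, so each reply finds its node.
    reply_a = napt.inbound(SERVER_IP, SERVER_PORT, ROUTER_PUBLIC_IP, a_out[1])
    reply_b = napt.inbound(SERVER_IP, SERVER_PORT, ROUTER_PUBLIC_IP, b_out[1])
    # An unsolicited packet aimed at the only visible address has no table entry.
    stray = napt.inbound("198.51.100.99", 4444, ROUTER_PUBLIC_IP, 1024)
    return {"a_out": a_out, "b_out": b_out, "nat_collision": nat_collision,
            "reply_a": reply_a, "reply_b": reply_b, "stray": stray}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:13s} {value}")
```

The table is keyed on the full flow, so a reply is forwarded only if it comes from the remote address and port the local node actually contacted; this is the same kind of state that stateful inspection relies on, which is why the two functions are often implemented in the same device.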
Industrial Ethernet System Manual, 09/2019, C79000-G8976-C242-10. Network structures and network configuration, 2.4 Network security, page 101
