Reply To: When to NAT

WhiskyjimJim Manley
Karma: 262
Rank: Jedi

Jonathan –

NATing is usually done when you have to hide the NAT’d network for addressing or security reasons. NATing will also (usually) keep broadcast traffic from traversing the NAT device.

Prior to “retiring” and jumping into my dream job at the distillery, I was the chief IT architect for a major aerospace contractor. One of the last projects I worked on was interconnecting a bunch of stand-alone PLC networks and our business enterprise network. Both sides of the “house” had multiple concerns about doing this.

From the IT side, the IT security guys were horrified by what they saw in the PLC networks (devices that hadn’t been patched in years, stuff running on OSs like Windows CE and Windows 98,  etc.) and had no desire to connect those networks to the business network without having some sort of control point (e.g., firewall) in between the networks and a plan for getting rid of the old, offensive systems/software.

The PLC guys, on the other hand, were terrified that connecting to the business network would wreak havoc on the PLC systems by pushing out updates, flooding the networks with unneeded traffic, etc. They also expressed the same concern about people being able to access the PLC network devices.

The PLC network device access is a valid concern. A lot of the devices on a PLC network are implementing web-based front ends that need to be secured. I’ve found that the PLC drivers aren’t used to having to manage the security of their network because they’ve always been stand-alone networks. Reminds me of the ’90s when I first started integrating separate networks together.

This collision between Operational Technology (OT) networks (PLC networks) and Information Technology (IT) networks (business networks) has become a hot topic with the PLC and network vendors.  AB, in conjunction with Cisco, has been pushing this topic a lot lately.  Here’s a link to their converged network document.

You can address this concern with Access Control Lists on the devices doing the NATing, if they’re capable of implementing ACLs. My approach at the distillery involves using a port on one of my firewalls. This approach allows me to maintain segregation between my PLC networks and the business network. I can also use the firewall to implement rules that allow the devices on the PLC network to communicate with the appropriate business systems and vice-versa.
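As an added illustration of the ACL-on-the-NAT-device approach described above (this is not the poster's configuration), here is a Cisco IOS fragment that hides a PLC subnet behind a business-side address and allows exactly one flow each way. All addresses, interface names, the historian host and the EtherNet/IP port 44818 are assumptions made for the example.

```cisco
! OT/IT boundary router: the PLC subnet is hidden behind a business-side address,
! and only the historian's polling session is allowed across. Addresses, ports and
! names are assumptions for this example, not the original poster's configuration.
!
! Inbound ACLs are evaluated before NAT in IOS, so the business-facing ACL matches
! the translated (global) PLC address and the PLC-facing ACL matches the real one.
ip access-list extended IT-TO-OT
 remark Only the historian may open EtherNet/IP sessions to the PLC gateway
 permit tcp host 10.1.50.10 host 10.1.1.20 eq 44818
 deny   ip any any log
!
ip access-list extended OT-TO-IT
 remark The PLC side may only answer sessions the historian already opened
 permit tcp host 192.168.10.20 eq 44818 host 10.1.50.10 established
 deny   ip any any log
!
interface GigabitEthernet0/0
 description OT (PLC) network
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip access-group OT-TO-IT in
!
interface GigabitEthernet0/1
 description IT (business) network
 ip address 10.1.1.2 255.255.255.0
 ip nat outside
 ip access-group IT-TO-OT in
!
! Static 1:1 translation: from the business side the PLC gateway exists only as 10.1.1.20;
! the rest of 192.168.10.0/24 is never reachable or visible from IT.
ip nat inside source static 192.168.10.20 10.1.1.20
```

The `deny ip any any log` entries make every rejected attempt visible in the router's log, which is where unexpected business-to-PLC access would show up first.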