A computer network generally includes a number of interconnected network devices. Large networks, such as the Internet, typically include a number of interconnected computer networks, which in this context are often referred to as sub-networks or subnets. These subnets are each assigned a range of network addresses that can be allocated to the individual network devices that reside in the respective subnet. A server in each subnet may be responsible for allocating these network addresses in accordance with a network address allocation protocol, such as a dynamic host configuration protocol (DHCP). The network addresses usually identify a general location of the network device to which the network address has been allocated.
Private networks, such as those owned and operated by an enterprise or business, are often operated in a manner similar to that described above with respect to large public networks. A private network generally includes a network server responsible for allocating a network address to each of the network devices that operate in the private network. The network server generally assigns these network addresses from a pool of network addresses leased from a service provider that provides the private network with access to the Internet and other public networks. The allocation of these network addresses to individual network devices operating within the private network, and the subsequent interaction of these network devices with the public network, may expose the topology and other information of the private network to the public network. This exposure may represent a security risk, as this information may be used by so-called “hackers” to initiate network attacks that target vulnerabilities of the private network learned from this information.
To prevent the topology and other information from being exposed by the private network, the private network often deploys a firewall that implements network address translation (NAT). This firewall may be deployed between the private network and the interface to the public network. The firewall performs NAT on network traffic originating from the network devices of the private network and destined for the public network, replacing the network addresses assigned to the network devices of the private network. These so-called source network addresses of the network traffic are usually replaced with a single, publicly known network address assigned to the firewall. Because every device then appears to use the same source address, the firewall allocates a different port number for each network device so as to differentiate return traffic received from the Internet: it replaces the source port specified in the outbound network traffic with the port it allocated for the originating network device, and uses the destination port of return traffic to look up that device and restore its original address and port. In this manner, the firewall obscures the network addresses assigned to the various network devices of the private network and prevents the private network from exposing its topology and other information to the public network, since, from the perspective of the public network, the firewall appears to originate all of the network traffic from the private network.
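As an added illustration (not part of the original text), the following Python sketch models the port-based translation described above: outbound packets have their private source address and port replaced by the firewall's public address and an allocated port, and return traffic is mapped back through the same table. The firewall's public address, the private addresses and the port range are constructed sample values.

```python
"""Added example: minimal port-based NAT (NAPT) table for a firewall.
All IP addresses and ports below are constructed sample values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatFirewall:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip          # single address seen by the public network
        self.next_port = first_port         # next port to allocate for a new device flow
        self.outbound = {}                  # (private ip, private port) -> public port
        self.inbound = {}                   # public port -> (private ip, private port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the private source address/port to the firewall's public address
        and a per-flow port, allocating a new port the first time a flow is seen."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet):
        """Use the destination port of return traffic to find the originating device
        and restore its private address/port; unsolicited traffic yields None (drop)."""
        key = self.inbound.get(pkt.dst_port)
        if key is None or pkt.dst_ip != self.public_ip:
            return None
        return Packet(pkt.src_ip, pkt.src_port, key[0], key[1])


def demo():
    """Two private hosts using the same source port are told apart only by the
    port the firewall allocated; a reply to an unallocated port is dropped."""
    fw = NatFirewall("203.0.113.7")
    a = fw.translate_outbound(Packet("192.168.1.10", 51000, "198.51.100.5", 443))
    b = fw.translate_outbound(Packet("192.168.1.11", 51000, "198.51.100.5", 443))
    reply = fw.translate_inbound(Packet("198.51.100.5", 443, "203.0.113.7", a.src_port))
    stray = fw.translate_inbound(Packet("198.51.100.5", 443, "203.0.113.7", 49999))
    return a, b, reply, stray
```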