
Chapter 7

Firewalls and Network Address Translation (NAT)

Highlights

Firewalls:
- Protect against attacks
- Two types:
  - Proxy firewalls
  - Packet-filtering firewalls

NAT:
- Addresses the diminishing pool of IP addresses

The popularity of both has surged, for different reasons.

Packet Filters

Popular filters involve:
- undesired IP addresses or options
- types of ICMP messages
- various UDP or TCP services, based on the port numbers contained in each packet

Typical Packet-Filtering Configuration

A typical packet-filtering firewall configuration. The firewall acts as an IP router between an inside and an outside network, and sometimes a third DMZ or extranet network, allowing only certain traffic to pass through it. A common configuration allows all traffic to pass from inside to outside but only a small subset of traffic to pass in the reverse direction. When a DMZ is used, only certain services are permitted to be accessed from the Internet.

Proxy Firewall: Protocol Operation

The proxy firewall acts as a multihomed Internet host, terminating TCP connections and UDP associations at the application layer. It does not act as a conventional IP router but rather as an ALG (Application Layer Gateway). Individual applications or proxies for each service supported must be enabled for communication to take place through the proxy firewall.

Proxy Firewall
- Quite secure
- Brittle and inflexible
  - New applications must have a corresponding proxy
  - Applications must have a mechanism to discover the proxy

Types of Proxy Firewall
- HTTP proxy firewalls
- SOCKS firewalls: more generic
  - Version 4: basic support
  - Version 5: adds authentication, UDP traversal, and IPv6 addressing

Drawbacks of NAT
- Privately addressed systems are not reachable from outside
- Runs counter to a fundamental tenet of the Internet protocols: the smart edge and dumb middle
- Modifying the IP addresses or the transport header requires recomputing the transport-layer checksum, because the TCP and UDP checksums cover a pseudo-header that contains the IP addresses
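An added Python example (not from the slides or the book) of the checksum drawback: when a NAPT rewrites a UDP packet's source address and port it must fix the UDP checksum, which covers a pseudo-header holding the IP addresses. The block computes the full checksum and applies the incremental update of RFC 1624, which lets the NAT patch the checksum for only the bytes it changed; the inside host 192.168.1.2:23479 and the rewrite to port 3000 follow the NAPT figure, while the public address, server address and payload are constructed sample values.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip, dst_ip, udp_len):
    """IP pseudo-header covered by the UDP checksum: addresses, protocol, length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_UDP, udp_len))

def udp_checksum(src_ip, dst_ip, udp):
    """Full checksum over pseudo-header + UDP header (checksum field zeroed) + payload."""
    return (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(udp)) + udp)) & 0xFFFF

def udp_checksum_ok(src_ip, dst_ip, udp):
    """Receiver-side check: summing everything including the checksum gives all ones."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(udp)) + udp) == 0xFFFF

def incremental_update(old_csum, old_words, new_words):
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'): patch the checksum for the replaced
    16-bit words only, without re-reading the payload (what a NAT does per packet)."""
    total = ~old_csum & 0xFFFF
    total += ones_complement_sum(bytes(b ^ 0xFF for b in old_words))  # ~m
    total += ones_complement_sum(new_words)                             # m'
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def napt_rewrite(udp, src_ip, new_src_ip, new_sport):
    """NAPT outbound rewrite: new source port in the UDP header (the IP header gets the
    new source address, not shown) and the checksum patched for the 6 changed bytes."""
    old_sport, old_csum = struct.unpack("!H", udp[:2])[0], struct.unpack("!H", udp[6:8])[0]
    new_csum = incremental_update(old_csum,
                                  socket.inet_aton(src_ip) + struct.pack("!H", old_sport),
                                  socket.inet_aton(new_src_ip) + struct.pack("!H", new_sport))
    return struct.pack("!H", new_sport) + udp[2:6] + struct.pack("!H", new_csum) + udp[8:]
# Constructed sample: inside host 192.168.1.2:23479 (as in the NAPT figure) sends a DNS
# query; the NAT's public address, the server address and port 3000 are assumed values.
PRIVATE_IP, PUBLIC_IP, SERVER_IP = "192.168.1.2", "63.204.134.177", "198.51.100.7"
PAYLOAD = b"example query"
HDR = struct.pack("!HHHH", 23479, 53, 8 + len(PAYLOAD), 0)  # checksum field zero
ORIGINAL = HDR[:6] + struct.pack("!H", udp_checksum(PRIVATE_IP, SERVER_IP, HDR + PAYLOAD)) + PAYLOAD
REWRITTEN = napt_rewrite(ORIGINAL, PRIVATE_IP, PUBLIC_IP, 3000)
```

The rewritten segment verifies only against the public address: a receiver that checked it against the private one would see a checksum failure, which is exactly why a NAT cannot rewrite addresses without touching the transport checksum.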

An Example

A NAT isolates private addresses and the systems using them from the Internet. Packets with private addresses are not routed by the Internet directly but instead must be translated as they enter and leave the private network through the NAT router. Internet hosts see traffic as coming from a public IP address of the NAT.

NAT

Traditional NAT (just referred to as NAT in the text):
- Basic NAT: rewrites IP addresses only
- NAPT (Network Address Port Translation): rewrites IP addresses and port numbers

Basic NAT and NAPT

A basic IPv4 NAT (left) rewrites IP addresses from a pool of addresses and leaves port numbers unchanged. NAPT (right), also known as IP masquerading, usually rewrites addresses to a single address. NAPT must sometimes rewrite port numbers in order to avoid collisions. In this case, the second instance of port number 23479 was rewritten to use port number 3000 so that returning traffic for 192.168.1.2 could be distinguished from the traffic returning to 192.168.1.35.

Security via NAT
- Blocks almost all incoming new connection requests
- Inhibits probing attacks that attempt to ascertain which IP addresses have active hosts available to exploit
- NAT (especially NAPT) hides the number and configuration of internal addresses from the outside

NAT and TCP
- Observe the packet flow (SYN, FIN, RST, ACK, etc.)
- Use the TCP state diagram and run appropriate timers to estimate whether the connection state still needs to be maintained
- Need to account for:
  - Keepalive timers: 2 hours
  - Maximum idle time during setup/teardown: 4 minutes

NAT and UDP
- No special packets (SYN, FIN, RST, etc.) mark the start or end of an association
- Fragmentation into multiple IP packets: the port numbers are absent in fragments after the first one

NAT and ICMP
- Error messages usually contain a copy of the offending packet, whose IP header carries IP addresses that may need to be translated as well
- Informational messages are usually of the query/response type; the Query ID can be used like a port number

NAT and Tunneled Packets
- The headers of tunneled (encapsulated) packets need to be rewritten as well

NAT and Multicast
- Outside to inside: no modification to the destination IP address and port
- Inside to outside: modify the source IP address and port as usual

Address and Port Translation Behavior

Translation and filtering behaviors. X:x is an internal address and port; X1:x1 and X2:x2 are its external mappings when it sends to Y1:y1 and Y2:y2 respectively.

| Behavior name               | Translation behavior                   | Filtering behavior                                                                                                      |
|-----------------------------|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------|
| Endpoint-independent        | X1:x1 = X2:x2 for all Y2:y2 (required) | Allows any packets for X:x as long as any X1:x1 exists (recommended for greatest transparency)                          |
| Address-dependent           | X1:x1 = X2:x2 iff Y1 = Y2              | Allows packets for X:x from Y1:y1 as long as X has previously contacted Y1 (recommended for more stringent filtering)    |
| Address- and port-dependent | X1:x1 = X2:x2 iff Y1:y1 = Y2:y2        | Allows packets for X:x from Y1:y1 as long as X has previously contacted Y1:y1                                            |
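An added Python model (not from the slides or the book) covering both the NAPT port-collision example above and the translation/filtering table: a NAPT with one public address performs endpoint-independent translation (the required behavior) and applies one of the three filtering behaviors to packets arriving from outside. The public address, the server addresses and the collision pool starting at port 3000 are assumed sample values; the internal hosts and port 23479 follow the figure.

```python
from dataclasses import dataclass, field

ENDPOINT_INDEPENDENT = "endpoint-independent"
ADDRESS_DEPENDENT = "address-dependent"
ADDRESS_PORT_DEPENDENT = "address-and-port-dependent"

@dataclass
class Napt:
    """NAPT with a single public address, endpoint-independent translation (one
    external port per internal X:x, whoever it talks to) and a selectable filtering
    behavior for packets arriving from the outside. Addresses are (ip, port) tuples."""
    public_ip: str
    filtering: str = ENDPOINT_INDEPENDENT
    next_port: int = 3000                          # assumed pool for collisions (figure)
    mappings: dict = field(default_factory=dict)   # (X, x) -> x1 (external port)
    reverse: dict = field(default_factory=dict)    # x1     -> (X, x)
    contacted: dict = field(default_factory=dict)  # (X, x) -> {(Y, y), ...}

    def outbound(self, src, dst):
        """Translate an inside->outside packet; returns (new_src, dst)."""
        if src not in self.mappings:
            port = src[1]                          # keep the port unless already taken
            if port in self.reverse:               # collision: 2nd host on 23479 gets 3000
                while self.next_port in self.reverse:
                    self.next_port += 1
                port = self.next_port
            self.mappings[src] = port
            self.reverse[port] = src
        self.contacted.setdefault(src, set()).add(dst)
        return (self.public_ip, self.mappings[src]), dst

    def inbound(self, src, dst):
        """Outside->inside: return the internal (X, x) the packet is delivered to,
        or None if no mapping exists or the filtering behavior rejects it."""
        if dst[0] != self.public_ip or dst[1] not in self.reverse:
            return None                            # no X1:x1 exists: always dropped
        inside = self.reverse[dst[1]]
        peers = self.contacted[inside]
        if self.filtering == ENDPOINT_INDEPENDENT:
            allowed = True                         # any Y:y may send once X1:x1 exists
        elif self.filtering == ADDRESS_DEPENDENT:
            allowed = any(y[0] == src[0] for y in peers)   # X contacted Y1 on any port
        else:
            allowed = src in peers                 # X contacted exactly Y1:y1
        return inside if allowed else None
```

Hole punching (below) relies on the endpoint-independent case: the mapping created by talking to the rendezvous server is the one a peer then sends to.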

Hairpinning and NAT Loopback

X1 is connecting to the external address of X2. What is the source address of the packet sent to X2?

A NAT that implements hairpinning or NAT loopback allows a client to reach a server on the same side of the NAT using the server's external IP address and port number. That is, X1 can reach X2 using the external addressing information X2:x2.

NAT Editors
- What if the application-layer payload contains IP addresses and port numbers (e.g., FTP)?
- What if the application payload length changes? TCP numbers every byte, so sequence and acknowledgment numbers must be adjusted too
- NAT editors need to understand many protocols and their interactions, and must be able to change the corresponding bits in the packets

Service Provider NAT (SPNAT), Carrier-Grade NAT (CGN) or Large Scale NAT (LSN)
- Moves NATing to the ISPs
- Functionally similar to NAT

Hole Punching
- A method that allows multiple devices behind NATs to communicate
- Clients first connect to a server
- The server provides the external addresses to the clients so that they can connect directly

Does Hole Punching Work?
- NATs need to be endpoint-independent

UNSAF (Unilateral Self-Address Fixing)
- Client/server based: query a server to find the external address
- But the answer depends on who you ask: B gets different answers from S1 and S2
- Maintaining consistency between the NAT topology and the server data is difficult

Session Traversal Utilities for NAT (STUN)
- A standardized set of methods and a network protocol that allow an end host to discover its public IP address if it is located behind a NAT
- The server echoes back requests sent to it in a way that allows clients to find their external addresses
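An added Python example (not from the slides or the book) of the STUN exchange described above, following the RFC 5389 wire format: the server answers a Binding request with a Binding Success Response whose XOR-MAPPED-ADDRESS attribute carries the address and port the server saw, XORed with the magic cookie so that a NAT editor rewriting literal addresses in payloads does not corrupt it; the client decodes its reflexive address. The transaction ID, the mapped address and port are constructed sample values, and only IPv4 is handled.

```python
import socket
import struct

MAGIC_COOKIE = 0x2112A442        # fixed value in every RFC 5389 STUN header
BINDING_SUCCESS = 0x0101         # message type of a Binding Success Response
XOR_MAPPED_ADDRESS = 0x0020      # attribute type
FAMILY_IPV4 = 0x01

def build_binding_success(txid: bytes, seen_ip: str, seen_port: int) -> bytes:
    """Server side: echo the source address/port the request arrived from, XORed
    with the magic cookie, so the literal bytes never appear in the payload."""
    xport = seen_port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(seen_ip))[0] ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, FAMILY_IPV4, xport, xaddr)
    # 20-byte header: type, message length (attributes only), cookie, 96-bit txid
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr

def parse_reflexive_address(msg: bytes, txid: bytes):
    """Client side: return (ip, port) the server saw, or None if the message is not
    a well-formed success response to our transaction."""
    if len(msg) < 20:
        return None
    mtype, length, cookie = struct.unpack("!HHI", msg[:8])
    if mtype != BINDING_SUCCESS or cookie != MAGIC_COOKIE or msg[8:20] != txid:
        return None
    if len(msg) != 20 + length:                  # truncated or trailing garbage
        return None
    pos = 20
    while pos + 4 <= len(msg):                   # walk the TLV attribute list
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        value = msg[pos + 4:pos + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS and alen == 8 and value[1] == FAMILY_IPV4:
            xport, xaddr = struct.unpack("!HI", value[2:8])
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, xport ^ (MAGIC_COOKIE >> 16)
        pos += 4 + (alen + 3) // 4 * 4           # values are padded to 4-byte boundaries
    return None

# Constructed sample: the NAT mapped the client to 63.204.134.177:3000 (assumed values).
SAMPLE_TXID = bytes(range(12))
SAMPLE_RESPONSE = build_binding_success(SAMPLE_TXID, "63.204.134.177", 3000)
```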

TURN (Traversal Using Relays around NAT)
- Used as a last resort if two systems are unable to communicate directly
- The plumbing is done by the TURN server
- The TURN server provides an address that is used by the clients to communicate


ICE (Interactive Connectivity Establishment)

Issues with NAT:
- VoIP traffic, where a client needs to register a unique address with a SIP proxy
- Firewalls that might block VoIP traffic completely

ICE:
- Uses TURN to obtain candidate transport addresses that each agent may use
- Orders the list of pairs of addresses and sends it to the peer agent
- The peer agent performs a similar task
- A set of checks is performed to determine the best pair to use (all pairs may be checked)

Configuring Packet-Filtering Firewalls

A Linux iptables example (the OUTPUT rule must use -o, since -i only applies to incoming chains, and a DHCP client with no address yet sends from 0.0.0.0:68 to 255.255.255.255:67):

EXTIF="ext0"
INTIF="eth0"
LOOPBACK_INTERFACE="lo"
ALL="0.0.0.0/0"   # matches all
# set default filter table policies to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# all local traffic OK
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
# accept incoming DHCP requests on internal interface
# (client source 0.0.0.0 port 68, broadcast destination port 67)
iptables -A INPUT -i $INTIF -p udp -s 0.0.0.0 \
    --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
# drop unusual/suspect TCP traffic with no flags set
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

NAT Rules

Internet Connection Sharing (ICS): Windows
- 192.168.0.1 is assigned to the machine
- DHCP and DNS servers are started
- Addresses from 192.168.0.0/24 are assigned to other devices

IP Masquerading: Linux

NAT Rules: A Linux Example

# requires IP forwarding (net.ipv4.ip_forward=1) to be enabled on the router
EXTIF="ext0"
echo "Default FORWARD policy: DROP"
iptables -P FORWARD DROP
echo "Enabling NAT on $EXTIF for hosts 192.168.0.0/24"
# masquerade: rewrite the source address of outbound packets to $EXTIF's address
iptables -t nat -A POSTROUTING -o $EXTIF -s 192.168.0.0/24 \
    -j MASQUERADE
echo "FORWARD policy: DROP unknown traffic"
# drop new or invalid connections arriving on the external interface;
# only traffic belonging to established flows is forwarded
iptables -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP

DS-Lite (Dual-Stack Lite)

IPv4/IPv6 co-existence and transition
