Firewalls:
  To protect against attacks
  Two types: proxy firewalls and packet-filtering firewalls
NAT:
  To address the diminishing pool of IP addresses
Packet filters
  Popular filters involve undesired IP addresses or options, types of ICMP messages, and various UDP or TCP services, based on the port numbers contained in each packet
Protocol Operation
The proxy firewall acts as a multihomed Internet host, terminating TCP connections
and UDP associations at the application layer. It does not act as a conventional IP
router but rather as an ALG (Application Layer Gateway). Individual applications or
proxies for each service supported must be enabled for communication to take place
through the proxy firewall.
Proxy Firewall
  Quite secure
  Brittle and inflexible:
    New applications must have a corresponding proxy
    Applications must have a mechanism to discover the proxy
Drawbacks of NAT
  Privately addressed systems are not reachable from outside
  Runs counter to a fundamental tenet of the Internet protocols: the smart edge and dumb middle
  Modifying the transport header requires recomputing the transport-layer checksum
An Example
A NAT isolates private addresses and the systems using them from the Internet.
Packets with private addresses are not routed by the Internet directly but instead
must be translated as they enter and leave the private network through the NAT
router. Internet hosts see traffic as coming from a public IP address of the NAT.
NAT
  Traditional NAT (just referred to as NAT in the text):
    Basic NAT: rewrites the IP address only
    NAPT: Network Address Port Translation
A basic IPv4 NAT (left) rewrites IP addresses from a pool of addresses and leaves port
numbers unchanged. NAPT (right), also known as IP masquerading, usually rewrites the
address to a single address. NAPT must sometimes rewrite port numbers in order to
avoid collisions. In this case, the second instance of port number 23479 was rewritten
to use port number 3000 so that returning traffic for 192.168.1.2 could be
distinguished from the traffic returning to 192.168.1.35.
ICMP informational messages
  Usually of query/response type
  The Query ID can be used like a port number
Inside to Outside
  Modify the source IP and port as usual
Translation Behavior
Filtering Behavior
  Endpoint-independent
  Address-dependent
  X1 is connecting to the external address of X2
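The NAPT port-collision case from the 192.168.1.2 / 192.168.1.35 example above, together with the two filtering behaviors, as an added toy model (not code from the text or any real NAT implementation). The external address 203.0.113.5, the peer addresses, and the allocation of rewritten ports starting at 3000 are constructed assumptions.

```python
from dataclasses import dataclass, field

EXTERNAL_IP = "203.0.113.5"   # constructed public address of the NAT (documentation range)


@dataclass
class Napt:
    """Toy NAPT (IP masquerading) table: every inside host shares one external IP."""
    external_ip: str = EXTERNAL_IP
    filtering: str = "address-dependent"   # or "endpoint-independent"
    next_free_port: int = 3000             # assumed allocator start, matching the text's example
    out_map: dict = field(default_factory=dict)   # (inside_ip, inside_port) -> external port
    in_map: dict = field(default_factory=dict)    # external port -> (inside_ip, inside_port)
    peers: dict = field(default_factory=dict)     # external port -> set of destination IPs seen

    def inside_to_outside(self, src_ip, src_port, dst_ip):
        """Rewrite the source of an outbound packet; return the new (src_ip, src_port)."""
        key = (src_ip, src_port)
        if key not in self.out_map:
            ext_port = src_port
            if ext_port in self.in_map:          # another inside host already owns this port
                ext_port = self.next_free_port   # rewrite it so replies stay distinguishable
                self.next_free_port += 1
            self.out_map[key] = ext_port
            self.in_map[ext_port] = key
            self.peers[ext_port] = set()
        ext_port = self.out_map[key]
        self.peers[ext_port].add(dst_ip)         # remember who this mapping has talked to
        return self.external_ip, ext_port

    def outside_to_inside(self, src_ip, dst_port):
        """Reverse-translate an inbound packet; return (inside_ip, inside_port) or None if dropped."""
        if dst_port not in self.in_map:
            return None                          # no mapping at all: drop
        if self.filtering == "address-dependent" and src_ip not in self.peers[dst_port]:
            return None                          # unsolicited peer address: drop
        return self.in_map[dst_port]             # endpoint-independent: any peer may use the mapping
```

An endpoint-independent NAT is what hole punching relies on: once the inside host has sent one packet out, a different peer can reach the same mapping.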
NAT Editors
  What if the application-layer payload contains IP addresses and port numbers?
  Example: FTP
Hole Punching
  A method that allows multiple devices behind NAT to communicate
  Clients first connect to a server
  The server provides the external addresses to the clients so that they can connect directly
UNSAF: Unilateral Self-Address Fixing
  Client/server based
  Query a server to find the external address
NAT Rules
  Internet Connection Sharing (ICS): Windows
    192.168.0.1 is assigned to the machine
    DHCP and DNS servers are started
    Addresses from 192.168.0.0/24 are assigned to other devices
  IP Masquerading: Linux