
Firewall Fundamentals

ISSM 535Q

Week 3A
Network Address Translation (NAT) and
Port Redirection

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company


www.jblearning.com
All rights reserved.
Learning Objectives
▪ Understand how a firewall can act as an intermediary.
▪ Explain the fundamental concepts of Network Address Translation.
▪ Understand the various applications of Network Address Translation.

Network Security, Firewalls, and VPNs www.jblearning.com Page 2

Key Concepts
▪ Bidirectional Network Address Translation
▪ Dynamic Network Address Translation
▪ Port Address Translation
▪ Identity Network Address Translation
▪ Port Redirection

Firewalls Act as an Intermediary
▪ A firewall ensures that external hosts on the Internet can never communicate directly with the protected host.

▪ This can be achieved through the following technologies:

❖ Network Address Translation

❖ Port Redirection

❖ Proxy

Network Address Translation
▪ NAT is a translation service added on top of the core filtering functions of a firewall.

▪ It hides the true identity of computers on the internal network.

▪ It translates internal addresses (private IP addresses) into external addresses (Internet).

▪ It was mainly designed to address some security concerns, and also offers some additional benefits.
Benefits of Network Address Translation
▪ Security – It helps to keep internal IP addresses hidden, to discourage any direct attacks.
▪ IP routing solutions – Overlapping IP addresses are not a problem when you use NAT.
▪ A network administrator can assign a set of IP addresses to a network that another company might also have used.
▪ Flexibility – You can change internal IP addressing schemes without affecting the public addresses available externally.
Benefits of Network Address Translation
▪ Cost savings – NAT is necessary when the number of registered IP addresses allocated to you by your Internet Service Provider is less than the total number of network devices that need Internet access.
▪ Since the public IP addresses available on the Internet were getting exhausted, NAT helps you not to run out of IP addresses.

Network Address Translation
▪ A NAT device must have at least two network interfaces: one serves as the internal gateway and the other connects to the Internet.

▪ We use NAT for Internet connectivity in this classroom.

▪ All our workstations have RFC 1918 private addresses (e.g. 10.0.0.0/8), yet we have Internet connectivity.

▪ Types of Network Address Translation


Types of NAT
Source Network Address Translation (SNAT)

▪ This is usually referred to as internal address translation.

▪ If the internal address is being translated, regardless of the direction of the access, it is called Source NAT.

▪ The word Source here means "MY" address is being translated: the originator of the traffic communication.

Types of NAT
Destination Network Address Translation (DNAT)

▪ This is sometimes referred to as Outside NAT.

▪ A destination NAT happens when the external/remote/foreign address is translated.

▪ The word Destination here means "THEM".

▪ When both Source NAT and Destination NAT are implemented in the same NAT rule, it is known as Twice NAT/Double NAT.
NAT Interface
▪ NAT can be configured to apply to any interface, or possibly to all private network interfaces.

▪ But a NAT device must have at least two network interfaces: one serves as the internal gateway and the other connects to the Internet.

▪ You can identify a specific private address or interface in your NAT configuration.

How NAT Works

▪ Host A contacts a machine on the Internet, Host B.
▪ The firewall translates the request from having a source address of 10.1.1.100 to having a source address of 209.165.201.10 and transmits the data across the Internet.
▪ The firewall records the changes it makes in its translation table so that it can reverse the changes on return packets.
NAT Implementations
NAT can be implemented in four different ways, based on the requirement.
▪ Static NAT

▪ Dynamic NAT

▪ Port Address Translation (PAT)

▪ Identity NAT

Static NAT Implementation
▪ It is sometimes referred to as Bidirectional NAT.

▪ It establishes a one-to-one mapping between an internal IP address and a routable IP address.

▪ It requires the same number of IP addresses as need to be translated.

▪ Static NAT is not an effective method of reducing the number of IP addresses required for access to a network or the Internet.

Static NAT Implementation
▪ It is known as a Bidirectional NAT because it
provides for the use of NAT regardless of the
direction of the traffic flow.

Dynamic NAT Implementation
▪ Dynamic NAT translates a group of private
addresses to a pool of public addresses that are
routable on the internet.
▪ A pool of registered IP Addresses is used for
translation.
▪ The pool of routable addresses can be smaller than
the total number of IP addresses that need to be
translated.
▪ This enables you to reduce the number of routable
IP Addresses in use.

Dynamic NAT Implementation
▪ When an internal host is communicating with the Internet, the NAT device translates the internal IP address to any available routable address from the pool.
▪ The translation is created only when the private
host initiates the connection.
▪ The translation is in place only for the duration of
the connection, and a given user does not keep the
same IP address after the translation times out.

Dynamic NAT Implementation
▪ Users on the destination network, therefore, cannot
initiate a reliable connection to a host that uses
dynamic NAT, even if the connection is allowed by
an access rule.
▪ Because the address is unpredictable, a connection
to the host is unlikely.
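As an added illustration of slides 12 and 14 to 18 (not code from the deck or the textbook), the following Python models a NAT translation table with static one-to-one entries and a dynamic address pool: outbound packets are rewritten and recorded, return packets are reversed from the table, a static host is reachable from outside at any time while a dynamic one is reachable only while it holds a pool address, and an exhausted pool drops new connections. The addresses 10.1.1.100 and 209.165.201.10 come from slide 12; 10.1.1.5, 209.165.201.5, 209.165.201.11 and the remote host 198.51.100.7 are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Nat:
    """Outbound NAT with static one-to-one entries plus a dynamic address pool."""
    static: dict                               # inside address -> fixed public address
    pool: list                                 # free routable addresses for dynamic NAT
    table: dict = field(default_factory=dict)  # active translations: inside -> public

    def outbound(self, src, dst):
        """Translate the source of a packet leaving the inside network.
        Returns (src, dst) as seen on the Internet, or None when the packet
        must be dropped because the dynamic pool is exhausted."""
        if src in self.static:
            public = self.static[src]          # static NAT: always the same mapping
        elif src in self.table:
            public = self.table[src]           # existing dynamic translation is reused
        elif self.pool:
            public = self.pool.pop(0)          # dynamic NAT: any free pool address
        else:
            return None
        self.table[src] = public               # recorded so return packets can be reversed
        return public, dst

    def inbound(self, src, dst):
        """Reverse the translation for a packet arriving from the Internet.
        Static entries are reachable at any time (bidirectional NAT); a dynamic
        address only while an inside host currently holds it."""
        for inside, public in {**self.table, **self.static}.items():
            if public == dst:
                return src, inside
        return None                            # no translation: the packet is dropped

    def expire(self, src):
        """The connection timed out: a dynamic address goes back to the pool."""
        public = self.table.pop(src, None)
        if public is not None and src not in self.static:
            self.pool.append(public)


def demo():
    """Slide 12's exchange: 10.1.1.100 appears on the Internet as 209.165.201.10.
    The remote host 198.51.100.7 is a constructed example address."""
    nat = Nat(static={"10.1.1.5": "209.165.201.5"},
              pool=["209.165.201.10", "209.165.201.11"])
    out = nat.outbound("10.1.1.100", "198.51.100.7")     # ("209.165.201.10", "198.51.100.7")
    back = nat.inbound("198.51.100.7", "209.165.201.10")  # ("198.51.100.7", "10.1.1.100")
    return out, back
```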

Port Address Translation (PAT)
▪ This allows multiple internal addresses to be
translated to a single registered IP address.
▪ This is achievable with the use of Port Numbers.
▪ The firewall builds a NAT table, but instead of assigning an IP address to the outbound communications, it assigns a port number.
▪ The source internal port is usually kept together with the registered IP address.
▪ But if the source internal port is not available, a unique translated port is allocated to the internal host automatically from the available ports.
Port Address Translation (PAT)
▪ Each connection requires a separate translation
session because the source port differs for each
connection.
▪ After the connection expires, the port translation
also expires after 30 seconds of inactivity.
▪ The goal of PAT is to conserve IP Addresses.
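As an added example (not from the deck or the textbook) of the PAT behaviour in slides 19 and 20, this Python keeps a port-keyed translation table for one public address: the inside source port is preserved when it is free, a unique port is allocated on collision, return packets are mapped back by port, and entries idle for more than 30 seconds are removed. The public address 209.165.201.10 is taken from slide 12; the inside hosts, ports, timestamps and the 1024 to 65535 allocation range are constructed assumptions.

```python
class Pat:
    """Port Address Translation: every inside host shares one public address and
    each connection is told apart by the port the NAT assigns to it."""
    IDLE_TIMEOUT = 30   # seconds of inactivity after which a translation expires

    def __init__(self, public_ip, ports=range(1024, 65536)):
        self.public_ip = public_ip
        self.ports = ports   # assumed allocation range; real devices differ
        self.table = {}      # public port -> (inside addr, inside port, last seen)

    def outbound(self, src, sport, now):
        """Translate (src, sport) leaving the inside network; returns (public ip, port).
        The inside port is kept when it is free, otherwise a unique port is picked."""
        for pport, (addr, port, _) in self.table.items():
            if (addr, port) == (src, sport):
                self.table[pport] = (addr, port, now)   # same connection: refresh timer
                return self.public_ip, pport
        if sport in self.table:
            pport = next(p for p in self.ports if p not in self.table)  # collision
        else:
            pport = sport
        self.table[pport] = (src, sport, now)
        return self.public_ip, pport

    def inbound(self, dport, now):
        """Return packet for public port dport: look up which inside host owns it."""
        if dport not in self.table:
            return None              # no session: unsolicited traffic is dropped
        src, sport, _ = self.table[dport]
        self.table[dport] = (src, sport, now)
        return src, sport

    def expire(self, now):
        """Drop translations idle longer than IDLE_TIMEOUT; returns the freed ports."""
        stale = [p for p, (_, _, seen) in self.table.items()
                 if now - seen > self.IDLE_TIMEOUT]
        for p in stale:
            del self.table[p]
        return stale
```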

Identity Network Address Translation
▪ Identity NAT happens when the internal (private) IP address is statically translated to itself.
▪ It is essentially used to bypass a configured NAT; that is, to exempt a smaller subnet of addresses from a configured NAT rule.
▪ Identity NAT is necessary for remote access VPN, where you need to exempt the client traffic from NAT.

Twice NAT
▪ Twice NAT helps you identify both the source and
the destination address in a single NAT rule.
▪ A translation rule created for traffic from Source A to Host B can have a different translation when the same Source A is communicating with Host C.
▪ The destination address, however, is optional.
▪ If you specify the destination address, you can either map it to itself (identity NAT) or map it to a different address.
▪ The destination mapping is always a static
mapping.
Twice NAT with Different Destination Address

▪ When the host accesses the server at 209.165.201.11, the private address is translated to 209.165.202.129.
▪ When the host accesses the server at 209.165.200.225, the private address is translated to 209.165.202.130.
Twice NAT with Different Destination Ports

▪ The host on the 10.1.2.0/24 network accesses a single host for both web services and Telnet services.
Twice NAT with Different Destination
Ports
▪ When the host accesses the server for web
services, the real address is translated to
209.165.202.129.
▪ When the host accesses the same server for
Telnet services, the real address is translated to
209.165.202.130.

Port Redirection
▪ It is also called Destination NAT.
▪ This allows servers located on the internal network (commonly placed in the DMZ) to be accessible from the Internet.
▪ Redirection also helps to avoid direct access to the internal servers from the Internet.
▪ Port redirection happens when a customised port is redirected to a known port.
▪ This redirection is often implemented on the
perimeter device.
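As an added example (not the deck's or the textbook's code) covering slides 21 through 26, this Python expresses twice NAT as ordered rules that match on source network, optional destination address and optional destination port and rewrite the source, the destination, or both: leaving a field unmapped is identity NAT, the destination mapping is fixed (static), and a rule that rewrites only the destination address and port is port redirection. The source network 10.1.2.0/24 and the mapped addresses are from slides 23 to 25; the server address 209.165.201.12, the use of 209.165.201.10 as the firewall's public address, the DMZ server 192.168.50.10 and port 8080 are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One twice-NAT rule: match on source network, optional destination host and
    optional destination port; rewrite source and/or destination."""
    src_net: str
    dst: Optional[str] = None           # destination address is optional
    dport: Optional[int] = None         # None matches any destination port
    mapped_src: Optional[str] = None    # None = identity NAT (real source kept)
    mapped_dst: Optional[str] = None    # None = destination mapped to itself
    mapped_dport: Optional[int] = None  # None = destination port unchanged

    def matches(self, src, dst, dport):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src_net)
                and (self.dst is None or self.dst == dst)
                and (self.dport is None or self.dport == dport))


def translate(rules, src, dst, dport):
    """Apply the first matching rule (rule order matters, as on a real firewall).
    Returns the packet's new (src, dst, dport); unmatched packets pass untouched."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return (rule.mapped_src or src,
                    rule.mapped_dst or dst,
                    rule.mapped_dport or dport)
    return src, dst, dport


# Rules reproducing the deck's scenarios; 209.165.201.12, 209.165.201.10 as the
# firewall's public address, 192.168.50.10 and port 8080 are constructed values.
RULES = [
    # slide 23: same inside host, different public source per destination server
    Rule("10.1.2.0/24", dst="209.165.201.11", mapped_src="209.165.202.129"),
    Rule("10.1.2.0/24", dst="209.165.200.225", mapped_src="209.165.202.130"),
    # slide 25: same server, different public source for web (80) and Telnet (23)
    Rule("10.1.2.0/24", dst="209.165.201.12", dport=80, mapped_src="209.165.202.129"),
    Rule("10.1.2.0/24", dst="209.165.201.12", dport=23, mapped_src="209.165.202.130"),
    # slide 26: port redirection, a custom public port lands on the DMZ web server's known port
    Rule("0.0.0.0/0", dst="209.165.201.10", dport=8080,
         mapped_dst="192.168.50.10", mapped_dport=80),
]
```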
Summary
▪ NAT was created to address the concerns of IP
Addresses limitation by providing a mechanism
by which any number of IP Addresses can be
translated to a different range of IP Addresses.
