21.4 Network Address Translation (NAT) 21.4.1 NAT concept



Similar documents
Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Protocol Security Where?

z/os Firewall Technology Overview

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Network Address Translation (NAT)

OS/390 Firewall Technology Overview

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

Chapter 12 Supporting Network Address Translation (NAT)

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Chapter 9. IP Secure

Variable length subnetting

Proxy Server, Network Address Translator, Firewall. Proxy Server

Configuring Check Point VPN-1/FireWall-1 and SecuRemote Client with Avaya IP Softphone via NAT - Issue 1.0

Introduction to Security and PIX Firewall

Network Address Translation (NAT) Good Practice Guideline

Компјутерски Мрежи NAT & ICMP

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Using IPsec VPN to provide communication between offices

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Chapter 32 Internet Security

NAT & IP Masquerade. Internet NETWORK ADDRESS TRANSLATION INTRODUCTION. NAT & IP Masquerade Page 1 of 5. Internal PC

I. What is VPN? II. Types of VPN connection. There are two types of VPN connection:

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

IP Security. Ola Flygt Växjö University, Sweden

Security Technology: Firewalls and VPNs

IP Security. IPSec, PPTP, OpenVPN. Pawel Cieplinski, AkademiaWIFI.pl. MUM Wroclaw

Ethernet. Ethernet. Network Devices

VPN. VPN For BIPAC 741/743GE

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Creating a VPN with overlapping subnets

Fortinet Network Security NSE4 test questions and answers:

Implementing and Managing Security for Network Communications

Networking Basics and Network Security

EITF25 Internet Techniques and Applications L5: Wide Area Networks (WAN) Stefan Höst

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

Building scalable IPSec infrastructure with MikroTik. IPSec, L2TP/IPSec, OSPF

Networking Security IP packet security

Virtual Private Network VPN IPSec Testing: Functionality Interoperability and Performance

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Galileo International. Firewall & Proxy Specifications

CS 4803 Computer and Network Security

Security Engineering Part III Network Security. Security Protocols (II): IPsec

Firewalls. Chien-Chung Shen

Computer and Network Security Exercise no. 4

GPRS / 3G Services: VPN solutions supported

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

Cisco Which VPN Solution is Right for You?

Establishing a VPN tunnel to CNet CWR-854 VPN router using WinXP IPSec client

Virtual Private Network and Remote Access Setup

CSCE 465 Computer & Network Security

Cisco Configuring Commonly Used IP ACLs

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

IPsec Details 1 / 43. IPsec Details

Configuring an IPSec Tunnel between a Firebox & a Check Point FireWall-1

Dissertation Title: SOCKS5-based Firewall Support For UDP-based Application. Author: Fung, King Pong

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

A Practical Look at Network Address Translation. A Nokia Horizon Manager White Paper

Introduction to Computer Security

2. IP Networks, IP Hosts and IP Ports

OS/390 Firewall Technology Overview

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Securing IP Networks with Implementation of IPv6

CSCI 454/554 Computer and Network Security. Topic 8.1 IPsec

LinkProof And VPN Load Balancing

Internet Security Firewalls

Remote Connectivity for mysap.com Solutions over the Internet Technical Specification

NETWORK SECURITY (W/LAB) Course Syllabus

Case Study for Layer 3 Authentication and Encryption

Overview - Using ADAMS With a Firewall

Laboratory Exercises V: IP Security Protocol (IPSec)

Computer Networks. Secure Systems

MPLS VPN in Cellular Mobile IPv6 Architectures(04##017)

Howto: How to configure static port mapping in the corporate router/firewall for Panda GateDefender Integra VPN networks

Configuration Guide. How to establish IPsec VPN Tunnel between D-Link DSR Router and iphone ios. Overview

TheGreenBow IPsec VPN Client. Configuration Guide Cisco RV325 v1. Website: Contact:

IP address format: Dotted decimal notation:

Overview - Using ADAMS With a Firewall

- Introduction to Firewalls -

The VPNaaS Plugin for Fuel Documentation

Firewall Troubleshooting

VPN. Date: 4/15/2004 By: Heena Patel

This section provides a summary of using network location profiles to identify network connection types. Details include:

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Network Address Translation (NAT) Adapted from Tannenbaum s Computer Network Ch.5.6; computer.howstuffworks.com/nat1.htm; Comer s TCP/IP vol.1 Ch.

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Fireware Essentials Exam Study Guide

Micronet SP881. TheGreenBow IPSec VPN Client Configuration Guide.

SSL VPN Technology White Paper

1:1 NAT in ZeroShell. Requirements. Overview. Network Setup

ICS 351: Today's plan. IP addresses Network Address Translation Dynamic Host Configuration Protocol Small Office / Home Office configuration

Network Address Translation (NAT)

Virtual Private Networks

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway

Firewalls, Tunnels, and Network Intrusion Detection

Insecure network services

Transcription:

21.4 Network Address Translation (NAT) This section explains Network Address Translation (NAT). NAT is also known as IP masquerading. It provides a mapping between internal IP addresses and officially assigned external addresses. Originally, NAT was suggested as a short-term solution to the problem of IP address depletion. Also, many organizations have, in the past, used locally assigned IP addresses, not expecting to require Internet connectivity. NAT is defined in RFC 3022. 21.4.1 NAT concept The idea of NAT is based on the fact that only a small number of the hosts in a private network are communicating outside of that network. If each host is assigned an IP address from the official IP address pool only when they need to communicate, then only a small number of official addresses are required. NAT might be a solution for networks that have private address ranges or unofficial addresses and want to communicate with hosts on the Internet. In fact, most of the time, this can also be achieved by implementing a firewall. Hence, clients that communicate with the Internet by using a proxy or SOCKS server do not expose their addresses to the Internet, so their addresses do not have to be translated anyway. However, for any reason, when proxy and SOCKS are not available, or do not meet specific requirements, NAT might be used to manage the traffic between the internal and external network without advertising the internal host addresses. Consider an internal network that is based on the private IP address space, and the users want to use an application protocol for which there is no application gateway; the only option is to establish IP-level connectivity between hosts in the internal network and hosts on the Internet. Since the routers in the Internet would not know how to route IP packets back to a private IP address, there is no point in sending IP packets with private IP addresses as source IP addresses through a router into the Internet. As shown in Figure 279, NAT takes the IP address of an outgoing packet and dynamically translates it to an officially assigned global address. For incoming packets it translates the assigned address to an internal address. 694 TCP/IP Tutorial and Technical Overview

NAT Configuration RESERVE a.b.2.0 255.255.255.0 TRANSLATE 10.0.0.0 255.0.0.0 TCP/UDP IP/ICMP Filtering Rules Based on non-translated IP addresses (10.x.x.x) NAT Filtering Non-secure a.b.1.0/24 10.0.0.0/8 Secure a.b.1.1 src=a.b.1.1 dest=a.b.2.1 src=a.b.1.1 dest=10.0.1.1 10.0.1.1 Figure 279. Network Address Translation (NAT) From the point of two hosts that exchange IP packets with each other, one in the secure network and one in the non-secure network, NAT looks like a standard IP router that forwards IP packets between two network interfaces (please see Figure 280). Non-Secure a.b.1.0/24 Looks like a normal router a.b.2.0/24 Secure a.b.1.1 src=a.b.1.1 dest=a.b.2.1 a.b.2.1 Figure 280. NAT seen from the non-secure network 21.4.2 Translation mechanism For each outgoing IP packet, the source address is checked by the NAT configuration rules. If a rule matches the source address, the address is translated to a global address from the address pool. The predefined address pool contains the addresses that NAT can use for translation. For each incoming packet, the destination address is checked if it is used by NAT. When this is true, the address is translated to the original internal address. Figure 281 shows the NAT configuration. Chapter 21. TCP/IP security 695

Reserve N Translate Pool To be translated A Map Exclude T Exclude Secure network Firewall Non-secure network Figure 281. NAT configuration If NAT translates an address for an IP packet, the checksum is also adjusted. For FTP packets, the task is even more difficult, because the packets can contain addresses in the data of the packet. For example, the FTP PORT command contains an IP address in ASCII. These addresses should also be translated correctly and checksum updates and even TCP sequence and acknowledgement updates should be made accordingly. NAT looks like a normal IP router to the systems which use it. In order to make the routing tables work, the IP network design should choose addresses as if connecting two or more IP networks or subnets through a router. The NAT IP addresses need to come from separate networks or subnets, and the addresses need to be unambiguous with respect to other networks or subnets in the non-secure network. If the non-secure network is the Internet, the NAT addresses need to come from a public network or subnet, in other words, the NAT addresses need to be assigned by IANA. The assigned addresses should be reserved in a pool, in order to use them when needed. If connections are established from the secure network, NAT can just pick the next free public address in the NAT pool and assign that to the requesting secure host. NAT keeps track of which internal IP addresses are mapped to which external IP addresses at any given point in time, so it will be able to map a response it receives from the external network into the corresponding secure IP address. 696 TCP/IP Tutorial and Technical Overview

When NAT assigns IP addresses on a demand basis, it needs to know when to return the external IP address to the pool of available IP addresses. There is no connection setup or tear-down at the IP level, so there is nothing in the IP protocol itself that NAT can use to determine when an association between a secure IP address and a NAT non-secure IP address is no longer needed. Since TCP is a connection-oriented protocol, it is possible to obtain the connection status information from TCP header (whether connection is ended or not), whereas UDP does not include such information. Therefore, a timeout value should be configured that instructs NAT how long to keep an association in an idle state before returning the external IP address to the free NAT pool. Generally, the default value for this parameter is 15 minutes. Network administrators also need to instruct NAT whether all the secure hosts are allowed to use NAT or not. This can be done by using corresponding configuration commands. If hosts in the non-secure network need to initiate connections to hosts in the secure network, NAT should be configured in advance as to which non-secure NAT address matches which secure IP address. Thus, a static mapping should be defined to allow connections from non-secure networks to a specific host in the internal network. The external name server may, for example, have an entry for a mail gateway that runs on a computer in the secure network. The external name server resolves the public host name of the internal mail gateway to the statically mapped IP address (the external address), and the remote mail server sends a connection request to this IP address. When that request comes to NAT on the non-secure interface, NAT looks into its mapping rules to see if it has a static mapping between the specified non-secure public IP address and a secure IP address. If so, it translates the IP address and forwards the IP packet into the secure network to the internal mail gateway. Please note that the non-secure NAT addresses as statically mapped to secure IP addresses should not overlap with the addresses specified as belonging to the pool of non-secure addresses NAT can use on a demand basis. 21.4.3 NAT limitations NAT works fine for IP addresses in the IP header. Some application protocols exchange IP address information in the application data part of an IP packet, and NAT will generally not be able to handle translation of IP addresses in the application protocol. Currently, most of the implementations handle the FTP protocol. It should be noted that implementation of NAT for specific applications that have IP information in the application data is more sophisticated than the standard NAT implementations. Chapter 21. TCP/IP security 697

Another important limitation of NAT is that NAT changes some of the address information in an IP packet. When end-to-end IPsec authentication is used, a packet whose address has been changed will always fail its integrity check under the AH protocol, since any change to any bit in the datagram will invalidate the integrity check value that was generated by the source. Since IPsec protocols offer some solutions to the addressing issues that were previously handled by NAT, there is no need for NAT when all hosts that compose a given virtual private network use globally unique (public) IP addresses. Address hiding can be achieved by IPsec's tunnel mode. If a company uses private addresses within its intranet, IPsec's tunnel mode can keep them from ever appearing in cleartext from in the public Internet, which eliminates the need for NAT. (Please see 21.5, The IP security architecture (IPsec) on page 698 and 21.11, Virtual private networks (VPN) overview on page 755 for details about IPsec and VPN.) 21.5 The IP security architecture (IPsec) This section examines, in detail, the IPsec framework and its three main components, Authentication Header (AH), Encapsulating Security Payload (ESP), and Internet Key Exchange (IKE). The header formats, the specific cryptographic features and the different modes of application are discussed. IPsec adds integrity checking, authentication, encryption and replay protection to IP packets. It is used for end-to-end security and also for creating secure tunnels between gateways. IPsec was designed for interoperability. When correctly implemented, it does not affect networks and hosts that do not support it. IPsec is independent of the current cryptographic algorithms; it can accommodate new ones as they become available. It works both with IPv4 and IPv6. In fact, IPsec is a mandatory component of IPv6. IPsec uses state-of-the-art cryptographic algorithms. The specific implementation of an algorithm for use by an IPsec protocol is often called a transform. For example, the DES algorithm used by ESP is called the ESP DES-CBC transform. The transforms, like the protocols, are published in the RFCs. 21.5.1 Concepts Two major IPsec concepts should be clarified: Security Associations and tunneling. These concepts are described in the following sections. 698 TCP/IP Tutorial and Technical Overview

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information