1_NAT_ALG_and_Firewall.ppt


Transcript of 1_NAT_ALG_and_Firewall.ppt

Page 1: 1_NAT_ALG_and_Firewall.ppt
Page 2: 1_NAT_ALG_and_Firewall.ppt

Connectivity – NA(P)T

Page 3: 1_NAT_ALG_and_Firewall.ppt

Thomson Gateway NAT

>NAT: Network Address Translation ("IP Masquerading")

>NAPT: Network Address and Port Translation

Page 4: 1_NAT_ALG_and_Firewall.ppt

Definition

>NAT: Maps IP addresses from one address realm to another
• Provides transparent routing between disparate address realms

>Characteristics:
• Transparent address assignment
• Transparent routing through address translation
• ICMP error packet payload translation

Page 5: 1_NAT_ALG_and_Firewall.ppt

Necessity

> IPv4: 32 bits

>Private networks 10.0.0.0, 172.16.0.0, 192.168.0.0

[Diagram: LAN hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 (10.0.0.x, inside IP addresses) behind the gateway, whose WAN side carries the outside IP address 150.15.10.8]

Page 6: 1_NAT_ALG_and_Firewall.ppt

Example

Packet flow (trace of LAN host 40.0.1.1 opening a TCP session to 100.0.1.1 through the gateway; the gateway rewrites the source to its PPPoE address 50.50.1.1 and port 49125):

[IN] eth0->        : 40.0.1.1  100.0.1.1 0076 TCP 10000->50000 [S.....]
[UT] eth0->pppoe0  : 50.50.1.1 100.0.1.1 0076 TCP 49125->50000 [S.....]
[IN] pppoe0->      : 100.0.1.1 50.50.1.1 0076 TCP 50000->49125 [S.A...]
[UT] pppoe0->eth0  : 100.0.1.1 40.0.1.1  0076 TCP 50000->10000 [S.A...]
[IN] eth0->        : 40.0.1.1  100.0.1.1 0076 TCP 10000->50000 [..A...]
[UT] eth0->pppoe0  : 50.50.1.1 100.0.1.1 0076 TCP 49125->50000 [..A...]

Address binding:

[nat]=>maplist
Idx Type Interface Outside Address Inside Address Use
1   NAPT pppoe0    50.50.1.1       40.0.1.1       1

[Diagram: LAN host 40.0.1.1, gateway, PPPoE server, remote host 100.0.1.1; labels: Packet flow, Session flow, Address binding]

NAPT: extension of NAT

Page 7: 1_NAT_ALG_and_Firewall.ppt

Static vs. Dynamic NAT

>Static Address Assignment → Static NAT
• One-to-one address mapping
• Fixed in time

>Dynamic Address Assignment → Dynamic NAT
• Based on usage requirements and session flow
• Binding used and re-used

Page 8: 1_NAT_ALG_and_Firewall.ppt

Basic NAT

>Block of external addresses set aside for translation

>For sessions originating in the private domain

>Example: Static

Idx Type Interface Outside Address Inside Address
1   NAT  ipoa0     50.0.0.138      unmapped
    Access List................... 10.0.0.10
    Foreign Address............... any
    Protocol...................... any
    Flags......................... Static
    Description................... Outbound Basic NAT

Page 9: 1_NAT_ALG_and_Firewall.ppt

When to Use Basic NAT

> Inside addresses not routable on the outside network

>Hiding inside addresses from the outside world

>Avoid network renumbering when changing service provider

Page 10: 1_NAT_ALG_and_Firewall.ppt

NAPT

>Extension: translation of transport identifiers
• TCP, UDP: port numbers
• ICMP: query identifiers

>Allows sharing a single external address

Idx Type Interface Outside Address Inside Address Use
1   NAPT ipoa0     50.0.0.138      unmapped       2
    Access List................... 40.0.0.0/16
    Foreign Address............... any
    Protocol...................... any
    Flags......................... Static
    Description................... Outbound NAPT without defserver

Page 11: 1_NAT_ALG_and_Firewall.ppt

NAPT – Continued

NAPT uses ports from the range [49125 - 65536]

Two LAN hosts (40.0.1.1 and 40.0.1.2) share the outside address 50.0.1.138; each session gets its own outside port:

[IN] eth0->        : 40.0.1.1   100.0.1.1  0076 TCP 10000->50000 [S.....]
[UT] eth0->ipoa0   : 50.0.1.138 100.0.1.1  0076 TCP 49125->50000 [S.....]
[IN] ipoa0->       : 100.0.1.1  50.0.1.138 0076 TCP 50000->49125 [S.A...]
[UT] ipoa0->eth0   : 100.0.1.1  40.0.1.1   0076 TCP 50000->10000 [S.A...]
[IN] eth0->        : 40.0.1.1   100.0.1.1  0076 TCP 10000->50000 [..A...]
[UT] eth0->ipoa0   : 50.0.1.138 100.0.1.1  0076 TCP 49125->50000 [..A...]

[IN] eth0->        : 40.0.1.2   100.0.1.1  0076 TCP 10001->50000 [S.....]
[UT] eth0->ipoa0   : 50.0.1.138 100.0.1.1  0076 TCP 49126->50000 [S.....]
[IN] ipoa0->       : 100.0.1.1  50.0.1.138 0076 TCP 50000->49126 [S.A...]
[UT] ipoa0->eth0   : 100.0.1.1  40.0.1.2   0076 TCP 50000->10001 [S.A...]
[IN] eth0->        : 40.0.1.2   100.0.1.1  0076 TCP 10001->50000 [..A...]
[UT] eth0->ipoa0   : 50.0.1.138 100.0.1.1  0076 TCP 49126->50000 [..A...]
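The binding behaviour behind these traces, as an added example that is not part of the slides or the gateway's code: a minimal NAPT table that rewrites 40.0.1.x:port to 50.0.1.138 with a port from the 49125 pool, reuses a binding for the same inside socket, maps replies back, and refuses unsolicited inbound packets with no binding. The Packet type and function names are this example's own.

```python
# Added example (not from the slides): a minimal NAPT binding table that
# reproduces the translation in the trace above. Inside 40.0.1.x:port is
# rewritten to the outside address 50.0.1.138 with a port taken from 49125
# upward, and reply packets are mapped back. Addresses and the port range
# come from the slides; the Packet type and function names are this example's own.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

OUTSIDE_ADDR = "50.0.1.138"        # NAPT outside address (from the trace)
PORT_RANGE = range(49125, 65536)   # NAPT port pool (from the slide)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "TCP"

@dataclass
class Napt:
    # (inside addr, inside port) -> outside port, plus the reverse index
    outbound: Dict[Tuple[str, int], int] = field(default_factory=dict)
    inbound: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    next_port: int = PORT_RANGE.start

    def _bind(self, inside: Tuple[str, int]) -> int:
        """Reuse an existing binding or allocate the next free outside port."""
        if inside in self.outbound:
            return self.outbound[inside]
        if self.next_port not in PORT_RANGE:
            raise RuntimeError("NAPT port pool exhausted")
        port = self.next_port
        self.next_port += 1
        self.outbound[inside] = port
        self.inbound[port] = inside
        return port

    def lan_to_wan(self, pkt: Packet) -> Packet:
        """eth0 -> ipoa0: rewrite the source to OUTSIDE_ADDR:<bound port>."""
        port = self._bind((pkt.src, pkt.sport))
        return Packet(OUTSIDE_ADDR, port, pkt.dst, pkt.dport, pkt.proto)

    def wan_to_lan(self, pkt: Packet) -> Optional[Packet]:
        """ipoa0 -> eth0: reverse the binding. None means no binding exists,
        so an unsolicited inbound packet is not forwarded to the LAN."""
        if pkt.dst != OUTSIDE_ADDR or pkt.dport not in self.inbound:
            return None
        inside_addr, inside_port = self.inbound[pkt.dport]
        return Packet(pkt.src, pkt.sport, inside_addr, inside_port, pkt.proto)
```

A real gateway additionally ages bindings out (the Timeout column on the applist slide) and tracks TCP state, which this table leaves out.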

Page 12: 1_NAT_ALG_and_Firewall.ppt

When to Use NAPT

>Multiple private hosts accessing the public network through the same gateway

>Link specific traffic to a private host

>Redirect all unknown incoming traffic to a chosen private host

Page 13: 1_NAT_ALG_and_Firewall.ppt

Two-Way NAT

> Sessions can be initiated from hosts in both the public and the private network

> Used to make private servers available on the Internet

> Examples: Static

Idx Type Interface Outside Address Inside Address Use
1   NAT  pppoe0    50.0.0.138      40.0.1.1       0
    Access List................... 40.0.1.1
    Foreign Address............... any
    Protocol...................... any
    Flags......................... Static
    Description................... Two-way NAT

Session initiated by the public host 100.0.1.1 towards the outside address 50.0.0.138, translated to the private server 40.0.1.1:

[IN] pppoe0->      : 100.0.1.1  50.0.0.138 0076 TCP 50000->10000 [S.....]
[UT] pppoe0->eth0  : 100.0.1.1  40.0.1.1   0076 TCP 50000->10000 [S.....]
[IN] eth0->        : 40.0.1.1   100.0.1.1  0076 TCP 10000->50000 [S.A...]
[UT] eth0->pppoe0  : 50.0.0.138 100.0.1.1  0076 TCP 10000->50000 [S.A...]

Page 14: 1_NAT_ALG_and_Firewall.ppt

Connection Sharing: HyperNAT – IP Passthrough

>Allow a public IP address to be used on the LAN
• “Default server”
• IPsec-AH client
• Any NAT issues …

>While preserving NAPT access for the other PCs
• UPnP v1.0
• All known ALGs: IPsec, PPTP/L2TP, SIP, …

>Public IP address assigned to the PC manually or via DHCP
• Continued 1-1 NAT routing during a WAN IP address change event

> Compatible with dial-on-demand!

[Diagram: LAN PCs 192.168.1.64 and 192.168.1.65; the passthrough PC holds the public IP address a.b.c.d, which is also the WAN side address]

Page 15: 1_NAT_ALG_and_Firewall.ppt

Connection Sharing: HyperNAT – IP Passthrough

[Diagram: LAN 192.168.1.x behind the public IP a.b.c.d; port ranges 1 to 49k and 49k to 65k; “Default Server”; Service/Portmaps]

Page 16: 1_NAT_ALG_and_Firewall.ppt

Connectivity – NAT ALGs

Page 17: 1_NAT_ALG_and_Firewall.ppt

Definition

ALG = Application Level Gateway
• Translates addresses and ports the NAT engine cannot handle
• “Opens the firewall”
• Creates NAT mappings

Page 18: 1_NAT_ALG_and_Firewall.ppt

ALG Intervention Level

  OSI Layer          TCP/IP                         Network node
7 Application        HTTP, FTP, SMTP, SNMP, Telnet  gateway
6 Presentation
5 Session
4 Transport          TCP, UDP
3 Network            IP                             router
2 Data-link (MAC)    SLIP, PPP                      bridge
1 Physical                                          repeater, UTP cable

Diagram annotations: NAPT works at the network and transport layers (3 and 4); the ALG works at the application layer (7)

Page 19: 1_NAT_ALG_and_Firewall.ppt

ALGs Real Actions

>Create connection

>Delete connection

>Search connection

>Packet modification

>Add NAT mapping

>Remove NAT mapping

Page 20: 1_NAT_ALG_and_Firewall.ppt

Supported ALGs

> IP6to4

>PPTP (VPN)

>ESP (IPSec)

> IKE (IPSec)

>SIP (VoIP)

>JABBER

>CU/SeeMe

>RAUDIO

>RTSP

> ILS (NetMeeting phonebook)

>H245 (NetMeeting)

>H323 (NetMeeting)

> IRC

>FTP

Page 21: 1_NAT_ALG_and_Firewall.ppt

ALGs Triggering

Each ALG is bound to a port or a range of ports.

Available ALGs:

{Administrator}[connection]=>applist
Application   Proto  DefaultPort  Traces       Timeout
IP6TO4        6to4   0            enabled      unavailable
PPTP          tcp    1723         enabled      unavailable
ESP           esp    0            unavailable  15' 0"
IKE           udp    500          disabled     15' 0"
SIP           udp    5060         disabled     6' 0"
JABBER        tcp    5222         disabled     2' 0"
CU/SeeMe      udp    7648         enabled      unavailable
RAUDIO(PNA)   tcp    7070         enabled      unavailable
RTSP          tcp    554          enabled      unavailable
ILS           tcp    389          unavailable  5' 0"
H245          tcp    0            unavailable  5' 0"
H323          tcp    1720         enabled      unavailable
IRC           tcp    6667         enabled      5' 0"
LOOSE(UDP)    udp    0            enabled      5' 0"
FTP           tcp    21           enabled      unavailable

Page 22: 1_NAT_ALG_and_Firewall.ppt

FTP ALG

No firewall opening needed

Firewall must accept the incoming connection on port 1027, coming from port 2024 → an inbound port shift mapping must be present

[Diagram: LAN, gateway, WAN]

Tests:
• Inbound vs. outbound
• One vs. multiple LAN clients
• One vs. multiple WAN servers
• LAN server
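The ALG actions listed earlier (packet modification, add NAT mapping, remove NAT mapping) applied to FTP, as an added example that is not the gateway's ALG code: an active-mode client on the LAN announces its data port in a PORT command, the ALG rewrites the private address and port in the payload to the outside address and a NAPT port, and records the inbound mapping that lets the server's data connection reach the client. The outside address is from the slides; the class, port pool and function names are this example's own.

```python
# Added example, not the gateway's ALG code: the textbook FTP ALG step behind
# the slide's "inbound port shift mapping". An active-mode client on the LAN
# announces its data port in a PORT command; the ALG rewrites the private
# address and port in the payload to the outside address and a NAPT port and
# records the inbound mapping that lets the server's data connection reach
# the client. The outside address is from the slides; the class, port pool
# and function names are this example's own.
import re
from typing import Dict, Optional, Tuple

OUTSIDE_ADDR = "50.0.1.138"
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")

class FtpAlg:
    def __init__(self, first_port: int = 49125) -> None:
        self.next_port = first_port
        # outside port -> (LAN address, LAN port): the inbound mapping
        self.inbound: Dict[int, Tuple[str, int]] = {}

    def handle_client_line(self, line: str) -> str:
        """Rewrite a PORT command sent by the LAN client; pass other lines through."""
        m = PORT_RE.match(line)
        if not m:
            return line
        h = m.groups()
        if any(int(x) > 255 for x in h):
            return line            # malformed PORT: do not create a mapping
        lan_ip = ".".join(h[:4])
        lan_port = int(h[4]) * 256 + int(h[5])
        if lan_port == 0:
            return line
        ext_port = self.next_port
        self.next_port += 1
        self.inbound[ext_port] = (lan_ip, lan_port)         # "Add NAT mapping"
        octets = OUTSIDE_ADDR.replace(".", ",")
        return f"PORT {octets},{ext_port // 256},{ext_port % 256}\r\n"  # "Packet modification"

    def inbound_target(self, ext_port: int) -> Optional[Tuple[str, int]]:
        """Where a data connection arriving at OUTSIDE_ADDR:ext_port is delivered."""
        return self.inbound.get(ext_port)

    def close(self, ext_port: int) -> None:
        """Data connection finished: "Remove NAT mapping"."""
        self.inbound.pop(ext_port, None)
```

A real ALG also has to adjust the TCP sequence and acknowledgement numbers on the control connection whenever the rewritten payload changes length.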

Page 23: 1_NAT_ALG_and_Firewall.ppt

Managed Security Service Firewall

Page 24: 1_NAT_ALG_and_Firewall.ppt

Managed Security Service Firewall - Overview

>Firewall has 2 functions
• Protect the ST Gateway from unwanted management access
• Police traffic LAN to WAN and vice versa

>Mapped on 2 firewall services
• Firewall (fwd): GUI/CLI
• ServiceManager (sink/src): CLI

Page 25: 1_NAT_ALG_and_Firewall.ppt

Managed Security Service Firewall - Default Policies

Edit Level

Page 26: 1_NAT_ALG_and_Firewall.ppt

Stateful firewall CLI configuration

>General configuration: :firewall config
• state, Tcpchecks, Udpchecks, Icmpchecks

Page 27: 1_NAT_ALG_and_Firewall.ppt

Stateful firewall CLI configuration

>Firewall menu: Chain
• Incoming data is ‘intercepted’ at packet interception points with chains attached to them
• List: shows the available chains
• Sink and source chains manage data sent to / received from the CPE ‘host’
• Sink/source traffic is controlled by the hostmanager

>Firewall menu: Rule
• Every chain can have a set of rules, each with an index
• Lowest index rules are executed first

Page 28: 1_NAT_ALG_and_Firewall.ppt

Data Flow overview

[Diagram: Service Manager; Host services and System services; Manual firewall rules]

Page 29: 1_NAT_ALG_and_Firewall.ppt

Firewall levels

>Only related to the forward chain!

Page 30: 1_NAT_ALG_and_Firewall.ppt

Firewall rules

>Rules are linked to chains
>Main actions: drop, accept, deny, count
>Classification criteria:
• Source and destination interface
• Source and destination IP
• Service:
  >Services from the :expr menu
  >Manual expressions can be created
  >Classifiers: ToS, precedence, proto, DSCP; source/destination port ranges

Page 31: 1_NAT_ALG_and_Firewall.ppt

Firewall rules

>Example with level=disabled

Page 32: 1_NAT_ALG_and_Firewall.ppt

Firewall level

>Different levels according to the ICSA specification

>Set, check level: :firewall level set

Page 33: 1_NAT_ALG_and_Firewall.ppt

Hands on - Firewall

> Create a rule which drops http forwarding if the level of the firewall is set to Standard.
  :firewall level set …
  :firewall rule add
  > chain forward_level
  > …

> Create a rule which drops ftp to the CPE.
  :firewall rule add
  > chain sink
  > …

> Create a rule which denies udp with dest port 666 initiated from the CPE.
  :expr add
  > type serv
  > …
  :firewall rule add
  > chain source
  > …

  ip debug sendto addr=192.168.2.1 dstport=666
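The chain/rule model from the firewall slides (rules in named chains, lowest index first, actions drop/accept/deny/count, interface and service classifiers) run over the three hands-on rules, as an added example that is not the gateway's code. Chain names, actions and classifiers follow the slides; the data model, interface names ("lan", "wan", "cpe") and function names are this example's own.

```python
# Added example, not the gateway's own code: a toy version of the slides'
# chain/rule model. Rules sit in a named chain with an index, run lowest
# index first, the first match decides, and "count" only tallies and falls
# through. Data model and function names are this example's own.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
@dataclass
class Service:                    # an ":expr add type serv" entry
    proto: str                    # "tcp", "udp", "icmp" or "any"
    dports: Tuple[int, int] = (1, 65535)   # destination port range
    sports: Tuple[int, int] = (1, 65535)   # source port range

    def matches(self, p: dict) -> bool:
        return (self.proto in ("any", p["proto"])
                and self.dports[0] <= p["dport"] <= self.dports[1]
                and self.sports[0] <= p["sport"] <= self.sports[1])

@dataclass
class Rule:
    index: int
    action: str                   # drop | accept | deny | count
    service: Service
    srcintf: Optional[str] = None  # None matches any interface
    dstintf: Optional[str] = None
    hits: int = 0

    def matches(self, p: dict) -> bool:
        return (self.srcintf in (None, p["srcintf"])
                and self.dstintf in (None, p["dstintf"])
                and self.service.matches(p))

@dataclass
class Firewall:
    chains: Dict[str, List[Rule]] = field(default_factory=dict)
    def rule_add(self, chain: str, rule: Rule) -> None:
        self.chains.setdefault(chain, []).append(rule)

    def evaluate(self, chain: str, p: dict, default: str = "accept") -> str:
        # walk one chain lowest index first and return the verdict
        for rule in sorted(self.chains.get(chain, []), key=lambda r: r.index):
            if rule.matches(p):
                rule.hits += 1
                if rule.action != "count":
                    return rule.action
        return default
# Constructed policy: the three hands-on rules from the last slide
fw = Firewall()
fw.rule_add("forward_level", Rule(10, "drop", Service("tcp", (80, 80)), "lan", "wan"))
fw.rule_add("sink", Rule(10, "drop", Service("tcp", (21, 21))))
fw.rule_add("source", Rule(10, "deny", Service("udp", (666, 666))))
```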