NAT & Application Control


NAT

NAT stands for Network Address Translation, which is used to translate
private IP addresses to public IP addresses.
- It provides a type of firewall by hiding internal IP addresses.
- It also enables a company to use more internal IP addresses. Since they
  are used internally only, there is no possibility of conflict with IP
  addresses in use elsewhere.

Types of Check Point Supported NAT

Types of NAT:

Static NAT
- Performs one-to-one mapping.
- Connections can originate from both sides of a Security Gateway, so that
  internal servers are accessible from external sources.
- Generally used for external-to-internal access to the servers sitting in
  the DMZ zone, e.g. SMTP, FTP, WWW.

Hide NAT
- Hides networks behind a single IP.
- Performs one-to-many translation based on dynamically assigned ports.
- Maps all specified internal addresses to a single public IP address, thus
  hiding the internal IP structure from external sources. Connections can
  originate only from the internal, protected side of a Security Gateway.
  Internal resources are not accessible by external sources.

In the Hide NAT mode, source port numbers of all packets are modified. When
return packets enter a firewall, the Security Gateway uses the port number to
determine which internal machines the packets are destined for. Port numbers
are dynamically assigned from two pools of numbers: 600 to 1023 and 10,000 to
60,000.
Port numbers are normally assigned from the second pool. The first pool is
used for only three services:

The Security Gateway keeps track of all port numbers assigned, so that the
original port number is correctly restored for return packets and a port
number that is currently in use is not assigned again to a new connection.
Hide NAT supports a maximum of 50,000 connections per server. This capacity
limit is only reached if more than 50,000 connections from Hide NATed
internal clients are simultaneously directed at a single server on the
unprotected side of the Security Gateway, a highly unlikely scenario.

The Hide Address is the address behind which the internal network, address
range or node is hidden. You can opt to hide the internal address(es) either:

- Behind a virtual IP address, which is a routable, public IP address that
  does not belong to any physical machine, or
- Behind the IP address of the Security Gateway interface through which the
  packet is routed.
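The port bookkeeping described above, as an added example that is not Check Point's code: each new outbound connection gets an unused port from the appropriate pool, return packets are mapped back through that port, unsolicited inbound packets find no entry and are dropped, and the pool runs out only toward a single heavily used server. The pool sizes, the per-server allocation and the `low_pool_dst_ports` parameter are assumptions made for this model.

```python
from typing import Dict, Tuple

Flow = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)
LOW_POOL = range(600, 1024)        # reserved for the few designated services
HIGH_POOL = range(10_000, 60_000)  # default pool; modelled as 50,000 ports (assumption)

class HideNat:
    """Model of the Hide NAT port bookkeeping (example, not Check Point code)."""

    def __init__(self, hide_address: str, low_pool_dst_ports=frozenset()):
        self.hide_address = hide_address   # virtual IP or gateway interface IP
        self.low_pool_dst_ports = low_pool_dst_ports  # services served from LOW_POOL (assumed)
        self.out_map: Dict[Flow, int] = {}                  # flow -> assigned NAT port
        self.in_map: Dict[Tuple[int, str, int], Flow] = {}  # (port, server ip, port) -> flow
        self.cursor: Dict[Tuple[str, int], int] = {}        # next candidate per server

    def _allocate(self, dst_ip: str, dst_port: int) -> int:
        # Assumption: ports are tracked per destination server, so a port may be
        # reused toward a different server, but a port currently in use toward
        # this server is never handed out again.
        pool = LOW_POOL if dst_port in self.low_pool_dst_ports else HIGH_POOL
        start = self.cursor.get((dst_ip, dst_port), 0)
        for i in range(len(pool)):
            idx = (start + i) % len(pool)
            if (pool[idx], dst_ip, dst_port) not in self.in_map:
                self.cursor[(dst_ip, dst_port)] = idx + 1
                return pool[idx]
        raise RuntimeError(f"Hide NAT port pool exhausted toward {dst_ip}:{dst_port}")

    def translate_out(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Flow:
        """Internal -> external: source becomes hide address + assigned port."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.out_map:   # new connection; existing ones keep their port
            port = self._allocate(dst_ip, dst_port)
            self.out_map[flow] = port
            self.in_map[(port, dst_ip, dst_port)] = flow
        return (self.hide_address, self.out_map[flow], dst_ip, dst_port)

    def translate_in(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int):
        """Return packet: restore the internal host/port from the NAT port.
        None means no internal host opened this connection, so it is dropped."""
        key = (dst_port, src_ip, src_port)
        if dst_ip != self.hide_address or key not in self.in_map:
            return None
        orig_ip, orig_port, _, _ = self.in_map[key]
        return (src_ip, src_port, orig_ip, orig_port)

    def close(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> None:
        """Release the port when the connection ends so it can be reused."""
        port = self.out_map.pop((src_ip, src_port, dst_ip, dst_port))
        del self.in_map[(port, dst_ip, dst_port)]
```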

Automatic and Manual NAT Rules

NAT can be defined automatically through the network object (node, network
or address range). When you define NAT this way, rules are automatically
added to the NAT Rule Base.
You can manually specify NAT rules by adding or editing NAT rules in the NAT
Rule Base. The firewall validates manual NAT rules, helping to avoid mistakes
in the setup process. Creating manual NAT rules gives maximum control over
the way NAT functions. You can specify the source, destination and service
separately for both the original and the translated packet.
When creating manual NAT rules, you must define the translated network
objects in addition to the original objects.

Automatically Generated Rules

NAT can be defined automatically through a network object (node, network or
address range), with rules added automatically to the NAT Rule Base.
- Hide NAT on a node adds one rule to the NAT Rule Base. It specifies that
  the source address of the packet is translated for connections originating
  from the node in the internal network (Source Hide Rule).
- Static NAT on a node adds two rules to the NAT Rule Base. In addition to
  the Source Hide rule, another rule specifies that for connections
  originating from the external network, the destination address of the
  packet is translated (Destination Static Rule).

Application Control

The use of internet applications comes with problems that administrators
must know about:
- Malware threats - Application use can open networks to threats from
  malware. Popular applications like Twitter, Facebook, and YouTube can cause
  users to download viruses unintentionally. File sharing can easily cause
  malware to be downloaded into your network.
- Bandwidth hogging - Applications that use a lot of bandwidth, for example
  streaming media, can limit the bandwidth that is available for important
  business applications.
- Loss of productivity - Employees can spend time on social networking and
  other applications that can seriously decrease business productivity.

Main features of the Application Control Software Blade:

- Granular Application Control - Identify, allow, or block thousands of
  applications and internet sites. This provides protection against the
  increasing threat vectors and malware introduced by internet applications
  and sites.
- Largest application library with AppWiki - Comprehensive application
  control that uses the industry's largest application library. It scans for
  and detects more than 4,500 applications and more than 100,000 Web 2.0
  widgets and categories.
- Central Management - Lets you centrally manage security policies for
  Application Control and URL Filtering from one user-friendly console for
  easy administration.
