Firewalls and Network Address Translation (NAT)
Highlights
Firewalls:
To protect against attacks
Two types
Proxy firewalls
Packet-filtering firewalls
NAT:
To address diminishing pool of IP addresses
The popularity of both has surged, for different reasons
Packet-filters
popular filters involve
undesired IP addresses or options
types of ICMP messages
various UDP or TCP services, based on the port numbers contained in each packet
Typical Packet-filtering configuration
A typical packet-filtering firewall configuration. The firewall acts as an IP router between an “inside”
and an “outside” network, and sometimes a third “DMZ” or extranet network, allowing only certain
traffic to pass through it. A common configuration allows all traffic to pass from inside to outside but
only a small subset of traffic to pass in the reverse direction. When a DMZ is used, only certain
services are permitted to be accessed from the Internet.
Protocol Operation
The proxy firewall acts as a multihomed Internet host, terminating TCP connections and UDP
associations at the application layer. It does not act as a conventional IP router but rather as an
ALG (Application Layer Gateway). Individual applications or proxies for each service supported
must be enabled for communication to take place through the proxy firewall.
Proxy Firewall
Quite secure
Brittle and inflexible
New apps must have a corresponding proxy
Apps must have mechanisms to discover the proxy
Types of Proxy Firewall
HTTP proxy firewalls
SOCKS firewalls
More generic than an HTTP proxy
Version 4: basic support
Version 5: adds authentication, UDP traversal, and IPv6 addressing
Application must be “socksified”: rewritten to use SOCKS
The client uses the SOCKS protocol to request that the proxy perform network connections and, optionally, DNS lookups
NAT: network address translation
(figure: LAN-side hosts 10.0.0.2, 10.0.0.3 and 10.0.0.4 behind a NAT router whose WAN-side address is 138.76.29.7)
NAT: network address translation
implementation: NAT router must:
NAT: network address translation
NAT translation table
WAN side addr          LAN side addr
138.76.29.7, 5001      10.0.0.1, 3345
……                     ……

1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
   S: 10.0.0.1, 3345   D: 128.119.40.186, 80
2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table
   S: 138.76.29.7, 5001   D: 128.119.40.186, 80
3: reply arrives, dest. address: 138.76.29.7, 5001
   S: 128.119.40.186, 80   D: 138.76.29.7, 5001
4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
   S: 128.119.40.186, 80   D: 10.0.0.1, 3345
(other LAN-side hosts shown in the figure: 10.0.0.2, 10.0.0.3, 10.0.0.4; NAT router WAN-side address: 138.76.29.7)
NAT: network address translation
16-bit port-number field: 65,000+ simultaneous connections with a single LAN-side address!
NAT is controversial:
routers should only process up to layer 3
violates end-to-end argument
NAT possibility must be taken into account by app designers, e.g., P2P applications
address shortage should instead be solved by IPv6
NAT traversal problem
solution 2: Universal Plug and Play (UPnP) Internet Gateway Device (IGD) Protocol. Allows NATed host to:
learn public IP address (138.76.29.7)
add/remove port mappings (with lease times)
(figure: NATed host 10.0.0.1 speaks IGD to the NAT router, whose public address is 138.76.29.7)
NAT traversal problem
(figure: relaying; NATed host 10.0.0.1 sits behind NAT router 138.76.29.7, the client is outside)
1. connection to relay initiated by NATed host
2. connection to relay initiated by client
3. relaying established
Drawbacks of NAT
Privately addressed systems are not reachable from outside
Runs counter to the fundamental tenet of the Internet protocols: the “smart edge” and “dumb middle”
Modifying the transport header requires recomputing the transport-layer checksum
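The checksum drawback above, worked as an added example (not code from the slides): the full UDP checksum over the pseudo-header beside the RFC 1624 incremental update a NAT can apply after rewriting the source address and port. The addresses and ports are the lecture's; the payload is constructed.

```python
import ipaddress
import struct

def ones_complement_sum(data: bytes) -> int:
    """Folded 16-bit one's-complement sum of data (padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src_ip, dst_ip, sport, dport, payload):
    """Full UDP checksum: IPv4 pseudo-header + UDP header + payload (RFC 768)."""
    length = 8 + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 17, length))
    header = struct.pack("!HHHH", sport, dport, length, 0)  # checksum field zeroed
    csum = (~ones_complement_sum(pseudo + header + payload)) & 0xFFFF
    return csum or 0xFFFF  # UDP sends all-ones instead of a zero checksum

def addr_words(ip, port):
    """The 16-bit words a NAT rewrites: two for the address, one for the port."""
    hi, lo = struct.unpack("!HH", ipaddress.IPv4Address(ip).packed)
    return [hi, lo, port]

def incremental_update(old_csum, old_words, new_words):
    """RFC 1624 incremental update, HC' = ~(~HC + ~m + m'): fix the checksum
    from the rewritten words alone instead of re-reading the whole packet."""
    total = (~old_csum) & 0xFFFF
    for m, m_new in zip(old_words, new_words):
        total += ((~m) & 0xFFFF) + m_new
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ((~total) & 0xFFFF) or 0xFFFF

# Constructed datagram using the lecture's addresses: 10.0.0.1:3345 -> 128.119.40.186:80,
# rewritten by the NAT to 138.76.29.7:5001 on the way out.
PAYLOAD = b"constructed sample datagram"
ORIGINAL = udp_checksum("10.0.0.1", "128.119.40.186", 3345, 80, PAYLOAD)
TRANSLATED = udp_checksum("138.76.29.7", "128.119.40.186", 5001, 80, PAYLOAD)
PATCHED = incremental_update(ORIGINAL, addr_words("10.0.0.1", 3345),
                             addr_words("138.76.29.7", 5001))
```

The same update applies to the TCP checksum, which covers the same pseudo-header; forgetting it is why a NAT that rewrites only the IP header produces datagrams the receiver silently discards.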
An Example
A NAT isolates private addresses and the systems using them from the Internet.
Packets with private addresses are not routed by the Internet directly but instead
must be translated as they enter and leave the private network through the NAT
router. Internet hosts see traffic as coming from a public IP address of the NAT.
NAT
Traditional NAT (just referred to as NAT in the text):
Basic NAT: rewrite IP address only (not popular)
NAPT: Network Address Port Translation
Basic NAT and NAPT
A basic IPv4 NAT (left) rewrites IP addresses from a pool of addresses and leaves port
numbers unchanged. NAPT (right), also known as IP masquerading, usually rewrites
addresses to a single address. NAPT must sometimes rewrite port numbers in order to
avoid collisions. In this case, the second instance of port number 23479 was rewritten to
use port number 3000 so that returning traffic for 192.168.1.2 could be distinguished
from the traffic returning to 192.168.1.35.
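The NAPT behaviour in this caption and in the earlier translation-table slide, as an added example (not code from the slides): a minimal NAPT table that keeps the private source port when it is free and rewrites it only on a collision, so the second 23479 becomes 3000. The public address 138.76.29.7 is the lecture's; the starting point for rewritten ports is an assumption.

```python
class NAPT:
    def __init__(self, public_ip, first_rewrite_port=3000):
        self.public_ip = public_ip
        self.next_port = first_rewrite_port   # assumption: where rewritten ports start
        self.lan_to_wan = {}   # (lan_ip, lan_port) -> wan_port
        self.wan_to_lan = {}   # wan_port -> (lan_ip, lan_port)

    def _free_port(self):
        while self.next_port in self.wan_to_lan:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """LAN -> Internet: rewrite the source and record the binding.
        Returns the translated (src_ip, src_port, dst_ip, dst_port)."""
        key = (src_ip, src_port)
        if key not in self.lan_to_wan:
            # keep the port if no other inside host already owns it on the WAN side
            wan_port = src_port if src_port not in self.wan_to_lan else self._free_port()
            self.lan_to_wan[key] = wan_port
            self.wan_to_lan[wan_port] = key
        return (self.public_ip, self.lan_to_wan[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Internet -> LAN: rewrite the destination from the table. Returns None
        (drop) when no binding exists, which is why unsolicited probes get nowhere."""
        if dst_ip != self.public_ip or dst_port not in self.wan_to_lan:
            return None
        lan_ip, lan_port = self.wan_to_lan[dst_port]
        return (src_ip, src_port, lan_ip, lan_port)

    def table(self):
        """The translation table as (WAN side addr, LAN side addr) rows."""
        return [((self.public_ip, w), lan) for w, lan in self.wan_to_lan.items()]
```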
Security via NAT
blocks almost all incoming new connection requests
inhibits “probing” attacks that attempt to ascertain which IP addresses have active hosts available to exploit
NAT (especially NAPT) “hides” the number and configuration of internal addresses from the outside.
NAT and TCP
Observe the packet flow (SYN, FIN, RST, ACK, etc.)
Use the TCP state diagram and run appropriate timers to estimate whether the connection state still needs to be maintained
Need to account for
Keepalive timers: 2 hours
Max idle time during setup/teardown: 4 mins
NAT and UDP
No special packets (SYN, FIN, RST etc.)
NAT and ICMP
Error Messages
Usually contain a copy of the packet, whose IP header carries IP addresses (these may need to be changed as well)
Informational messages
Usually of query/response type
Query ID can be used like the port number
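The TCP, UDP and ICMP slides above, combined into one added example (not code from the slides): a NAT binding tracker keyed by protocol, LAN address and an identifier that is the TCP/UDP port or the ICMP query ID, with the slide's two timers driving expiry. The rule that UDP and ICMP bindings use the 4-minute limit is an assumption; the slides give no timer for them.

```python
ESTABLISHED_IDLE = 2 * 3600   # slide: keepalive timers, 2 hours
TRANSITORY_IDLE = 4 * 60      # slide: max idle time during setup/teardown, 4 minutes
# Assumption: UDP and ICMP query bindings, which carry no flags, get the
# transitory limit as well.

class ConnTracker:
    def __init__(self):
        self.entries = {}  # (proto, lan_ip, ident) -> {"state": str, "last": seconds}

    def observe(self, proto, lan_ip, ident, flags=(), now=0.0):
        """Update the binding for one observed packet and return its state."""
        key = (proto, lan_ip, ident)
        entry = self.entries.setdefault(key, {"state": "new", "last": now})
        entry["last"] = now
        flags = set(flags)
        if proto != "tcp":
            entry["state"] = "active"          # UDP/ICMP: no flags, timer only
        elif flags & {"FIN", "RST"}:
            entry["state"] = "teardown"        # connection is closing
        elif "SYN" in flags:
            entry["state"] = "setup"           # handshake in progress
        elif "ACK" in flags and entry["state"] == "setup":
            entry["state"] = "established"     # handshake completed
        return entry["state"]

    def idle_limit(self, entry):
        """Only an established TCP connection earns the long keepalive budget."""
        return ESTABLISHED_IDLE if entry["state"] == "established" else TRANSITORY_IDLE

    def expire(self, now):
        """Drop bindings idle beyond their limit; returns the removed keys."""
        dead = [k for k, e in self.entries.items()
                if now - e["last"] > self.idle_limit(e)]
        for k in dead:
            del self.entries[k]
        return dead
```

A pure ACK with no preceding SYN leaves the binding in the short-lived "new" state, so a stray packet cannot manufacture a two-hour hole in the table.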
NAT and tunneled Packets
Need to rewrite header of tunneled packets
NAT and Multicast
Outside to Inside
No modification to dest IP and port
Inside to Outside
Modify source IP and port as usual
Address & Port Translation Behavior
Translation and Filtering
(figure: X1 is connecting to the external address of X2)
A NAT that implements hairpinning or NAT loopback allows a client to reach a server on the same side of the NAT using the server’s external IP address and port numbers. That is, X1 can reach X2:x2 using the addressing information X2′:x2′.
NAT Editors
What if the application-layer payload contains IP addresses and port numbers?
FTP
Hole Punching
A method that allows multiple devices, each behind a NAT, to communicate directly using pinholes
Does Hole Punching Work?
Suppose A and B both connect with server S1 and exchange their external IP addresses (192.168.0.254 and 203.0.113.100)
S1 sends the other client’s information to each client
Can A and B connect directly?
Yes, if the NATs are endpoint-independent
No, if the NATs are address dependent OR address and port dependent
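The question above, run as an added example (not code from the slides): a toy NAT whose mapping behaviour is selectable, so the A/B/S1 exchange can be replayed under each of the three behaviours named on the slide. Filtering is assumed to be address-and-port dependent; the rendezvous server address and the private addresses are constructed, the public addresses are the lecture's.

```python
from enum import Enum

class Mapping(Enum):
    """Mapping behaviours named on the slide (RFC 4787 terminology)."""
    ENDPOINT_INDEPENDENT = 1
    ADDRESS_DEPENDENT = 2
    ADDRESS_PORT_DEPENDENT = 3

class Nat:
    """Toy NAT: mapping behaviour is configurable; filtering is assumed to be
    address-and-port dependent (only endpoints the host already sent to get in)."""
    def __init__(self, public_ip, mapping):
        self.public_ip, self.mapping = public_ip, mapping
        self.table = {}         # mapping key -> public port
        self.seen = {}          # public port -> set of remote (ip, port) sent to
        self.next_port = 40000  # constructed starting port

    def outbound(self, lan_ip, lan_port, dst_ip, dst_port):
        """Translate an outgoing packet; returns the external (ip, port) it leaves from."""
        key = (lan_ip, lan_port)
        if self.mapping is Mapping.ADDRESS_DEPENDENT:
            key += (dst_ip,)                    # new port per remote address
        elif self.mapping is Mapping.ADDRESS_PORT_DEPENDENT:
            key += (dst_ip, dst_port)           # new port per remote endpoint
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        pub_port = self.table[key]
        self.seen.setdefault(pub_port, set()).add((dst_ip, dst_port))
        return (self.public_ip, pub_port)

    def inbound_allowed(self, src_ip, src_port, pub_port):
        """Does a packet from src to our pub_port pass the filter?"""
        return (src_ip, src_port) in self.seen.get(pub_port, set())

def hole_punch(nat_a, nat_b, s1=("198.51.100.10", 3478)):
    """A and B each contact S1, learn each other's external address from S1 and
    send to it. True only if each side's packet passes the other side's NAT."""
    a_ext = nat_a.outbound("10.0.0.1", 5000, *s1)          # what S1 reports for A
    b_ext = nat_b.outbound("192.168.0.2", 5000, *s1)       # what S1 reports for B
    a_to_b = nat_a.outbound("10.0.0.1", 5000, *b_ext)      # A's actual source toward B
    b_to_a = nat_b.outbound("192.168.0.2", 5000, *a_ext)   # B's actual source toward A
    return (nat_a.inbound_allowed(*b_to_a, a_ext[1])
            and nat_b.inbound_allowed(*a_to_b, b_ext[1]))
```

Under address-dependent mapping the port S1 reported is not the port the host uses toward its peer, so the peer's packets arrive at a port that was never opened toward them.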
UNSAF
Unilateral Self-Address Fixing
Client/Server based
Query server to find my external address
Session Traversal Utilities for NAT (STUN)
A standardized mechanism for realizing the UNSAF concept
TURN (Traversal Using Relays around NAT)
Used as a last resort if two systems are unable to
communicate directly
E.g., due to address or port dependent NAT bindings
It is an extension of STUN
ICE (Interactive Connectivity Establishment)
Generic technique to help applications behind NAT establish connectivity
Uses TURN to obtain candidate transport addresses that each agent may use
ICE orders the list of pairs of addresses and sends it to the peer agent
Peer agent performs a similar task
A set of checks is performed to determine the best pair to use (all pairs may be checked)
Configuring Packet-Filtering Firewalls
EXTIF="ext0"              # external (Internet-facing) interface
INTIF="eth0"              # internal (LAN) interface
LOOPBACK_INTERFACE="lo"   # loopback interface
ALL="0.0.0.0/0"           # matches all addresses
NAT Rules: A Linux Example
EXTIF="ext0"              # external (Internet-facing) interface
echo "Default FORWARD policy: DROP"
iptables -P FORWARD DROP  # forwarded traffic is dropped unless a later rule accepts it