16.4.0 192.168.200.0PROTECTING PUBLIC SERVERS CONNECTED TO THE INT...

Question

172.16.4.0 192.168.200.0Protecting Public Servers Connected to the InternetOur focus now turns to protecting a public server on the Internet. Eventhough the term is “public server,” that doesn’t imply that it has publicaccess. You want to allow access only to particular applications on theserver and ensure that nothing else is susceptible to a hacker.Here we have serial interface 0 on our router connected to the Internet,and Ethernet interface 0 connected to our internal network. We need topermit our internal users to access the Internet for Web browsing, e-mail,and FTP. We also want to know how much FTP traffic is in use. Theinternal users need to be able to ping and trace route to hosts on theInternet for troubleshooting purposes. We have no internal servers, so allservices are provided by the ISP. (Please refer back to Figure 2.10 for anillustration this situation.) Our access list may look as follows:ip inspect alert-offip inspect name protector ftp audit-trail onip inspect name protector smtpTraffic Filtering on the Cisco IOS • Chapter 2 97ip inspect name protector udpip inspect name protector tcpinterface Ethernet 0ip address 172..22.14.1 255.255.255.0ip access-group 111 ininterface serial 0ip address 12.1.1.1 255.255.255.252ip inspect protector outip access-group 112 inip access-list 1 permit 209.12.12.0 0.0.0.255ip access-list 111 permit ip any anyip access-list 112 permit icmp any any echo-replyip access-list 112 permit icmp any any time-exceededip access-list 112 permit icmp any any unreachableHere we have used a context-based access control access list. We wouldlike to know how much FTP traffic is in use so the audit trail was enabled.We also defined the protocols we want to inspect with CBAC. Users will havethe ability to ping and trace routes for troubleshooting purposes.SummaryA standard IP access list filters on source IP addresses only. With extendedaccess lists, we have the capability of filtering on source and destinationaddresses along with specific protocols, source, and destination ports. Whenusing named access lists, we create access lists by name instead of number.Lock-and-key access lists offer our first look at enhanced access-listcapability. Lock-and-key are also known as dynamic access lists thatcreate dynamic entries. Traditional access lists do not offer this capability.Remember that with a traditional access list, the entry remains until youdelete it manually. Dynamic access lists create a temporary, specificopening in an access list after a user is authenticated.Reflexive access lists automatically create and delete temporary accesslist entries that will allow traffic associated with an IP session. This offers astronger control over what traffic is allowed into a network.CBAC can be used with multiple applications and provides a higher levelof security than a traditional access list. Here we create dynamic openings inan inbound access list in response to an outbound data connection. Trafficis permitted from untrusted networks to our internal network only whentraffic is part of a session that was initiated from the internal network.https://traloihay.netFAQsQ: You have created your access list, and there seems to be no effect ontraffic entering or exiting the router. What could be the problem?A: After creating the access list globally on the router, you must rememberto apply the access list to an interface and give a direction, inbound oroutbound. The default direction for access lists is outbound.Q: After applying an access list on your enterprise router, there has been adrastic decrease in throughput. What could be a potential problemhere?A: First, recall how an access list works. An access list utilizes “top-down”processing when testing traffic. Typically on an enterprise router, anaccess list can get quite lengthy. A problem here could be that themajority of your traffic is permitted or denied near the end of theaccess list. When creating an access list, it is important to test themajority of your traffic first.Q: A customer wants you to configure an access list that has an openingonly when a user establishes an outbound Telnet session. What type ofaccess list could apply here?A: A reflexive access list would be a good choice. When using reflexiveaccess lists, an entry is created enabling inbound return traffic.Chapter 3Network AddressTranslation (NAT)Solutions in this chapter:■ NAT and NAPT■ Deploying NAT and NAPT in a Network■ Configuring NAT on Cisco IOS■ Examples■ Considerations on NAT and NAPT99IntroductionIn today’s world of Enterprise networks, one of the major problems facingIT professionals is the rapidly depleting supply of legal network addresses.Measures have been taken to slow the rate at which IP addresses are beingallocated; such measures include Classless Inter-Domain Routing (CIDR),Network Address Translation (NAT), and Network Address Port Translation(NAPT or PAT). This chapter will discuss NAT and NAPT and how they cancontribute to a security policy, implications of NAT, and considerationswhen implementing NAT.NAT is a mechanism that can be used to translate the IP addressesinside IP packets. The mechanism is commonly used today to allow a siteusing private IP addresses to acheive connectivity the Internet. NAT oper-ates on a device, usually connecting two networks together, allowing themto communicate. Typically one network uses RFC1918 IP addresses, whichwill be translated into globally unique IP addresses. Other scenarios inwhich NAT can be utilized will be discussed later in this chapter. NAT by itself is not a security measure, and should not be implementedin such a fashion. A common misconception is that NAT will allow a com-pany to “hide” your internal network. That can be an added security ben-efit, but you should not rely on it as the only security measure. A networkusing private IP address space is not reachable from the Internet becausethe Internet routing tables cannot contain such private IP addresses. Ifrouting between the company and the ISP is not done properly, a route tothe company may be leaked throughout the ISP, possibly exposing thecompany’s network to the public.NAT OverviewIn today’s world of technology, different vendors have implementedNetwork Address Translation in their devices. Because there are so manyvendors, dealing with devices from multiple vendors can be confusing.Terms used in one vendor’s documentation may be used differently inanother vendor’s documentation. This section will introduce and clarifyterms used in Network Address Translation using the document RFC2663“IP Network Address Translator (NAT) Terminology and Considerations” asa reference.Overview of NAT DevicesGenerally, NAT is used when a company’s internal addresses are not glob-ally unique and thus cannot be routed on the Internet (for example, usingRFC1918 private addresses), or because two separate networks that needto communicate are using an overlapping IP address space.Network Address Translation (NAT) • Chapter 3 101NAT allows (in most cases) hosts in a private network (inside network)to transparently communicate with destination hosts (outside network) ina global or public network. This is achieved by modifying the sourceaddress portion of an IP packet as it traverses the NAT device. The NATdevice will keep track of each translation (conversation) between the sourcehost (inside network) and destination host (outside network), and viceversa. This means that NAT is a stateful device.Throughout this chapter and in Cisco documentation, the networks willbe described and referred to as being either an inside network or outsidenetwork. An inside network is the set of networks that are subject to trans-lation; all other networks are considered outside networks.One of the variations of NAT is Network Address Port Translation(NAPT). Cisco documentation refers to NAPT as Port Address Translation(PAT). Both of these terms mean the same thing, which will be discussedlater in this chapter. This solution works only if the application does not rely on an IPaddress in the data portion of the packet for functionality. In these cases,Application Layer Gateways included inside the NAT (discussed later) maybe needed to assist a NAT device.The following is a series of terms and their descriptions used whenreferring to NAT. Keep in mind that different vendors may refer to theseterms in varying contexts.Address RealmAn address realm is a network in which the network addresses (IPaddresses) are uniquely assigned to hosts such that traffic can be routedto them. Routing protocols used within the network are responsible forrouting traffic to the destination network. Often referred to as inside andoutside networks, address realms help define zones that are separated andneed to communicate with each other. For example, a company’s internalnetworks can be considered as one address realm. This realm is under asingle administrative authority, which needs to communicate with net-works outside of its authority. These outside networks, which could be theInternet or another company’s network, are also considered an addressrealm. The definition of realm will vary depending on the context in whichit is used. NATThe basic configuration of NAT operates on a device that connects two net-works together; one of these networks (designated as inside) is addressedwith either private RFC1918 or other addresses that need to be convertedinto legal addresses before packets are forwarded to their destination net-work (designated as outside). NAT is a method by which IP addresses are mapped from one addressrealm to another. This type of translation provides transparent routingfrom host to host. There are many variations of address translation thatassist in translating different applications; however, all NAT implementa-tions on various devices should share the following characteristics:■ Transparent address assignment■ Transparent routing through address translation (routing refers toforwarding packets and not exchanging routing information)■ ICMP error packet data translationTransparent Address AssignmentNAT translates addresses from an inside network to addresses in an out-side network and vice versa. This provides transparent routing for thetraffic traversing between both networks. The translation in some casesmay extend to transport-level identifiers such as TCP/UDP ports. Addresstranslation is done at the start of a session; the following describes twotypes of address assignment:Static Address Assignment Static address assignment is a one-to-oneaddress mapping for hosts between an inside network and an outside net-work for the duration of the NAT session. Static address assignmentensures that the translation table is static and not dynamic. Using staticaddress assignment, your internal host is visible from the outside networksince it is always assigned the same global IP address. This can be usefulfor some applications, but care must also be taken to secure that machine.TIPThink of static address assignment as a static IP address that has beenassigned by an administrator to a host. This IP address will never changeunless administrators do so themselves. Dynamic address assignment canbe compared to a DHCP server, which dynamically assigns IP address (aswell as other information) to hosts. DHCP IP address assignment is basedon a lease time, which can also be compared to the duration of a NATtranslation. Once the lease expires, that IP address may be assigned toanother host. Once a dynamic NAT translation to a global IP address isno longer needed, it can be used to translate another inside host to thatglobal IP address.Network Address Translation (NAT) • Chapter 3 103Dynamic Address Assignment Dynamic address assignment is the pro-cess in which hosts are translated by the NAT device dynamically based onusage requirements. Once a NAT is no longer being used, it is terminated.NAT would then free that translation so the global address could be usedin another translation. Transparent RoutingTransparent routing refers to routing traffic between separate addressrealms (inside network to outside network) by modifying address contentsin the IP header so that they will be valid in the address realm into whichthe traffic is routed. A NAT device is placed at the border between twoaddress realms and translates addresses in IP headers so that when thepacket leaves one realm and enters another, it can be routed properly. Typically there are three phases to address translation:Address Binding Address binding is the phase in which an inside IPaddress is associated with an outside address, or vice versa. This assumesthat dynamic NAT is being used and not static NAT. Address binding isfixed with a pool of static addresses to be assigned. These addresses aredynamically assigned on a per-session basis. For example, whenever ahost on the inside network must reach another host on the outside net-work, it will begin a session with that host. A translation will occur on theNAT device associating a global IP address on the outside network with theIP address of the host on the inside network. Once a session is created, alltraffic originating from the same inside host will use the same translation.The start of each new session will result in the creation of a new transla-tion. A NAT device will support many simultaneous sessions; consult thevendor’s documentation for specific information.Address Lookup and Translation Once a translation is established for asession, all packets belonging to the session will be subject to addresslookup and translation. Address Unbinding Address unbinding is the phase in which an insidehost IP address is no longer associated with a global address. NAT will per-form address unbinding when it believes the last session using an addressbinding has terminated. An example of transparent routing is when a company’s inside networkuses the subnet 192.168.1.0/24, and the outside network uses the subnet

Answer

172.16.4.0 192.168.200.0Protecting Public Servers Connected to the InternetOur focus now turns to protecting a public server on the Internet. Eventhough the term is “public server,” that doesn’t imply that it has publicaccess. You want to allow access only to particular applications on theserver and ensure that nothing else is susceptible to a hacker.Here we have serial interface 0 on our router connected to the Internet,and Ethernet interface 0 connected to our internal network. We need topermit our internal users to access the Internet for Web browsing, e-mail,and FTP. We also want to know how much FTP traffic is in use. Theinternal users need to be able to ping and trace route to hosts on theInternet for troubleshooting purposes. We have no internal servers, so allservices are provided by the ISP. (Please refer back to Figure 2.10 for anillustration this situation.) Our access list may look as follows:ip inspect alert-offip inspect name protector ftp audit-trail onip inspect name protector smtpTraffic Filtering on the Cisco IOS • Chapter 2 97ip inspect name protector udpip inspect name protector tcpinterface Ethernet 0ip address 172..22.14.1 255.255.255.0ip access-group 111 ininterface serial 0ip address 12.1.1.1 255.255.255.252ip inspect protector outip access-group 112 inip access-list 1 permit 209.12.12.0 0.0.0.255ip access-list 111 permit ip any anyip access-list 112 permit icmp any any echo-replyip access-list 112 permit icmp any any time-exceededip access-list 112 permit icmp any any unreachableHere we have used a context-based access control access list. We wouldlike to know how much FTP traffic is in use so the audit trail was enabled.We also defined the protocols we want to inspect with CBAC. Users will havethe ability to ping and trace routes for troubleshooting purposes.SummaryA standard IP access list filters on source IP addresses only. With extendedaccess lists, we have the capability of filtering on source and destinationaddresses along with specific protocols, source, and destination ports. Whenusing named access lists, we create access lists by name instead of number.Lock-and-key access lists offer our first look at enhanced access-listcapability. Lock-and-key are also known as dynamic access lists thatcreate dynamic entries. Traditional access lists do not offer this capability.Remember that with a traditional access list, the entry remains until youdelete it manually. Dynamic access lists create a temporary, specificopening in an access list after a user is authenticated.Reflexive access lists automatically create and delete temporary accesslist entries that will allow traffic associated with an IP session. This offers astronger control over what traffic is allowed into a network.CBAC can be used with multiple applications and provides a higher levelof security than a traditional access list. Here we create dynamic openings inan inbound access list in response to an outbound data connection. Trafficis permitted from untrusted networks to our internal network only whentraffic is part of a session that was initiated from the internal network.https://traloihay.netFAQsQ: You have created your access list, and there seems to be no effect ontraffic entering or exiting the router. What could be the problem?A: After creating the access list globally on the router, you must rememberto apply the access list to an interface and give a direction, inbound oroutbound. The default direction for access lists is outbound.Q: After applying an access list on your enterprise router, there has been adrastic decrease in throughput. What could be a potential problemhere?A: First, recall how an access list works. An access list utilizes “top-down”processing when testing traffic. Typically on an enterprise router, anaccess list can get quite lengthy. A problem here could be that themajority of your traffic is permitted or denied near the end of theaccess list. When creating an access list, it is important to test themajority of your traffic first.Q: A customer wants you to configure an access list that has an openingonly when a user establishes an outbound Telnet session. What type ofaccess list could apply here?A: A reflexive access list would be a good choice. When using reflexiveaccess lists, an entry is created enabling inbound return traffic.Chapter 3Network AddressTranslation (NAT)Solutions in this chapter:■ NAT and NAPT■ Deploying NAT and NAPT in a Network■ Configuring NAT on Cisco IOS■ Examples■ Considerations on NAT and NAPT99IntroductionIn today’s world of Enterprise networks, one of the major problems facingIT professionals is the rapidly depleting supply of legal network addresses.Measures have been taken to slow the rate at which IP addresses are beingallocated; such measures include Classless Inter-Domain Routing (CIDR),Network Address Translation (NAT), and Network Address Port Translation(NAPT or PAT). This chapter will discuss NAT and NAPT and how they cancontribute to a security policy, implications of NAT, and considerationswhen implementing NAT.NAT is a mechanism that can be used to translate the IP addressesinside IP packets. The mechanism is commonly used today to allow a siteusing private IP addresses to acheive connectivity the Internet. NAT oper-ates on a device, usually connecting two networks together, allowing themto communicate. Typically one network uses RFC1918 IP addresses, whichwill be translated into globally unique IP addresses. Other scenarios inwhich NAT can be utilized will be discussed later in this chapter. NAT by itself is not a security measure, and should not be implementedin such a fashion. A common misconception is that NAT will allow a com-pany to “hide” your internal network. That can be an added security ben-efit, but you should not rely on it as the only security measure. A networkusing private IP address space is not reachable from the Internet becausethe Internet routing tables cannot contain such private IP addresses. Ifrouting between the company and the ISP is not done properly, a route tothe company may be leaked throughout the ISP, possibly exposing thecompany’s network to the public.NAT OverviewIn today’s world of technology, different vendors have implementedNetwork Address Translation in their devices. Because there are so manyvendors, dealing with devices from multiple vendors can be confusing.Terms used in one vendor’s documentation may be used differently inanother vendor’s documentation. This section will introduce and clarifyterms used in Network Address Translation using the document RFC2663“IP Network Address Translator (NAT) Terminology and Considerations” asa reference.Overview of NAT DevicesGenerally, NAT is used when a company’s internal addresses are not glob-ally unique and thus cannot be routed on the Internet (for example, usingRFC1918 private addresses), or because two separate networks that needto communicate are using an overlapping IP address space.Network Address Translation (NAT) • Chapter 3 101NAT allows (in most cases) hosts in a private network (inside network)to transparently communicate with destination hosts (outside network) ina global or public network. This is achieved by modifying the sourceaddress portion of an IP packet as it traverses the NAT device. The NATdevice will keep track of each translation (conversation) between the sourcehost (inside network) and destination host (outside network), and viceversa. This means that NAT is a stateful device.Throughout this chapter and in Cisco documentation, the networks willbe described and referred to as being either an inside network or outsidenetwork. An inside network is the set of networks that are subject to trans-lation; all other networks are considered outside networks.One of the variations of NAT is Network Address Port Translation(NAPT). Cisco documentation refers to NAPT as Port Address Translation(PAT). Both of these terms mean the same thing, which will be discussedlater in this chapter. This solution works only if the application does not rely on an IPaddress in the data portion of the packet for functionality. In these cases,Application Layer Gateways included inside the NAT (discussed later) maybe needed to assist a NAT device.The following is a series of terms and their descriptions used whenreferring to NAT. Keep in mind that different vendors may refer to theseterms in varying contexts.Address RealmAn address realm is a network in which the network addresses (IPaddresses) are uniquely assigned to hosts such that traffic can be routedto them. Routing protocols used within the network are responsible forrouting traffic to the destination network. Often referred to as inside andoutside networks, address realms help define zones that are separated andneed to communicate with each other. For example, a company’s internalnetworks can be considered as one address realm. This realm is under asingle administrative authority, which needs to communicate with net-works outside of its authority. These outside networks, which could be theInternet or another company’s network, are also considered an addressrealm. The definition of realm will vary depending on the context in whichit is used. NATThe basic configuration of NAT operates on a device that connects two net-works together; one of these networks (designated as inside) is addressedwith either private RFC1918 or other addresses that need to be convertedinto legal addresses before packets are forwarded to their destination net-work (designated as outside). NAT is a method by which IP addresses are mapped from one addressrealm to another. This type of translation provides transparent routingfrom host to host. There are many variations of address translation thatassist in translating different applications; however, all NAT implementa-tions on various devices should share the following characteristics:■ Transparent address assignment■ Transparent routing through address translation (routing refers toforwarding packets and not exchanging routing information)■ ICMP error packet data translationTransparent Address AssignmentNAT translates addresses from an inside network to addresses in an out-side network and vice versa. This provides transparent routing for thetraffic traversing between both networks. The translation in some casesmay extend to transport-level identifiers such as TCP/UDP ports. Addresstranslation is done at the start of a session; the following describes twotypes of address assignment:Static Address Assignment Static address assignment is a one-to-oneaddress mapping for hosts between an inside network and an outside net-work for the duration of the NAT session. Static address assignmentensures that the translation table is static and not dynamic. Using staticaddress assignment, your internal host is visible from the outside networksince it is always assigned the same global IP address. This can be usefulfor some applications, but care must also be taken to secure that machine.TIPThink of static address assignment as a static IP address that has beenassigned by an administrator to a host. This IP address will never changeunless administrators do so themselves. Dynamic address assignment canbe compared to a DHCP server, which dynamically assigns IP address (aswell as other information) to hosts. DHCP IP address assignment is basedon a lease time, which can also be compared to the duration of a NATtranslation. Once the lease expires, that IP address may be assigned toanother host. Once a dynamic NAT translation to a global IP address isno longer needed, it can be used to translate another inside host to thatglobal IP address.Network Address Translation (NAT) • Chapter 3 103Dynamic Address Assignment Dynamic address assignment is the pro-cess in which hosts are translated by the NAT device dynamically based onusage requirements. Once a NAT is no longer being used, it is terminated.NAT would then free that translation so the global address could be usedin another translation. Transparent RoutingTransparent routing refers to routing traffic between separate addressrealms (inside network to outside network) by modifying address contentsin the IP header so that they will be valid in the address realm into whichthe traffic is routed. A NAT device is placed at the border between twoaddress realms and translates addresses in IP headers so that when thepacket leaves one realm and enters another, it can be routed properly. Typically there are three phases to address translation:Address Binding Address binding is the phase in which an inside IPaddress is associated with an outside address, or vice versa. This assumesthat dynamic NAT is being used and not static NAT. Address binding isfixed with a pool of static addresses to be assigned. These addresses aredynamically assigned on a per-session basis. For example, whenever ahost on the inside network must reach another host on the outside net-work, it will begin a session with that host. A translation will occur on theNAT device associating a global IP address on the outside network with theIP address of the host on the inside network. Once a session is created, alltraffic originating from the same inside host will use the same translation.The start of each new session will result in the creation of a new transla-tion. A NAT device will support many simultaneous sessions; consult thevendor’s documentation for specific information.Address Lookup and Translation Once a translation is established for asession, all packets belonging to the session will be subject to addresslookup and translation. Address Unbinding Address unbinding is the phase in which an insidehost IP address is no longer associated with a global address. NAT will per-form address unbinding when it believes the last session using an addressbinding has terminated. An example of transparent routing is when a company’s inside networkuses the subnet 192.168.1.0/24, and the outside network uses the subnet