Protecting Public Servers
Connected to the Internet
Our focus now turns to protecting a public server on the Internet. Even
though the term is “public server,” that doesn’t imply that it has public
access. You want to allow access only to particular applications on the
server and ensure that nothing else is susceptible to a hacker.
Here we have serial interface 0 on our router connected to the Internet,
and Ethernet interface 0 connected to our internal network. We need to
permit our internal users to access the Internet for Web browsing, e-mail,
and FTP. We also want to know how much FTP traffic is in use. The
internal users need to be able to ping and trace route to hosts on the
Internet for troubleshooting purposes. We have no internal servers, so all
services are provided by the ISP. (Please refer back to Figure 2.10 for an
illustration of this situation.) Our access list may look as follows:
ip inspect alert-off
ip inspect name protector ftp audit-trail on
ip inspect name protector smtp
ip inspect name protector udp
ip inspect name protector tcp
!
interface Ethernet 0
ip address 172.22.14.1 255.255.255.0
ip access-group 111 in
!
interface serial 0
ip address 12.1.1.1 255.255.255.252
ip inspect protector out
ip access-group 112 in
!
! standard list 1 is defined but not applied to an interface in this example
access-list 1 permit 209.12.12.0 0.0.0.255
access-list 111 permit ip any any
access-list 112 permit icmp any any echo-reply
access-list 112 permit icmp any any time-exceeded
access-list 112 permit icmp any any unreachable
Here we have used a context-based access control access list. We would
like to know how much FTP traffic is in use, so the audit trail was enabled.
We also defined the protocols we want to inspect with CBAC. Users will have
the ability to ping and trace routes for troubleshooting purposes.
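To make the behaviour of the configuration above concrete, here is an added model (not the book's code) of CBAC stateful inspection sitting in front of the inbound access list 112: the static entries admit only the ICMP replies that ping and traceroute need, while outbound inspected sessions create the temporary inbound openings. The packet fields, the session key and the sample addresses (172.22.14.10 inside, 209.12.12.5 outside) are assumptions for the example; the ftp and smtp application-level inspection on the page is not modelled beyond the generic tcp/udp case.

```python
"""Model of CBAC in front of the page's inbound access list 112.
Constructed example, not the book's code: the dynamic entries stand in
for what 'ip inspect protector out' on serial 0 creates when an inside
host opens an inspected session to the Internet."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""   # only meaningful when proto == "icmp"


# Static entries of access list 112, evaluated top-down with first match
# winning and the implicit deny at the end, as IOS does it.
STATIC_ACL_112 = [
    ("permit", "icmp", "echo-reply"),
    ("permit", "icmp", "time-exceeded"),
    ("permit", "icmp", "unreachable"),
]


class CbacFilter:
    def __init__(self, inspected=("tcp", "udp")):
        self.inspected = set(inspected)
        self.sessions = set()  # (proto, inside, inside_port, outside, outside_port)

    def outbound(self, pkt):
        """Inside -> Internet. Access list 111 is 'permit ip any any', so
        everything passes; inspected protocols also record a session."""
        if pkt.proto in self.inspected:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "permit"

    def inbound(self, pkt):
        """Internet -> inside. The dynamic opening for an existing session is
        consulted first; otherwise only the static ICMP entries can permit."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions:
            return "permit"
        for action, proto, itype in STATIC_ACL_112:
            if pkt.proto == proto and pkt.icmp_type == itype:
                return action
        return "deny"  # implicit deny: unsolicited inbound traffic is dropped

    def session_closed(self, pkt):
        """Remove the temporary opening once the inspected session ends."""
        self.sessions.discard((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
```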
Summary
A standard IP access list filters on source IP addresses only. With extended
access lists, we have the capability of filtering on source and destination
addresses along with specific protocols, source, and destination ports. When
using named access lists, we create access lists by name instead of number.
Lock-and-key access lists offer our first look at enhanced access-list
capability. Lock-and-key access lists, also known as dynamic access lists,
create dynamic entries. Traditional access lists do not offer this capability.
Remember that with a traditional access list, the entry remains until you
delete it manually. Dynamic access lists create a temporary, specific
opening in an access list after a user is authenticated.
Reflexive access lists automatically create and delete temporary access
list entries that will allow traffic associated with an IP session. This offers a
stronger control over what traffic is allowed into a network.
CBAC can be used with multiple applications and provides a higher level
of security than a traditional access list. Here we create dynamic openings in
an inbound access list in response to an outbound data connection. Traffic
is permitted from untrusted networks to our internal network only when
traffic is part of a session that was initiated from the internal network.
FAQs
Q: You have created your access list, and there seems to be no effect on
traffic entering or exiting the router. What could be the problem?
A: After creating the access list globally on the router, you must remember
to apply the access list to an interface and give a direction, inbound or
outbound. The default direction for access lists is outbound.
Q: After applying an access list on your enterprise router, there has been a
drastic decrease in throughput. What could be a potential problem
here?
A: First, recall how an access list works. An access list utilizes “top-down”
processing when testing traffic. Typically on an enterprise router, an
access list can get quite lengthy. A problem here could be that the
majority of your traffic is permitted or denied near the end of the
access list. When creating an access list, it is important to test the
majority of your traffic first.
Q: A customer wants you to configure an access list that has an opening
only when a user establishes an outbound Telnet session. What type of
access list could apply here?
A: A reflexive access list would be a good choice. When using reflexive
access lists, an entry is created enabling inbound return traffic.
Chapter 3
Network Address
Translation (NAT)
Solutions in this chapter:
■ NAT and NAPT
■ Deploying NAT and NAPT in a Network
■ Configuring NAT on Cisco IOS
■ Examples
■ Considerations on NAT and NAPT
Introduction
In today’s world of Enterprise networks, one of the major problems facing
IT professionals is the rapidly depleting supply of legal network addresses.
Measures have been taken to slow the rate at which IP addresses are being
allocated; such measures include Classless Inter-Domain Routing (CIDR),
Network Address Translation (NAT), and Network Address Port Translation
(NAPT or PAT). This chapter will discuss NAT and NAPT and how they can
contribute to a security policy, implications of NAT, and considerations
when implementing NAT.
NAT is a mechanism that can be used to translate the IP addresses
inside IP packets. The mechanism is commonly used today to allow a site
using private IP addresses to achieve connectivity to the Internet. NAT oper-
ates on a device, usually connecting two networks together, allowing them
to communicate. Typically one network uses RFC1918 IP addresses, which
will be translated into globally unique IP addresses. Other scenarios in
which NAT can be utilized will be discussed later in this chapter.
NAT by itself is not a security measure, and should not be implemented
in such a fashion. A common misconception is that NAT will allow a com-
pany to “hide” its internal network. That can be an added security ben-
efit, but you should not rely on it as the only security measure. A network
using private IP address space is not reachable from the Internet because
the Internet routing tables cannot contain such private IP addresses. If
routing between the company and the ISP is not done properly, a route to
the company may be leaked throughout the ISP, possibly exposing the
company’s network to the public.
NAT Overview
In today’s world of technology, different vendors have implemented
Network Address Translation in their devices. Because there are so many
vendors, dealing with devices from multiple vendors can be confusing.
Terms used in one vendor’s documentation may be used differently in
another vendor’s documentation. This section will introduce and clarify
terms used in Network Address Translation using the document RFC2663
“IP Network Address Translator (NAT) Terminology and Considerations” as
a reference.
Overview of NAT Devices
Generally, NAT is used when a company’s internal addresses are not glob-
ally unique and thus cannot be routed on the Internet (for example, using
RFC1918 private addresses), or because two separate networks that need
to communicate are using an overlapping IP address space.
NAT allows (in most cases) hosts in a private network (inside network)
to transparently communicate with destination hosts (outside network) in
a global or public network. This is achieved by modifying the source
address portion of an IP packet as it traverses the NAT device. The NAT
device will keep track of each translation (conversation) between the source
host (inside network) and destination host (outside network), and vice
versa. This means that NAT is a stateful device.
Throughout this chapter and in Cisco documentation, the networks will
be described and referred to as being either an inside network or outside
network. An inside network is the set of networks that are subject to trans-
lation; all other networks are considered outside networks.
One of the variations of NAT is Network Address Port Translation
(NAPT). Cisco documentation refers to NAPT as Port Address Translation
(PAT). Both of these terms mean the same thing, which will be discussed
later in this chapter.
This solution works only if the application does not rely on an IP
address in the data portion of the packet for functionality. Where an
application does carry addresses in its payload, Application Layer Gateways
included inside the NAT (discussed later) may be needed to assist the NAT
device.
The following is a series of terms and their descriptions used when
referring to NAT. Keep in mind that different vendors may refer to these
terms in varying contexts.
Address Realm
An address realm is a network in which the network addresses (IP
addresses) are uniquely assigned to hosts such that traffic can be routed
to them. Routing protocols used within the network are responsible for
routing traffic to the destination network. Often referred to as inside and
outside networks, address realms help define zones that are separated and
need to communicate with each other. For example, a company’s internal
networks can be considered as one address realm. This realm is under a
single administrative authority, which needs to communicate with net-
works outside of its authority. These outside networks, which could be the
Internet or another company’s network, are also considered an address
realm. The definition of realm will vary depending on the context in which
it is used.
NAT
The basic configuration of NAT operates on a device that connects two net-
works together; one of these networks (designated as inside) is addressed
with either private RFC1918 or other addresses that need to be converted
into legal addresses before packets are forwarded to their destination net-
work (designated as outside).
NAT is a method by which IP addresses are mapped from one address
realm to another. This type of translation provides transparent routing
from host to host. There are many variations of address translation that
assist in translating different applications; however, all NAT implementa-
tions on various devices should share the following characteristics:
■ Transparent address assignment
■ Transparent routing through address translation (routing refers to
forwarding packets and not exchanging routing information)
■ ICMP error packet data translation
Transparent Address Assignment
NAT translates addresses from an inside network to addresses in an out-
side network and vice versa. This provides transparent routing for the
traffic traversing between both networks. The translation in some cases
may extend to transport-level identifiers such as TCP/UDP ports. Address
translation is done at the start of a session; the following describes two
types of address assignment:
Static Address Assignment
Static address assignment is a one-to-one
address mapping for hosts between an inside network and an outside net-
work for the duration of the NAT session. Static address assignment
ensures that the translation table is static and not dynamic. Using static
address assignment, your internal host is visible from the outside network
since it is always assigned the same global IP address. This can be useful
for some applications, but care must also be taken to secure that machine.
TIP
Think of static address assignment as a static IP address that has been
assigned by an administrator to a host. This IP address will never change
unless administrators do so themselves. Dynamic address assignment can
be compared to a DHCP server, which dynamically assigns IP address (as
well as other information) to hosts. DHCP IP address assignment is based
on a lease time, which can also be compared to the duration of a NAT
translation. Once the lease expires, that IP address may be assigned to
another host. Once a dynamic NAT translation to a global IP address is
no longer needed, it can be used to translate another inside host to that
global IP address.
Dynamic Address Assignment
Dynamic address assignment is the process in which hosts are translated
by the NAT device dynamically based on usage requirements. Once a NAT
translation is no longer being used, it is terminated.
NAT would then free that translation so the global address could be used
in another translation.
Transparent Routing
Transparent routing refers to routing traffic between separate address
realms (inside network to outside network) by modifying address contents
in the IP header so that they will be valid in the address realm into which
the traffic is routed. A NAT device is placed at the border between two
address realms and translates addresses in IP headers so that when the
packet leaves one realm and enters another, it can be routed properly.
Typically there are three phases to address translation:
Address Binding
Address binding is the phase in which an inside IP address is associated
with an outside address, or vice versa. This assumes that dynamic NAT is
being used and not static NAT. Address binding draws from a fixed pool of
global addresses, which are dynamically assigned on a per-session basis.
For example, whenever a
host on the inside network must reach another host on the outside net-
work, it will begin a session with that host. A translation will occur on the
NAT device associating a global IP address on the outside network with the
IP address of the host on the inside network. Once a session is created, all
traffic originating from the same inside host will use the same translation.
The start of each new session will result in the creation of a new transla-
tion. A NAT device will support many simultaneous sessions; consult the
vendor’s documentation for specific information.
Address Lookup and Translation
Once a translation is established for a
session, all packets belonging to the session will be subject to address
lookup and translation.
Address Unbinding
Address unbinding is the phase in which an inside
host IP address is no longer associated with a global address. NAT will per-
form address unbinding when it believes the last session using an address
binding has terminated.
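The three phases above, worked through as an added model of a dynamic NAT device (not the book's or Cisco's code). The inside realm is the page's 192.168.1.0/24; the two-address global pool (203.0.113.1 and .2) and the outside host 198.51.100.7 are constructed for the example so that pool exhaustion and reuse after unbinding can be shown.

```python
"""Dynamic NAT modelled on the three phases: address binding, address
lookup and translation, address unbinding. Constructed example, not the
book's code; the global pool and outside host addresses are made up."""


class DynamicNat:
    def __init__(self, pool):
        self.free = list(pool)   # global addresses not currently bound
        self.bindings = {}       # inside address -> global address
        self.reverse = {}        # global address -> inside address
        self.sessions = {}       # inside address -> set of (sport, dst, dport)

    def outbound(self, src, sport, dst, dport):
        """Inside -> outside packet. Returns the translated 4-tuple, or None
        when no global address is free (the packet is dropped)."""
        if src not in self.bindings:            # phase 1: address binding
            if not self.free:
                return None                     # pool exhausted
            glob = self.free.pop(0)
            self.bindings[src] = glob
            self.reverse[glob] = src
            self.sessions[src] = set()
        self.sessions[src].add((sport, dst, dport))
        return (self.bindings[src], sport, dst, dport)  # phase 2: translate

    def inbound(self, src, sport, dst, dport):
        """Outside -> inside packet. Only traffic belonging to a session the
        inside host started is translated back; anything else is dropped."""
        inside = self.reverse.get(dst)
        if inside is None or (dport, src, sport) not in self.sessions[inside]:
            return None
        return (src, sport, inside, dport)

    def session_end(self, src, sport, dst, dport):
        """Phase 3: forget the session; unbind once the last session using
        the binding is gone, returning the global address to the pool."""
        self.sessions.get(src, set()).discard((sport, dst, dport))
        if src in self.bindings and not self.sessions[src]:
            glob = self.bindings.pop(src)
            del self.reverse[glob]
            del self.sessions[src]
            self.free.append(glob)
```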
An example of transparent routing is when a company’s inside network
uses the subnet 192.168.1.0/24, and the outside network uses the subnet