Practical skills using IPSec to arm NAT services

Source: Internet
Author: User

NAT allows external users to reach internal application servers through port mapping or address mapping, and it can also hide internal computers to improve their security. Whichever function is used, the NAT server relies on the IP address and port information in the packet header: when packets travel from the enterprise intranet through the NAT server to the Internet, the NAT server rewrites the packet header, replacing the intranet IP address with the public IP address of the NAT server.

However, if the network administrator also wants to use IPSec to strengthen the security of the NAT deployment, problems can arise, because IPSec verifies the packet header information. If the header has been modified, IPSec treats the packet as tampered with and discards it. In other words, IPSec does not allow the packet header to be changed in transit.

I. Problems that may occur when using IPSec to arm the NAT service

IPSec mainly uses two security measures: AH (transport mode) and ESP (tunnel mode). In transport mode, the transmitted data is signed. The signature is used to confirm that the received data has not been tampered with, so the receiver can confirm that the data really came from the computer that requested the communication; this prevents spoofing attacks and illegal modification of data in transit. Like transport mode, tunnel mode also signs the data to be transmitted, but it differs in one important respect: tunnel mode encrypts the data, while transport mode does not. Whichever method is used, IPSec does not allow the packet header to be changed in transit.

For example, in transport mode IPSec signs the entire packet, so any change to the packet in transit invalidates its signature. If the NAT server changes the IP address or port information in the packet, the IPSec peer judges the packet to have been tampered with and discards it as invalid.

In ESP transport or tunnel mode, the original IP header (transport mode) or the new outer IP header (tunnel mode) is left in the clear: it is neither signed nor encrypted by IPSec. The port information inside the packet, however, is encrypted, so the NAT server cannot read it. The NAT server can therefore change the client IP address (transport mode) or the IP address of the tunnel endpoint (tunnel mode), but it cannot change the port information that IPSec has encrypted. In this case the NAT server becomes useless.
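The two failure modes described in the preceding two paragraphs, as an added illustration that is not part of the original article: a simplified AH-style integrity check (HMAC over the IPv4 header with mutable fields zeroed, plus the payload) that a NAT address rewrite invalidates, and a port-translating NAT's view of a TCP packet versus an ESP packet whose transport header is ciphertext. The key, addresses and payload bytes are constructed sample values.

```python
import hmac
import hashlib
import socket
import struct

# Constructed demo values; the ICV construction is a simplification of AH (RFC 4302),
# not the exact on-the-wire format.

def ipv4_header(src, dst, proto, ttl=64, total_len=60):
    """Build a minimal 20-byte IPv4 header (checksum left at zero for the demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def ah_icv(key, ip_hdr, payload):
    """ICV over the header with mutable fields (TTL, checksum) zeroed, plus the payload.
    Source and destination addresses are immutable fields and so are covered."""
    covered = bytearray(ip_hdr)
    covered[8] = 0                 # TTL changes at every hop, so AH excludes it
    covered[10:12] = b"\x00\x00"   # header checksum is recomputed at every hop
    return hmac.new(key, bytes(covered) + payload, hashlib.sha256).digest()[:12]

def ah_verify(key, ip_hdr, payload, icv):
    return hmac.compare_digest(ah_icv(key, ip_hdr, payload), icv)

def nat_rewrite_source(ip_hdr, new_src):
    """What a NAT does: replace the private source address with its public one."""
    return ip_hdr[:12] + socket.inet_aton(new_src) + ip_hdr[16:]

def napt_visible_ports(ip_hdr, payload):
    """What a port-translating NAT can read: for TCP (protocol 6) the ports are the
    first 4 payload bytes; for ESP (protocol 50) the payload starts with SPI and
    sequence number and the transport header behind them is ciphertext, so there
    are no readable ports to rewrite."""
    if ip_hdr[9] == 6:
        return struct.unpack("!HH", payload[:4])
    return None

def demo_ah_through_nat(key=b"constructed-demo-key"):
    hdr = ipv4_header("192.168.1.10", "203.0.113.5", proto=51)   # 51 = AH
    payload = struct.pack("!HH", 40000, 443) + b"rest of TCP segment"
    icv = ah_icv(key, hdr, payload)
    ok_direct = ah_verify(key, hdr, payload, icv)                 # no NAT: valid
    nat_hdr = nat_rewrite_source(hdr, "198.51.100.1")             # after NAT: rejected
    ok_after_nat = ah_verify(key, nat_hdr, payload, icv)
    return ok_direct, ok_after_nat

if __name__ == "__main__":
    print(demo_ah_through_nat())   # (True, False)
```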

Network devices between the communicating computers, such as routers or switches, forward the encrypted packets to their destination. However, if the transmission path contains a firewall, a security router, or a proxy server, these may not forward packets protected by IPSec, and you must configure them to allow IPSec packets through. If the IPSec packets are not encrypted (in AH mode they are only signed, not encrypted), the firewall or security router can still inspect the ports and other contents of the packets. If the contents of these packets are modified after they are sent, the receiving computer will detect the change and discard the packets.

