C# P2P and NAT Technologies (Part One)

Source: Internet
Author: User
Tags: dedicated ip

As Internet use continues to grow exponentially, handing out scarce globally routable addresses to private networks has come to be seen as a waste of valuable address space. The Network Address Translation (NAT) standard therefore sets aside some IP addresses for repeated use inside private networks. This article explains in detail how to apply Network Address Translation (NAT) correctly.

I. Definition of NAT Technology

NAT stands for Network Address Translation, an IETF standard that lets an organization appear on the Internet under a single address. NAT translates the address of each LAN node into that one IP address and back again. It can also be used as part of a firewall to hide individual IP addresses from outside discovery, so that external networks cannot reach internal devices directly. At the same time it helps a network get past address limits and lets public and private IP addresses be planned sensibly.

II. Basic Principles and Types of NAT Technology

1. Basic principles of NAT technology

NAT helps solve the shortage of IP addresses, and by separating the internal and external networks it also provides a degree of security. The approach is to use internal addresses inside the private network and have NAT translate them into valid Internet addresses; concretely, the address field in each IP packet is replaced with a valid IP address. NAT is usually built into routers, firewalls, ISDN routers, or standalone NAT devices. The NAT device keeps a state table that maps the private (unregistered) IP addresses to valid ones. Every packet is translated to the correct IP address in the NAT device and passed on, which places some load on the processor; for an ordinary network, however, that load is negligible.

2. Types of NAT technology

There are three types of NAT: static NAT, dynamic address NAT, and network address port translation (NAPT). Static NAT is the simplest and easiest to implement: each host in the internal network is permanently mapped to a valid address in the external network. Dynamic address NAT defines a pool of valid external addresses and assigns them to internal hosts on demand. NAPT maps internal addresses to different ports of a single IP address on the external network. Each of the three approaches has its own advantages and disadvantages depending on the requirements.

Dynamic address NAT only translates IP addresses. It assigns a temporary external IP address to each internal IP address and is used mainly for dial-up. Dynamic NAT can also be used for frequent remote connections: when a remote user connects, dynamic address NAT assigns the user an IP address, and when the user disconnects the address is released for later use.

Network address port translation (NAPT) is the most familiar form of translation and is widely used in access devices. It can hide a small or medium-sized network behind a single valid IP address. Unlike dynamic address NAT, NAPT maps internal connections to one IP address on the external network and distinguishes them by a TCP port number chosen by the NAT device.

When NAPT is used on the Internet, all the different TCP and UDP flows appear to come from the same IP address. This is very practical in a small office: with one IP address obtained from the ISP, many connections reach the Internet through NAPT. In fact, many SOHO remote access devices support dynamic IP addresses over PPP, so the ISP does not even need to support NAPT for multiple internal IP addresses to share the Internet through one external address. Although this causes some congestion on the link, the reduced ISP access cost and ease of management make NAPT worthwhile.
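To make the state table described above concrete, here is a small NAPT simulation. It is an added example, not code from the original article or from any product: one public address is shared by several inside hosts, each outbound flow is given its own public port, replies are translated back by looking that port up, and an inbound packet with no table entry cannot be delivered anywhere. All addresses are constructed from the documentation ranges (10.0.0.0/8, 198.51.100.0/24, 203.0.113.0/24).

```python
"""Toy NAPT gateway: translation table keyed by (protocol, inside address, inside port)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


InsideKey = Tuple[str, str, int]   # (proto, inside_ip, inside_port)
OutsideKey = Tuple[str, int]       # (proto, public_port)


class Napt:
    """Every inside host appears on the Internet as public_ip; flows differ only by port."""

    def __init__(self, public_ip: str, first_port: int = 40000, last_port: int = 49999):
        self.public_ip = public_ip
        self._first_port = first_port
        self._last_port = last_port
        self.outbound: Dict[InsideKey, int] = {}        # inside flow -> public port
        self.inbound: Dict[OutsideKey, InsideKey] = {}  # public port -> inside flow

    def _allocate_port(self, proto: str) -> int:
        # Lowest free port of the pool; a real device would also age entries out.
        for port in range(self._first_port, self._last_port + 1):
            if (proto, port) not in self.inbound:
                return port
        raise RuntimeError("NAPT port pool exhausted")

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Private -> Internet: rewrite the source to (public_ip, allocated port)."""
        key: InsideKey = (pkt.proto, pkt.src_ip, pkt.src_port)
        port = self.outbound.get(key)
        if port is None:                       # first packet of this flow: record it
            port = self._allocate_port(pkt.proto)
            self.outbound[key] = port
            self.inbound[(pkt.proto, port)] = key
        return Packet(pkt.proto, self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> private: reverse lookup on the destination port; None if unknown."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = self.inbound.get((pkt.proto, pkt.dst_port))
        if key is None:
            return None                        # nothing inside asked for this packet
        proto, inside_ip, inside_port = key
        return Packet(proto, pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def demo():
    """Two inside hosts using the same local port reach one web server through one address."""
    nat = Napt("203.0.113.7")                                       # constructed public address
    a = Packet("tcp", "10.0.0.11", 51234, "198.51.100.20", 80)
    b = Packet("tcp", "10.0.0.12", 51234, "198.51.100.20", 80)      # same local port as a
    out_a = nat.translate_outbound(a)
    out_b = nat.translate_outbound(b)
    reply_a = Packet("tcp", "198.51.100.20", 80, nat.public_ip, out_a.src_port)
    back_a = nat.translate_inbound(reply_a)
    stray = Packet("tcp", "198.51.100.20", 80, nat.public_ip, 40999)   # no mapping
    return out_a, out_b, back_a, nat.translate_inbound(stray)


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Both outbound packets leave with source 203.0.113.7, differing only in port (40000 and 40001), which is exactly why a remote observer sees a single host. The stray reply returns None: without a state entry the gateway has no inside address to deliver to, which is the "isolation" the text credits NAT with.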

3. Use NAT technology on the Internet

NAT lets every machine on your local network reach the Internet through a single server line, and you only need to register one IP address for that server. Before NAT, you had to install sockd on the server, and every client had to support sockd in order to connect through it. The biggest problem with that approach is that only Telnet, FTP and web browsers support sockd, other programs cannot be used, and sockd is slow. With NAT, by contrast, the client needs no changes at all: you only set its gateway to the server, and every program (Kali, Kahn and so on) works. The simplest NAT device has two network connections, one to the Internet and one to the private network. Hosts on the private network use private IP addresses (sometimes called "network 10" addresses, because the range starts at 10.0.0.0) and send their packets to the NAT device to reach the Internet. Unlike an ordinary router, the NAT device actually modifies the packet header, replacing the private source address with its own Internet address; an ordinary router only reads the source and destination addresses before forwarding the packet.

IV. Security Policies for Applying NAT Technology

1. Security issues of applying NAT technology

With NAT in use, hosts on the Internet appear to talk directly to the NAT device rather than to the real host on the private network. An incoming packet is addressed to the NAT device's IP address, and the NAT device rewrites the destination address in the header from its own Internet address to the private address of the real destination host. In theory, a single globally unique IP address can thus serve hundreds, thousands or even millions of hosts with private addresses. In practice this has defects. Many Internet protocols and applications depend on true end-to-end networking, in which packets travel from source to destination unmodified. For example, the IP Security Architecture cannot be used across a NAT device, because the original header, including the original source address, is covered by a digital signature; once the source address is changed, the signature no longer verifies. NAT also brings management challenges. It is a good solution for an organization, branch office or department that lacks enough unique Internet addresses, but when a restructuring, merger or acquisition requires two or more private networks to be joined, it becomes a serious problem. Even with a stable organization, NAT cannot be nested in multiple layers without creating a routing nightmare.
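The IPsec point above can be shown in a few lines. This is an added example, not from the original article: the integrity check that IPsec AH places over the immutable header fields is modelled here as an HMAC over (source, destination, protocol, payload), and a NAT rewrite of the source address is applied between signing and verification. The key and addresses are constructed for the demonstration.

```python
"""Why an AH-style integrity check fails after NAT rewrites the source address."""
import hashlib
import hmac
import socket
import struct
from typing import Tuple

# (src_ip, dst_ip, ip_protocol_number, payload)
Packet = Tuple[str, str, int, bytes]


def covered_fields(pkt: Packet) -> bytes:
    """Serialize the fields the integrity check covers, as AH does for immutable header fields."""
    src_ip, dst_ip, proto, payload = pkt
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!B", proto) + payload


def integrity_tag(key: bytes, pkt: Packet) -> bytes:
    """HMAC-SHA256 over the covered fields (a stand-in for the AH ICV)."""
    return hmac.new(key, covered_fields(pkt), hashlib.sha256).digest()


def verify(key: bytes, pkt: Packet, tag: bytes) -> bool:
    """Constant-time comparison of the recomputed tag with the received one."""
    return hmac.compare_digest(integrity_tag(key, pkt), tag)


def nat_rewrite_source(pkt: Packet, public_ip: str) -> Packet:
    """What a NAT device does on the way out: replace the private source address."""
    _, dst_ip, proto, payload = pkt
    return (public_ip, dst_ip, proto, payload)


def demo() -> Tuple[bool, bool]:
    """Returns (verifies without NAT, verifies after NAT)."""
    key = b"constructed-demo-key"                        # shared between the two IPsec peers
    pkt: Packet = ("10.0.0.11", "198.51.100.20", 6, b"GET / HTTP/1.0\r\n")
    tag = integrity_tag(key, pkt)                        # computed by the sender
    nated = nat_rewrite_source(pkt, "203.0.113.7")       # constructed NAT public address
    return verify(key, pkt, tag), verify(key, nated, tag)


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The receiver cannot tell a NAT rewrite from tampering: both change bytes the tag covers. This is why the text says the NAT device must sit on the protected side of an IPsec VPN, so that packets are translated before the integrity check is computed rather than after.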

2. Applying NAT security policies

When we change the IP addresses used on a network, we must carefully consider the effect on the security mechanisms already in place. A firewall, for example, decides whether to pass a packet based on the TCP port number, destination address, source address and other information in the IP header. Because NAT changes the source or destination address, the firewall's filtering rules may have to change depending on where the NAT device sits. If the NAT device, such as an internal router, is placed on the protected side of the firewall, every security rule that controls traffic behind the NAT device has to be changed. In many networks the NAT function is implemented on the firewall itself, so that the firewall controls both network access and address translation. Do not place the NAT device outside the firewall unless you can strictly limit which connections may be translated: any attacker who can make NAT mistake his connection request for an allowed one can then access your network as an authorized user. If an enterprise is at the forefront of network technology and is using the IP Security protocol (IPsec) to build a virtual private network (VPN), placing the NAT device incorrectly will ruin the plan. As a rule, the NAT device should be on the protected side of the VPN, because NAT must modify the address field of the IP header, and under IPsec that field cannot be changed; this is what lets you know exactly which workstation an original message came from. If the IP address is changed, the IPsec security mechanism becomes invalid, since the source address, let alone the packet contents, could have been altered. Given this, a system applying NAT should adopt the following policies:

① Network Address Translation Module

The NAT module is the core of the system and the only module that touches the network layer. It should therefore be tightly integrated with the network-layer processing of the UNIX system, or modify it directly. The module can be further divided into a packet exchange sub-module, a packet header replacement sub-module, a rule processing sub-module, a connection record sub-module, a real address allocation sub-module, and a transport-layer filter sub-module.

② Centralized access control module

The centralized access control module is further divided into a request authentication sub-module and a connection relay sub-module. The request authentication sub-module exchanges identity authentication information with the authentication and access control system over a trusted security mechanism in order to identify legitimate users; the form of the subsequent connection is then determined by the permissions granted to the user in advance. The connection relay sub-module establishes the final, non-relayed connection channel for the user and, where needed, passes the authenticated user identity to the internal server to complete the authentication required by the service protocol in question.

③ Temporary access port table

To tell apart which service a packet belongs to, and to prevent connections initiated by internal hosts from being exploited by unauthorized parties, the gateway records the temporary port, protocol type and internal host address used by each internal host in a temporary port usage table. Since the gateway cannot know in advance which temporary ports an internal host will use, this table is generated dynamically from the packets the gateway receives. For inbound packets, the firewall only passes those permitted by the access control table or matching a registration in the temporary port usage table.
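The inbound decision in the paragraph above, as an added example that is not from the original article or any product: a static access control table lists the services that may always be reached from outside, while the temporary port usage table is filled in from outbound packets and aged out after a fixed time. The time source is passed in explicitly so the behaviour is deterministic; addresses and the 30-second lifetime are constructed assumptions.

```python
"""Gateway inbound filter: static ACL plus a dynamically built temporary port table."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

FlowKey = Tuple[str, str, int]   # (proto, internal_ip, internal_port)


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Gateway:
    def __init__(self, acl: Set[FlowKey], lifetime: float = 30.0):
        self.acl = acl                       # access control table: always reachable
        self.temp: Dict[FlowKey, float] = {}  # temporary port usage table -> expiry time
        self.lifetime = lifetime

    def note_outbound(self, pkt: Packet, now: float) -> None:
        """Register (proto, internal host, temporary port) when an internal host sends a packet."""
        self.temp[(pkt.proto, pkt.src_ip, pkt.src_port)] = now + self.lifetime

    def _prune(self, now: float) -> None:
        # Drop registrations whose lifetime has passed so stale ports cannot be reused from outside.
        for key in [k for k, expiry in self.temp.items() if expiry < now]:
            del self.temp[key]

    def allow_inbound(self, pkt: Packet, now: float) -> bool:
        """Pass only packets the ACL permits or that answer a registered temporary port."""
        self._prune(now)
        key: FlowKey = (pkt.proto, pkt.dst_ip, pkt.dst_port)
        if key in self.acl:
            return True
        if key in self.temp:
            self.temp[key] = now + self.lifetime   # traffic on the flow keeps it alive
            return True
        return False


def demo() -> Tuple[bool, bool, bool, bool]:
    """Returns (reply in time, unsolicited to same host, reply after expiry, ACL-permitted service)."""
    web_server: FlowKey = ("tcp", "10.0.0.5", 80)                 # constructed published service
    gw = Gateway(acl={web_server})
    gw.note_outbound(Packet("udp", "10.0.0.11", 5353, "198.51.100.20", 53), now=0.0)
    reply = Packet("udp", "198.51.100.20", 53, "10.0.0.11", 5353)
    probe = Packet("tcp", "198.51.100.20", 4444, "10.0.0.11", 22)  # nothing registered for it
    visitor = Packet("tcp", "198.51.100.77", 50000, "10.0.0.5", 80)
    return (
        gw.allow_inbound(reply, now=5.0),
        gw.allow_inbound(probe, now=5.0),
        gw.allow_inbound(reply, now=100.0),
        gw.allow_inbound(visitor, now=100.0),
    )


if __name__ == "__main__":
    print(demo())   # (True, False, False, True)
```

The table is keyed on protocol as well as host and port, so a UDP registration does not open the same TCP port, and every hit refreshes the expiry so that a long-lived flow is not cut off while it is still active.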

④ Authentication and Access Control System

The authentication and access control system consists of a user authentication module and an access control module, which handle user identity authentication and security policy respectively. The user authentication module uses the challenge/response mechanism of one-time password authentication for both remote and local user authentication, protecting legitimate access and keeping illegitimate users out; it offers both Telnet and web interfaces to suit users in different system environments. The access control module follows a discretionary access control (DAC) policy implemented with ACLs, deciding whether to grant a user access on the basis of user (group), address (group), service type, service time and other access control factors.

⑤ Network Security Monitoring System

Running as a monitoring process on the system, the monitoring and intrusion detection system receives all information entering the system, analyzes and classifies the packets, and raises timely alarms for possible intrusions. If it finds illegitimate access by legitimate users, or access by illegitimate users, it immediately cuts the connection and begins tracking and investigation.

⑥ Web-based firewall management system

The management system is responsible for configuring and monitoring the network address translation module, the centralized access control module, the authentication and access control system, the monitoring system and the other modules, using a web-based management model. Because most of the information it handles, such as user accounts, is sensitive, its security must be fully guaranteed; we use Java Applet technology instead of CGI, together with encryption and other security measures, to protect user information in transit.

Conclusion: Although NAT brings many benefits, such as removing the need to obtain further IP addresses, lowering ISP account costs, and allowing better load balancing, it also poses potential threats to some management and security mechanisms. Whether it helps or hurts depends on applying Network Address Translation correctly.

This article is from the CSDN blog; when reproducing it, please indicate the source: http://blog.csdn.net/cnming/archive/2009/08/19/4462343.aspx
