
Figure 1-4 Packet-Inspection Flow Diagram

Packet-inspection firewalls are generally much faster than application firewalls because they are not required to host client applications. Most of the packet-inspection firewalls today also offer very good application or deep-packet inspection. This process allows the firewall to dig into the data portion of the packet and match on protocol compliance, scan for viruses, and so on and still operate very quickly.

Reusing IP Addresses

A feature that is common among all firewalls is Network Address Translation (NAT) and Port Address Translation (PAT). NAT obfuscates the IP address scheme you are using internally, and the PAT function helps minimize the use of public address space. Figure 1-5 shows how a firewall can be used to provide NAT and/or PAT functionality.

Figure 1-4 (diagram text): Client on the Inside, Packet-Inspection Firewall, Web Server on the Outside. Steps: 1. Does the firewall rule-set allow this packet? YES. 2. Add a session entry. 3. Forward packet. 4. Is this packet part of an existing session? YES. 5. Forward packet.

Figure 1-5 IP Address Reuse

Figure 1-5 (diagram text): Client on the Inside, Packet-Inspection Firewall, Web Server on the Outside. The firewall asks: Is the outgoing session allowed (IP address, port number, HTTP, and so on)? Should the traffic use NAT or PAT functionality? Is the return traffic legitimate?

NAT

NAT provides the capability to change the source and/or destination IP address. This is common when private address space is used internally. NAT has a one-to-one relationship between inside and outside IP addresses.

Figure 1-6 shows two clients located on the inside of the firewall. Client 1 has an IP address of 192.168.1.2 and Client 2 has an IP address of 192.168.1.3. A NAT pool of addresses has been assigned to the firewall using IP addresses 172.16.1.2 through 172.16.1.254. When Client 1 attempts to connect to the Internet, the firewall has been configured to take an IP address from the pool and change the client’s source address to the address from the pool. Notice that when the connection passes through the firewall, the source address changed from 192.168.1.2 to 172.16.1.2 (the first address in the pool).

When Client 2 establishes a connection through the firewall, it will get the second address from the pool. As you can see, the size of the pool is directly proportional to the number of clients allowed through. When the 255th client attempts to make a connection through the firewall, the pool of addresses will have been completely allocated and the connection will be denied. This problem will be addressed in the next section, “PAT.”

NAT functionality can also be configured statically, called “static” NAT (can you believe it). This feature permanently maps inside to outside or outside to inside addresses. This allows connections from the outside to be established to the inside, using a mapped IP address.

Figure 1-6 NAT

Figure 1-6 (diagram text): Inside/Outside, NAT POOL: 172.16.1.2 through 172.16.1.254, destination Internet.
Client 1 (inside): Src IP 192.168.1.2, Src Port 1024*, Dest IP 10.1.1.1, Dest Port 80 -> (outside): Src IP 172.16.1.2, Src Port 1089*, Dest IP 10.1.1.1, Dest Port 80
Client 2 (inside): Src IP 192.168.1.3, Src Port 1024*, Dest IP 10.1.1.1, Dest Port 80 -> (outside): Src IP 172.16.1.3, Src Port 1090*, Dest IP 10.1.1.1, Dest Port 80

* Indicates an ephemeral port, which is a temporary port not currently in use. For Windows the ports are 1024 to 4999.


The use of shared NAT pools conserves valuable public IP address space and also supports applications that aren’t very well behaved and open random ports for communication. Static NAT will not conserve public IP addresses, but it provides a mechanism for clients on the public network (Internet) to access services that are privately addressed.

PAT

PAT, on the other hand, has a one-to-many IP address relationship. A common implementation is using a private address space internally but having only one public IP address; this could be the case on your home network. Translations are performed at the transport layer of the OSI model.

Figure 1-7 is similar to Figure 1-6, except that instead of a pool of addresses on the firewall, the firewall has been configured to translate the client addresses to the outside IP address of the firewall.

When Client 1 connects through the firewall, the firewall changes the source address of 192.168.1.2 to 172.16.1.1.

When Client 2 connects through the firewall, the firewall changes the source address from 192.168.1.3 to 172.16.1.1.

Both clients use the same IP address. If you are wondering how the firewall knows where to send the data back to, that is where the source port numbers come into play. The firewall creates a table that maps the appropriate source IP and port numbers to the translated source IP and port number. That way, when traffic returns to the shared outside address of 172.16.1.1, it knows the appropriate destination.
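The following is an added example, not code from the book or the FWSM: a small Python model of the two translation modes just described, the one-to-one NAT pool of Figure 1-6 (including the denied connection once the pool is exhausted) and the one-to-many PAT table of Figure 1-7 that maps return traffic on the shared outside address back to the right client by port. Addresses are the figures' own; the class and method names are assumptions.

```python
import ipaddress

# Constructed model (not the FWSM implementation). Addresses follow
# Figures 1-6 and 1-7: inside clients 192.168.1.x, NAT pool
# 172.16.1.2 through 172.16.1.254, firewall outside IP 172.16.1.1.

class DynamicNAT:
    """One-to-one: each inside host takes one pool address until exhausted."""
    def __init__(self, first, last):
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.free = [str(ipaddress.ip_address(a)) for a in range(lo, hi + 1)]
        self.table = {}          # inside IP -> pool IP

    def translate(self, src_ip):
        if src_ip in self.table:
            return self.table[src_ip]
        if not self.free:
            return None          # pool exhausted: the connection is denied
        self.table[src_ip] = self.free.pop(0)
        return self.table[src_ip]


class PAT:
    """One-to-many: all inside hosts share one outside IP; the translated
    source port identifies the session so return traffic can be mapped back."""
    def __init__(self, outside_ip, first_port=1089):
        self.outside_ip = outside_ip
        self.next_port = first_port      # next ephemeral port to hand out
        self.out = {}            # (inside IP, inside port) -> outside port
        self.back = {}           # outside port -> (inside IP, inside port)

    def translate(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key not in self.out:
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[port] = key
        return self.outside_ip, self.out[key]

    def untranslate(self, dst_port):
        # Return traffic arriving at the shared outside IP: look the port up.
        # A port with no table entry belongs to no session and is dropped.
        return self.back.get(dst_port)
```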

Figure 1-7 PAT

As you can see, PAT gives you much better scalability from an IP usage standpoint, consequently reducing the number of public IP addresses required on the Internet. You will also see in Chapter 4, “Understanding Security Levels,” how PAT can be used by clients to access multiple resources using the same IP address.

Summary

Three basic types of firewalls (packet filtering, application, and packet inspection) are designed to control traffic flows. The previous descriptions provide general functionality of the operation of these types of firewalls. Individual vendors may employ additional features; you should refer to their documentation for specific information.

You might be wondering where the FWSM fits. The FWSM is a packet-inspection firewall with many more bells and whistles that will be explained in the following chapters.

Figure 1-7 (diagram text): Inside/Outside, firewall outside IP address 172.16.1.1, destination Internet.
Client 1 (inside): Src IP 192.168.1.2, Src Port 1024*, Dest IP 10.1.1.1, Dest Port 80 -> (outside): Src IP 172.16.1.1, Src Port 1089*, Dest IP 10.1.1.1, Dest Port 80
Client 2 (inside): Src IP 192.168.1.3, Src Port 1024*, Dest IP 10.1.1.1, Dest Port 80 -> (outside): Src IP 172.16.1.1, Src Port 1090*, Dest IP 10.1.1.1, Dest Port 80

* Indicates an ephemeral port, which is a temporary port not currently in use. For Windows the ports are 1024 to 4999.

