CS 4700 / CS 5700 Network Fundamentals

Slides:



Advertisements
Similar presentations
Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Advertisements

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
Network Security Essentials Chapter 11
CST Computer Networks NAT CST 415 4/10/2017 CST Computer Networks.
Firewalls and Network Address Translation (NAT) Chapter 7.
CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
CS 457 – Lecture 16 Global Internet - BGP Spring 2012.
Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
CS 4700 / CS 5700 Network Fundamentals Lecture 15: NAT (You Better Forward Those Ports) Revised 3/9/2013.
IUT– Network Security Course 1 Network Security Firewalls.
CS 4700 / CS 5700 Network Fundamentals Lecture 13: Middleboxes and NAT (Duct tape for IPv4) Revised 3/9/2013.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
What we will cover… Home Networking: Network Address Translation (NAT) Mobile Routing.
1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
NAT: Network Address Translation local network (e.g., home network) /24 rest of Internet Datagrams.
Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
Middleboxes & Network Appliances EE122 TAs Past and Present.
BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.
Hafez Barghouthi. Model for Network Access Security (our concern) Patrick BoursAuthentication Course 2007/20082.
Network Layer4-1 NAT: Network Address Translation local network (e.g., home network) /24 rest of.
Network Security Essentials Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
CS 5565 Network Architecture and Protocols
9/11/2015Home Networking1 Bob.test Have Road Runner Unhappy about reports of constant probes of machines Policy decision –I want to prevent unauthorized.
CS 3214 Computer Systems Godmar Back Lecture 24 Supplementary Material.
1 NAT Network Address Translation Motivation for NAT To solve the insufficient problem of IP addresses IPv6 –All software and hardware need to be updated.
CS 540 Computer Networks II Sandy Wang
Network Layer4-1 DHCP: Dynamic Host Configuration Protocol Goal: allow host to dynamically obtain its IP address from network server when it joins network.
11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.
Network Layer4-1 Chapter 4: Network Layer r 4. 1 Introduction r 4.2 Virtual circuit and datagram networks r 4.3 What’s inside a router r 4.4 IP: Internet.
Networking Components Daniel Rosser LTEC Network Hub It is very difficult to find Hubs anymore Hubs sends data from one computer to all other computers.
Security fundamentals Topic 10 Securing the network perimeter.
CS 5565 Network Architecture and Protocols Godmar Back Lecture 14.
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
© 2001, Cisco Systems, Inc. CSPFA 2.0—5-1 Chapter 5 Cisco PIX Firewall Translations.
1 Network Security. 2 Security Services Confidentiality: protection of any information from being exposed to unintended entities. –Information content.
25/09/ Firewall, IDS & IPS basics. Summary Firewalls Intrusion detection system Intrusion prevention system.
Defining Network Infrastructure and Network Security Lesson 8.
CS 3700 Networks and Distributed Systems
Security fundamentals
NAT (Network Address Translation)
Supplementary Material
NAT : Network Address Translation
Network Address Translation
Original slides prepared by Theo Benson
Supplementary Material
Network Address Translation (NAT)
Middleboxes Jennifer Rexford COS 461: Computer Networks
CONNECTING TO THE INTERNET
Network Address Translation
CS 4700 / CS 5700 Network Fundamentals
Computer Data Security & Privacy
CS 3700 Networks and Distributed Systems
Network Address Translation (NAT)
Introducing To Networking
NET323 D: Network Protocols
6.6 Firewalls Packet Filter (=filtering router)
* Essential Network Security Book Slides.
CS 3700 Networks and Distributed Systems
NET323 D: Network Protocols
Firewalls Routers, Switches, Hubs VPNs
دیواره ی آتش.
DHCP and NAT.
Firewalls Chapter 8.
AbbottLink™ - IP Address Overview
CS4470 Computer Networking Protocols
Network Address Translation (NAT)
DHCP: Dynamic Host Configuration Protocol
Session 20 INST 346 Technologies, Infrastructure and Architecture
Presentation transcript:

CS 4700 / CS 5700 Network Fundamentals Christo Wilson 8/22/2012 CS 4700 / CS 5700 Network Fundamentals Lecture 13: Middleboxes and NAT (Duct tape for IPv4) Revised 3/28/2015 Defense

Christo Wilson 8/22/2012 Middleboxes Devices in the network that interact with network traffic from the IP layer and up Common functions NAT Firewall and other security Proxy Shaping Filtering Caching … Internet Defense

Outline NAT Other middleboxes

The IPv4 Shortage Problem: consumer ISPs typically only give one IP address per-household Additional IPs cost extra More IPs may not be available Today’s households have more networked devices than ever Laptops and desktops TV, bluray players, game consoles Tablets, smartphones, eReaders How to get all these devices online?

Private IP Networks Idea: create a range of private IPs that are separate from the rest of the network Use the private IPs for internal routing Use a special router to bridge the LAN and the WAN Properties of private IPs Not globally unique Usually taken from non-routable IP ranges (why?) Typical private IP ranges 10.0.0.0 – 10.255.255.255 172.16.0.0 – 172.31.255.255 192.168.0.0 – 192.168.255.255

Private Networks NAT 192.168.0.1 192.168.0.1 Private Network Private 192.168.0.2 192.168.0.2 Internet NAT 192.168.0.0 192.168.0.0 66.31.210.69

Network Address Translation (NAT) NAT allows hosts on a private network to communicate with the Internet Warning: connectivity is not seamless Special router at the boundary of a private network Replaces internal IPs with external IP This is “Network Address Translation” May also replace TCP/UDP port numbers Maintains a table of active flows Outgoing packets initialize a table entry Incoming packets are rewritten based on the table

Basic NAT Operation Private Network Internet 192.168.0.1 66.31.210.69 Source: 192.168.0.1 Dest: 74.125.228.67 Source: 66.31.210.69 Dest: 74.125.228.67 Private Address Public Address 192.168.0.1:2345 74.125.228.67:80 192.168.0.1 66.31.210.69 74.125.228.67 Source: 74.125.228.67 Dest: 192.168.0.1 Source: 74.125.228.67 Dest: 66.31.210.69

Advantages of NATs Allow multiple hosts to share a single public IP Allow migration between ISPs Even if the public IP address changes, you don’t need to reconfigure the machines on the LAN Load balancing Forward traffic from a single public IP to multiple private hosts

Natural Firewall Private Network Internet 192.168.0.1 66.31.210.69 Private Address Public Address 192.168.0.1 66.31.210.69 74.125.228.67 Source: 74.125.228.67 Dest: 66.31.210.69 Source: 74.125.228.67 Dest: 192.168.0.1

Concerns About NAT Performance/scalability issues Per flow state! Modifying IP and Port numbers means NAT must recompute IP and TCP checksums Breaks the layered network abstraction Breaks end-to-end Internet connectivity 192.168.*.* addresses are private Cannot be routed to on the Internet Problem is worse when both hosts are behind NATs What about IPs embedded in data payloads?

Port Forwarding Private Network Internet 192.168.0.1 66.31.210.69 Private Address Public Address 192.168.0.1:7000 *.*.*.*:* 192.168.0.1 66.31.210.69 74.125.228.67 Source: 74.125.228.67:8679 Dest: 192.168.0.1:7000 Source: 74.125.228.67:8679 Dest: 66.31.210.69:7000

Hole Punching Two application-level protocols for hole punching Problem: How to enable connectivity through NATs? NAT 1 NAT 2 192.168.0.2 192.168.0.1 66.31.210.69 59.1.72.13 Two application-level protocols for hole punching STUN TURN

What is my global IP address? STUN Session Traversal Utilities for NAT Use a third-party to echo your global IP address Also used to probe for symmetric NATs/firewalls i.e. are external ports open or closed? What is my global IP address? Please echo my IP address Your IP is 66.31.210.69 192.168.0.1 STUN Server 66.31.210.69

Problems With STUN Only useful in certain situations One peer is behind a symmetric NAT Both peers are behind partial NATs Not useful when both peers are fully behind full NATs NAT 1 NAT 2 192.168.0.2 192.168.0.1 66.31.210.69 59.1.72.13

TURN Traversal Using Relays around NAT NAT 1 NAT 2 192.168.0.2 192.168.0.1 Please connect to me on 66.31.210.69:7000 192.168.0.1:7000 192.168.0.2:7000 66.31.210.69 59.1.72.13 TURN Server

Outline NAT Other middleboxes

Firewall A device that blocks traffic according to a set of rules Why? Services with vulnerabilities turned on by default ISP policy forbidding certain traffic due to ToS Typically specified using a 5-tuple E.g., block outbound SMTP; block inbound SQL server reqs GFC (Great Firewall of China) Known to block based on IP, filter DNS requests, etc

Web caching ISP installs cache near network edge that caches copies of Web pages Why? Performance: Content is closer to clients, TCP will perform better with lower RTTs Cost: “free” for the ISP to serve from inside the network Limitations Much of today’s content is not static (why does this matter?) Content ownership Potential privacy issues Long tail of content popularity

Web caching ISP installs cache near network edge that caches copies of Web pages Why? Performance: Content is closer to clients, TCP will perform better with lower RTTs Cost: “free” for the ISP to serve from inside the network Not cached foo.htm foo.htm Internet foo.htm foo.htm

Proxying Non-split connections Split connections C M S Forward traffic to a different IP/port (like a tunnel) Can be local or remote Split connections Middlebox maintains two flows: C-M and M-S Can be done transparently How? C M S Syn Syn Ack Ack SynAck SynAck

Proxying Advantages Disadvantages C M S RTT is lower on each end Can use different MTUs Particularly useful in cell ntwks Disadvantages Extra delay can be bad for small flows Buffering/state makes it potentially costly C M S Syn Syn Ack Ack SynAck SynAck

Shaping ISPs are often charged according to 95% model Internet usage is very “peaky”, e.g., at 5pm, or when House of Cards season 3 is released To control costs, ISPs such as Rogers shape client traffic Time-of day Traffic type Common implementations Token Bucket (see next deck) RSTs 95% Savings over peak Throughput samples

Shaping in Mobile Networks Check out http://dd.meddle.mobi Android app Uses a VPN as a control Replays real app traffic Key findings ISPs like T-Mobile, Videotron do shaping We also can reveal how they detect apps Can lead to misclassification

Summary Middleboxes are pervasive in today’s networks Pros Cons Security Performance Network engineering Pros Allow the network to provide functionality not provided by IP Can protect the network from client misconfigurations Cons Break the end-to-end model, by operating at layer 3 Can threaten net neutrality One more point of failure

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.