CS 4700 / CS 5700 Network Fundamentals

Slides:



Advertisements
Similar presentations
Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Advertisements

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
Network Security Essentials Chapter 11
CST Computer Networks NAT CST 415 4/10/2017 CST Computer Networks.
Firewalls and Network Address Translation (NAT) Chapter 7.
CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
CS 4700 / CS 5700 Network Fundamentals Lecture 15: NAT (You Better Forward Those Ports) Revised 3/9/2013.
CS 4700 / CS 5700 Network Fundamentals Lecture 13: Middleboxes and NAT (Duct tape for IPv4) Revised 3/9/2013.
5-Network Defenses Dr. John P. Abraham Professor UTPA.
What we will cover… Home Networking: Network Address Translation (NAT) Mobile Routing.
1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
NAT: Network Address Translation local network (e.g., home network) /24 rest of Internet Datagrams.
Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
Middleboxes & Network Appliances EE122 TAs Past and Present.
BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.
Day15 IP Space/Setup. IP Suite of protocols –TCP –UDP –ICMP –GRE… Gives us many benefits –Routing of packets over internet –Fragmentation/Reassembly of.
Hafez Barghouthi. Model for Network Access Security (our concern) Patrick BoursAuthentication Course 2007/20082.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
Network Security Essentials Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
CS 5565 Network Architecture and Protocols
9/11/2015Home Networking1 Bob.test Have Road Runner Unhappy about reports of constant probes of machines Policy decision –I want to prevent unauthorized.
CS 3214 Computer Systems Godmar Back Lecture 24 Supplementary Material.
1 NAT Network Address Translation Motivation for NAT To solve the insufficient problem of IP addresses IPv6 –All software and hardware need to be updated.
Introduction to Network Address Translation
CS 540 Computer Networks II Sandy Wang
Network Layer4-1 DHCP: Dynamic Host Configuration Protocol Goal: allow host to dynamically obtain its IP address from network server when it joins network.
Network Layer4-1 Chapter 4: Network Layer r 4. 1 Introduction r 4.2 Virtual circuit and datagram networks r 4.3 What’s inside a router r 4.4 IP: Internet.
Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.
Networking Components Daniel Rosser LTEC Network Hub It is very difficult to find Hubs anymore Hubs sends data from one computer to all other computers.
Private Network Addresses IP addresses in a private network can be assigned arbitrarily. – Not registered and not guaranteed to be globally unique Generally,
Security fundamentals Topic 10 Securing the network perimeter.
CS 5565 Network Architecture and Protocols Godmar Back Lecture 14.
© 2001, Cisco Systems, Inc. CSPFA 2.0—5-1 Chapter 5 Cisco PIX Firewall Translations.
25/09/ Firewall, IDS & IPS basics. Summary Firewalls Intrusion detection system Intrusion prevention system.
Defining Network Infrastructure and Network Security Lesson 8.
CS 3700 Networks and Distributed Systems
Security fundamentals
CS 4700 / CS 5700 Network Fundamentals
NAT (Network Address Translation)
Supplementary Material
NAT : Network Address Translation
Network Address Translation
Original slides prepared by Theo Benson
Supplementary Material
Network Address Translation (NAT)
CONNECTING TO THE INTERNET
Network Address Translation
Computer Data Security & Privacy
CS 3700 Networks and Distributed Systems
Network Address Translation (NAT)
Introducing To Networking
NET323 D: Network Protocols
New Solutions For Scaling The Internet Address Space
* Essential Network Security Book Slides.
EEC-484/584 Computer Networks
CS 3700 Networks and Distributed Systems
NET323 D: Network Protocols
Firewalls Routers, Switches, Hubs VPNs
EEC-484/584 Computer Networks
دیواره ی آتش.
DHCP and NAT.
Firewalls Chapter 8.
AbbottLink™ - IP Address Overview
CS4470 Computer Networking Protocols
Network Address Translation (NAT)
DHCP: Dynamic Host Configuration Protocol
Session 20 INST 346 Technologies, Infrastructure and Architecture
Presentation transcript:

CS 4700 / CS 5700 Network Fundamentals Christo Wilson 8/22/2012 CS 4700 / CS 5700 Network Fundamentals Lecture 13: Middleboxes and NAT (Duct tape for IPv4) Revised 3/28/2015 Defense

Christo Wilson 8/22/2012 Middleboxes Devices in the network that interact with network traffic from the IP layer and up Common functions NAT Firewall and other security Proxy Shaping Filtering Caching … Internet Defense

Outline NAT Other middleboxes

The IPv4 Shortage Problem: consumer ISPs typically only give one IP address per-household Additional IPs cost extra More IPs may not be available Today’s households have more networked devices than ever Laptops and desktops TV, bluray players, game consoles Tablets, smartphones, eReaders How to get all these devices online?

Private IP Networks Idea: create a range of private IPs that are separate from the rest of the network Use the private IPs for internal routing Use a special router to bridge the LAN and the WAN Properties of private IPs Not globally unique Usually taken from non-routable IP ranges (why?) Typical private IP ranges 10.0.0.0 – 10.255.255.255 172.16.0.0 – 172.31.255.255 192.168.0.0 – 192.168.255.255

Private Networks NAT 192.168.0.1 192.168.0.1 Private Network Private 192.168.0.2 192.168.0.2 Internet NAT 192.168.0.0 192.168.0.0 66.31.210.69

Network Address Translation (NAT) NAT allows hosts on a private network to communicate with the Internet Warning: connectivity is not seamless Special router at the boundary of a private network Replaces internal IPs with external IP This is “Network Address Translation” May also replace TCP/UDP port numbers Maintains a table of active flows Outgoing packets initialize a table entry Incoming packets are rewritten based on the table

Basic NAT Operation Private Network Internet 192.168.0.1 66.31.210.69 Source: 192.168.0.1 Dest: 74.125.228.67 Source: 66.31.210.69 Dest: 74.125.228.67 Private Address Public Address 192.168.0.1:2345 74.125.228.67:80 192.168.0.1 66.31.210.69 74.125.228.67 Source: 74.125.228.67 Dest: 192.168.0.1 Source: 74.125.228.67 Dest: 66.31.210.69

Advantages of NATs Allow multiple hosts to share a single public IP Allow migration between ISPs Even if the public IP address changes, you don’t need to reconfigure the machines on the LAN Load balancing Forward traffic from a single public IP to multiple private hosts

Natural Firewall Private Network Internet 192.168.0.1 66.31.210.69 Private Address Public Address 192.168.0.1 66.31.210.69 74.125.228.67 Source: 74.125.228.67 Dest: 66.31.210.69 Source: 74.125.228.67 Dest: 192.168.0.1

Concerns About NAT Performance/scalability issues Per flow state! Modifying IP and Port numbers means NAT must recompute IP and TCP checksums Breaks the layered network abstraction Breaks end-to-end Internet connectivity 192.168.*.* addresses are private Cannot be routed to on the Internet Problem is worse when both hosts are behind NATs What about IPs embedded in data payloads?

Port Forwarding Private Network Internet 192.168.0.1 66.31.210.69 Private Address Public Address 192.168.0.1:7000 *.*.*.*:* 192.168.0.1 66.31.210.69 74.125.228.67 Source: 74.125.228.67:8679 Dest: 192.168.0.1:7000 Source: 74.125.228.67:8679 Dest: 66.31.210.69:7000

Hole Punching Two application-level protocols for hole punching Problem: How to enable connectivity through NATs? NAT 1 NAT 2 192.168.0.2 192.168.0.1 66.31.210.69 59.1.72.13 Two application-level protocols for hole punching STUN TURN

What is my global IP address? STUN Session Traversal Utilities for NAT Use a third-party to echo your global IP address Also used to probe for symmetric NATs/firewalls i.e. are external ports open or closed? What is my global IP address? Please echo my IP address Your IP is 66.31.210.69 192.168.0.1 STUN Server 66.31.210.69

Problems With STUN Only useful in certain situations One peer is behind a symmetric NAT Both peers are behind partial NATs Not useful when both peers are fully behind full NATs NAT 1 NAT 2 192.168.0.2 192.168.0.1 66.31.210.69 59.1.72.13

TURN Traversal Using Relays around NAT NAT 1 NAT 2 192.168.0.2 192.168.0.1 Please connect to me on 66.31.210.69:7000 192.168.0.1:7000 192.168.0.2:7000 66.31.210.69 59.1.72.13 TURN Server

Outline NAT Other middleboxes

Firewall A device that blocks traffic according to a set of rules Why? Services with vulnerabilities turned on by default ISP policy forbidding certain traffic due to ToS Typically specified using a 5-tuple E.g., block outbound SMTP; block inbound SQL server reqs GFC (Great Firewall of China) Known to block based on IP, filter DNS requests, etc

Web caching ISP installs cache near network edge that caches copies of Web pages Why? Performance: Content is closer to clients, TCP will perform better with lower RTTs Cost: “free” for the ISP to serve from inside the network Limitations Much of today’s content is not static (why does this matter?) Content ownership Potential privacy issues Long tail of content popularity

Web caching ISP installs cache near network edge that caches copies of Web pages Why? Performance: Content is closer to clients, TCP will perform better with lower RTTs Cost: “free” for the ISP to serve from inside the network Not cached foo.htm foo.htm Internet foo.htm foo.htm

Proxying Non-split connections Split connections C M S Like NAT, but IP address is no longer the one assigned to you Split connections Middlebox maintains two flows: C-M and M-S Can be done transparently How? C M S Syn Syn Ack Ack SynAck SynAck

Proxying Advantages Disadvantages C M S RTT is lower on each end Can use different MTUs Particularly useful in cell ntwks Disadvantages Extra delay can be bad for small flows Buffering/state makes it potentially costly C M S Syn Syn Ack Ack SynAck SynAck

Shaping ISPs are often charged according to 95% model Internet usage is very “peaky”, e.g., at 5pm, or when House of Cards season 3 is released To control costs, ISPs such as Rogers shape client traffic Time-of day Traffic type Common implementations Token Bucket (see next deck) RSTs 95% Savings over peak Throughput samples

Shaping in Mobile Networks Check out http://dd.meddle.mobi Android app Uses a VPN as a control Replays real app traffic Key findings ISPs like T-Mobile, Videotron do shaping We also can reveal how they detect apps Can lead to misclassification

Summary Middleboxes are pervasive in today’s networks Pros Cons Security Performance Network engineering Pros Allow the network to provide functionality not provided by IP Can protect the network from client misconfigurations Cons Break the end-to-end model, by operating at layer 3 Can threaten net neutrality One more point of failure

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.