
DFL-210/800/1600/2500 Training Material DFL fundamental Part II Created on 2007 ©Copyright 2007. All rights reserved.




2 Topics in NAT
- NAT behaviour and DFL SAT & NAT
- Is a NAT rule needed, in addition to SAT and Allow, for LAN clients?
- Case study: things that NAT breaks

3 NAT – Source Address Translation
INSIDE                                              OUTSIDE
Packet 1 (inside):  source 192.168.1.100, destination 1.1.1.1
Packet 1 (outside): source 2.2.2.2, destination 1.1.1.1
Packet 2 (outside): source 1.1.1.1, destination 2.2.2.2
Packet 2 (inside):  source 1.1.1.1, destination 192.168.1.100
The NAT router replaces the private source address of the green PC (192.168.1.100) with a publicly routable address (2.2.2.2) on the way out, and restores the private address as the destination of the reply on the way back in.

4 DFL – Source Address Translation

5 NAT – Destination Address Translation
INSIDE                                              OUTSIDE
Packet 1 (inside):  source 192.168.1.1, destination 1.1.1.1
Packet 1 (outside): source 192.168.1.1, destination 172.16.90.91
Packet 2 (outside): source 172.16.90.91, destination 192.168.1.1
Packet 2 (inside):  source 1.1.1.1, destination 192.168.1.1
The NAT router rewrites the destination address on the way out (1.1.1.1 becomes 172.16.90.91) and rewrites the source address of the reply on the way back (172.16.90.91 becomes 1.1.1.1), so the inside host only ever sees 1.1.1.1. The translation therefore touches one address field in each direction.

6 DFL – Destination Address Translation (one-to-one mapping of a whole network)
Orig. Dest.      SAT Dest.
-------------    ---------
172.16.90.1      1.1.1.1
172.16.90.2      1.1.1.2
172.16.90.3      1.1.1.3
....
172.16.90.254    1.1.1.254

7 NAT – Dynamic NAT
INSIDE: source 10.10.10.1–10.10.10.254 (254 addresses)  ->  NAT  ->  OUTSIDE: source 1.1.1.1–1.1.1.20 (20 addresses)  ->  Internet
In this design a pool of 20 public IP addresses serves a private address range about 12 times as large. Each inside host is bound to one pool address while it has sessions open, so at most 20 inside hosts can be active at the same time; a 21st host must wait for a pool address to be released.

8 NAT – NAPT
INSIDE                                              OUTSIDE
Packet 1 (inside):  source 192.168.1.1, source port 1026
Packet 1 (outside): source 2.2.2.2, source port 1026
Packet 2 (inside):  source 192.168.1.101, source port 1026
Packet 2 (outside): source 2.2.2.2, source port 3000
By translating both the IP address and the associated port, NAPT (also called PAT) lets many hosts simultaneously share a single global address. The second host's source port 1026 is already in use on 2.2.2.2 for the first host, so the translator remaps it to 3000 and uses the port to tell the two flows apart on the way back.
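As an added example (not code from the training material), the following Python models the NAPT table behind the slide above: one public address, port preservation when the inside host's source port is still free, and remapping when a second host already holds it. The public address 2.2.2.2, the two inside hosts and their source port 1026 come from the slide; the starting port for remapped flows (3000), the class name Napt and the single-port inbound lookup are assumptions made for the illustration.

```python
from dataclasses import dataclass

PUBLIC_IP = "2.2.2.2"     # the single global address from the slide
FIRST_REMAP_PORT = 3000   # assumed: first port handed out when the original port is taken


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP/UDP flow as seen on the wire."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """Minimal NAPT (PAT) state table: many inside (ip, port) pairs share one public IP."""

    def __init__(self, public_ip=PUBLIC_IP, first_port=FIRST_REMAP_PORT):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (inside ip, inside port) -> public port
        self.back = {}   # public port -> (inside ip, inside port)

    def _allocate(self, inside_port):
        # Port preservation: keep the inside source port while nobody else holds it,
        # otherwise hand out the next free port from the remap range.
        if inside_port not in self.back:
            return inside_port
        while self.next_port in self.back:
            self.next_port += 1
        chosen = self.next_port
        self.next_port += 1
        return chosen

    def outbound(self, f):
        """Inside -> outside: rewrite the source to (public_ip, allocated port)."""
        inside = (f.src_ip, f.src_port)
        if inside not in self.out:
            pub_port = self._allocate(f.src_port)
            self.out[inside] = pub_port
            self.back[pub_port] = inside
        return Flow(self.public_ip, self.out[inside], f.dst_ip, f.dst_port)

    def inbound(self, f):
        """Outside -> inside: only packets matching existing state are translated back.
        Anything else is dropped, which is the 'implicit firewall' effect of NAPT.
        (A real translator also checks the remote endpoint; this demo keys on the
        public port alone, which is the assumption simplifying the table.)"""
        inside = self.back.get(f.dst_port)
        if f.dst_ip != self.public_ip or inside is None:
            raise LookupError("no translation state for this packet; dropped")
        return Flow(f.src_ip, f.src_port, inside[0], inside[1])


def slide_scenario():
    """Replays the two packets of the slide and a reply to the second one."""
    napt = Napt()
    p1 = napt.outbound(Flow("192.168.1.1", 1026, "1.1.1.1", 80))
    p2 = napt.outbound(Flow("192.168.1.101", 1026, "1.1.1.1", 80))
    reply = napt.inbound(Flow("1.1.1.1", 80, PUBLIC_IP, p2.src_port))
    return p1, p2, reply
```

The reply to the remapped flow is steered back to 192.168.1.101:1026 purely by the public port 3000, which is why a NAPT device cannot accept unsolicited inbound traffic: there is no row in the table to map it to.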

9 DFL - NAPT

10 Is a NAT rule needed, in addition to SAT and Allow, for LAN clients?

11 Is a NAT rule needed, in addition to SAT and Allow, for LAN clients?

12

13 LAN user to web server SAT & NAT

14 Is a NAT rule needed, in addition to SAT and Allow, for LAN clients?
#  Name              Action   Source Int  Source Net       Destination Int  Destination Net  Service   SAT parameter
1  SAT_Web_In        SAT      any         all-nets         core             wan_ip           http-in   SAT_Dest: Websrv_priv_ip
2  SAT_Web_Out       SAT      lan         Websrv_priv_ip   any              all-nets         80 > all  SAT_Src: wan_ip
3  FwdFast_Web_Out   FwdFast  lan         Websrv_priv_ip   any              all-nets         80 > all
4  Fwd_Web_In        FwdFast  wan1        all-nets         core             wan_ip           http-in
5  NAT_lan_Web_In    NAT      lan         lannet           core             wan_ip           http-in

15 Is a NAT rule needed, in addition to SAT and Allow, for LAN clients?
External traffic to the internal web server (SAT & FwdFast)
DFL:/> rules -v
Contents of ruleset; default action is DROP
#  Act.   Source                 Destination            Protocol/Ports
-- -----  ---------------------- ---------------------- --------------
1  SAT    *:0.0.0.0/0            core:1.2.3.4           "http-in"      "SAT_webIn" SETDEST 172.31.31.200   Use: 5
2  SAT    lan:172.31.31.200      *:0.0.0.0/0            TCP 80 > ALL   "SAT_webOut" SETSRC 1.2.3.4:80      Use: 4
3  FwdFa  lan:172.31.31.200      *:0.0.0.0/0            TCP 80 > ALL   "Allow_SAT_webOut"                  Use: 4
4  FwdFa  wan1:0.0.0.0/0         core:1.2.3.4           "http-in"      "Allow_SAT_webIn"                   Use: 5
5  NAT    lan:172.31.31.0/24     core:1.2.3.4           "http-in"      "NAT_lan-core_wan"                  Use: 0
Rules 1 and 4 count every packet from the external client; rules 2 and 3 count the server's replies, because FwdFast is stateless and the return direction needs its own SAT and forwarding rules. Rule 5 is never hit by external traffic.

16 The packet exchange behind the counters above (A = external client, B = web server)
A -> B  SYN
A <- B  SYN,ACK
A -> B  ACK
A -> B  request (GET)
A <- B  response (request has succeeded)
A -> B  FIN,ACK
A <- B  ACK
A <- B  FIN,ACK
A -> B  ACK
Five packets travel A -> B (rules 1 and 4: Use 5) and four travel B -> A (rules 2 and 3: Use 4).


18 Is a NAT rule needed, in addition to SAT and Allow, for LAN clients?
Internal traffic to the internal web server (SAT & NAT)
DFL:/> rules -v
Contents of ruleset; default action is DROP
#  Act.   Source                 Destination            Protocol/Ports
-- -----  ---------------------- ---------------------- --------------
1  SAT    *:0.0.0.0/0            core:1.2.3.4           "http-in"      "SAT_webIn" SETDEST 172.31.31.200   Use: 1
2  SAT    lan:172.31.31.200      *:0.0.0.0/0            TCP 80 > ALL   "SAT_webOut" SETSRC 1.2.3.4:80      Use: 0
3  FwdFa  lan:172.31.31.200      *:0.0.0.0/0            TCP 80 > ALL   "Allow_SAT_webOut"                  Use: 0
4  FwdFa  wan1:0.0.0.0/0         core:1.2.3.4           "http-in"      "Allow_SAT_webIn"                   Use: 0
5  NAT    lan:172.31.31.0/24     core:1.2.3.4           "http-in"      "NAT_lan-core_wan"                  Use: 1
Now only rule 1 (SAT) and rule 5 (NAT) are hit. The LAN client addresses the server by its public address, so the SAT rule rewrites the destination to 172.31.31.200; the NAT rule is the first non-SAT rule that matches, and it rewrites the source to the firewall's own LAN address. Without rule 5 no non-SAT rule matches a LAN source, and the packet falls to the default DROP. The NAT rewrite also matters for the reply: the server sees the firewall, not the client, as the source, so its reply goes back through the firewall, which undoes both translations. If the server answered the client's private address directly, the client would see a reply from 172.31.31.200 to a connection it opened to 1.2.3.4 and discard it. So yes, the NAT rule is needed for LAN clients; rules 2 to 4 stay at Use: 0 because NAT is stateful and the reply is handled by the connection state.
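To make the "Use" counters above reproducible, here is an added Python model (not the firewall's own code) of how the five rules are evaluated: the rule set is scanned top-down against the original, untranslated packet, a matching SAT rule records a translation and the scan continues, and the first matching non-SAT rule decides the action, with the translations applied at that point. The rule contents, 1.2.3.4, 172.31.31.200 and the "http-in" and "TCP 80 > ALL" services are taken from the listing; the firewall's LAN address 172.31.31.1 used as the NAT source, and the restriction to "*" and "core" as destination interfaces, are assumptions for the illustration.

```python
import ipaddress

FW_WAN_IP = "1.2.3.4"        # public address clients connect to (from the listing)
WEBSRV_IP = "172.31.31.200"  # the web server's private address (from the listing)
FW_LAN_IP = "172.31.31.1"    # assumed: the firewall's own LAN address, used as NAT source
FW_OWN_IPS = {FW_WAN_IP, FW_LAN_IP}


class Rule:
    def __init__(self, num, name, action, src_if, src_net, dst_if, dst_net, service, sat=None):
        self.num, self.name, self.action = num, name, action
        self.src_if, self.src_net = src_if, ipaddress.ip_network(src_net)
        self.dst_if, self.dst_net = dst_if, ipaddress.ip_network(dst_net)
        self.service = service   # ("dport", 80) = http-in, ("sport", 80) = TCP 80 > ALL, None = any
        self.sat = sat           # ("SETDEST", ip) or ("SETSRC", ip) on SAT rules
        self.use = 0

    def matches(self, pkt):
        if self.src_if not in ("*", pkt["in_if"]):
            return False
        if ipaddress.ip_address(pkt["src"]) not in self.src_net:
            return False
        # Only "*" (any) and "core" (addressed to the firewall itself) are modelled
        # as destination interfaces; that is all the rule set above uses.
        if self.dst_if == "core" and pkt["dst"] not in FW_OWN_IPS:
            return False
        if ipaddress.ip_address(pkt["dst"]) not in self.dst_net:
            return False
        if self.service is not None:
            field, port = self.service
            if pkt[field] != port:
                return False
        return True


def build_ruleset():
    """The five rules from the 'rules -v' listing, in order."""
    return [
        Rule(1, "SAT_webIn", "SAT", "*", "0.0.0.0/0", "core", FW_WAN_IP + "/32", ("dport", 80), ("SETDEST", WEBSRV_IP)),
        Rule(2, "SAT_webOut", "SAT", "lan", WEBSRV_IP + "/32", "*", "0.0.0.0/0", ("sport", 80), ("SETSRC", FW_WAN_IP)),
        Rule(3, "Allow_SAT_webOut", "FwdFast", "lan", WEBSRV_IP + "/32", "*", "0.0.0.0/0", ("sport", 80)),
        Rule(4, "Allow_SAT_webIn", "FwdFast", "wan1", "0.0.0.0/0", "core", FW_WAN_IP + "/32", ("dport", 80)),
        Rule(5, "NAT_lan-core_wan", "NAT", "lan", "172.31.31.0/24", "core", FW_WAN_IP + "/32", ("dport", 80)),
    ]


def evaluate(ruleset, pkt):
    """Return (action, translated packet). Matching always uses the ORIGINAL packet;
    a SAT match is remembered and the scan goes on until a non-SAT rule matches.
    No non-SAT match means the rule set's default action, DROP."""
    out = dict(pkt)
    sat = None
    for rule in ruleset:
        if not rule.matches(pkt):
            continue
        rule.use += 1
        if rule.action == "SAT":
            sat = sat or rule.sat
            continue
        if sat is not None:
            kind, ip = sat
            out["dst" if kind == "SETDEST" else "src"] = ip
        if rule.action == "NAT":
            # NAT rewrites the source to the firewall's address on the egress side;
            # the server sits on lan, so that is FW_LAN_IP here.
            out["src"] = FW_LAN_IP
        return rule.action, out
    return "DROP", out


def use_counts(ruleset):
    """Mirror of the 'Use:' column: rule number -> hits, for rules that were hit."""
    return {r.num: r.use for r in ruleset if r.use}
```

Run one packet from wan1 and one from lan through a fresh rule set and the counters come out as rule 1 twice, rule 4 once and rule 5 once, matching the pattern of the two listings; remove rule 5 and the LAN client's packet is dropped.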

19 Case study: things that NAT breaks

20 Things that NAT breaks
1) Protocols that cryptographically require the addresses to be unaltered (e.g. IPsec, Kerberos 4/5).
2) Protocols that carry IP addresses in the data portion of the packet (e.g. H.323, SNMP, RSVP, FTP ...).
3) Applications that require pre-set or negotiated source/destination port values (e.g. rlogin, TFTP).

21 TFTP behaviour
1. Host A sends a WRQ to TFTP server B with source port = A's TID (transfer identifier) and destination port 69.
2. B replies with an ACK (block number 0) with source port = B's TID, a freshly chosen port rather than 69, and destination port = A's TID.
A (A's TID = 2856) -> B (port 69)
A (A's TID = 2856) <- B (B's TID = 2566)
A translator that only tracks the 2856 -> 69 flow sees the reply arrive from a different server port and has no state to match it against.

22 Rlogin rule
When an rlogin request is received, the server checks the client's source port. If the port is not in the range 512–1023, the server aborts the connection. A NAPT device that remaps the client's source port outside that range therefore breaks rlogin.

23 Things that NAT breaks: FTP active mode with the FTP server outside
The client's PORT command carries its private address, so the server's data connection to that address never arrives.

24 Things that NAT breaks: FTP passive mode with the FTP server inside
The server's 227 reply carries its private address, so the outside client connects to an address it cannot reach.

25 Things that NAT breaks: FTP passive mode with the FTP server inside, with the FTP ALG
The ALG rewrites the address inside the 227 reply to the public address and opens the data connection through the firewall.
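As an added example of what the FTP ALG on these slides has to do (this is illustrative code, not the DFL's ALG), the following Python rewrites the two FTP control messages that embed an IP address: the client's PORT command in active mode with the server outside, and the server's 227 reply in passive mode with the server inside. It also returns the pinhole (public address/port mapped to the private one) that the firewall would have to open for the data connection. The private and public addresses in the test are constructed; the function names and the shape of the pinhole dictionary are assumptions for the illustration.

```python
import re

_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_CMD = re.compile(r"^PORT\s+" + _HOSTPORT + r"\s*$", re.IGNORECASE)
PASV_REPLY = re.compile(r"^227 [^(]*\(" + _HOSTPORT + r"\)")


def parse_hostport(groups):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256+p2), rejecting out-of-range octets."""
    nums = [int(x) for x in groups]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in FTP host-port string")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def format_hostport(ip, port):
    return ",".join(ip.split(".")) + f",{port // 256},{port % 256}"


def alg_active_port(line, public_ip, public_port):
    """Client inside, server outside, active mode. The PORT command names the client's
    private address, which the server could never connect to. Rewrite it to
    (public_ip, public_port) and return the pinhole the firewall must open so the
    server's data connection to that public endpoint is mapped back to the client."""
    m = PORT_CMD.match(line)
    if not m:
        return line, None            # not a PORT command: pass through untouched
    priv_ip, priv_port = parse_hostport(m.groups())
    rewritten = f"PORT {format_hostport(public_ip, public_port)}\r\n"
    pinhole = {"dst": (public_ip, public_port), "map_to": (priv_ip, priv_port)}
    return rewritten, pinhole


def alg_passive_reply(line, public_ip):
    """Server inside, client outside, passive mode. The 227 reply names the server's
    private address. Rewrite only the address (the port is kept) and return the
    pinhole for the client's inbound data connection."""
    m = PASV_REPLY.match(line)
    if not m:
        return line, None
    priv_ip, port = parse_hostport(m.groups())
    rewritten = f"227 Entering Passive Mode ({format_hostport(public_ip, port)})\r\n"
    return rewritten, {"dst": (public_ip, port), "map_to": (priv_ip, port)}
```

Because the rewrite changes the length of the TCP payload, a real ALG must also fix up TCP sequence and acknowledgement numbers for the rest of the control connection; that bookkeeping is omitted here.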

26 Hands-on NAT ALG and Second IP

27 User Authentication

28 User Authentication
- Admin users
- User authentication types
- Authentication server
- Authentication rule

29 Admin User
Treeview: User Authentication => Local User Database
Treeview: System => Remote Management

30 User Authentication Types
- Authentication users and user groups
- PPTP users and user groups
- L2TP users and user groups
- Xauth users
- IKE ID list

31 Authentication server

32 User Auth Rule Treeview: User Authentication => User Authentication Rule =>Add New

33 Authentication Users and User Groups - Scenario

34 Authentication Users and User Groups – Process flow

35 Hands-on Authentication Users and User Groups Configuration concept –User Database ( local, external) –IP address object (incl. credential) –WebUI before Rules –User Authentication Rule –IP Rule

36 Authentication Users and User Groups – User Database

37 Authentication Users and User Groups – IP address object

38 Authentication Users and User Groups – WebUI before rules

39 Authentication Users and User Groups – User Authentication Rule

40 Authentication Users and User Groups – IP Rule

41

42 Authentication Users and User Groups – VSA (user-group membership carried in RADIUS)
IAS configuration
1) IAS must tell the firewall which "user group" a user matching this policy belongs to. In the policy's "Edit Profile", open the "Advanced" tab.
2) Press "Add" to add a new Vendor-Specific attribute.
3) Enter 5089 in "Enter Vendor Code".
4) Click "Configure Attribute" and enter the attribute values.
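The following Python, added here as an illustration rather than taken from the training material or the firewall, builds and parses the RADIUS Vendor-Specific attribute that the IAS steps above configure: attribute type 26, the vendor id 5089 from step 3, and a vendor sub-attribute carrying the group name. The vendor sub-attribute number 1 for the user-group string and the group name "lan_users" are assumptions; the parser bounds-checks every length field so a malformed Access-Accept cannot make it read past the attribute.

```python
import struct

VENDOR_ID = 5089              # the vendor code entered in the IAS policy above
VSA_TYPE = 26                 # RADIUS Vendor-Specific attribute (RFC 2865)
USER_GROUP_VENDOR_TYPE = 1    # assumed: vendor sub-attribute number for the user-group string


def build_vsa(vendor_id, vendor_type, value):
    """Type | Length | Vendor-Id (4 bytes) | vendor-type | vendor-length | value."""
    if len(value) > 247:  # 255 - 2 (outer header) - 4 (vendor id) - 2 (inner header)
        raise ValueError("value too long for a single RADIUS attribute")
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body


def parse_vsa(avp):
    """Return (vendor_id, [(vendor_type, value), ...]); raise ValueError on anything
    malformed instead of trusting the length fields."""
    if len(avp) < 8 or avp[0] != VSA_TYPE or avp[1] != len(avp):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", avp[2:6])[0]
    subs, i = [], 6
    while i < len(avp):
        if i + 2 > len(avp):
            raise ValueError("truncated vendor sub-attribute header")
        vtype, vlen = avp[i], avp[i + 1]
        if vlen < 2 or i + vlen > len(avp):
            raise ValueError("vendor sub-attribute length overruns the attribute")
        subs.append((vtype, avp[i + 2:i + vlen]))
        i += vlen
    return vendor_id, subs


def user_groups(attributes, vendor_id=VENDOR_ID, vendor_type=USER_GROUP_VENDOR_TYPE):
    """Collect group names from the VSAs of an Access-Accept whose Response
    Authenticator has already been verified. VSAs of other vendors are ignored."""
    groups = []
    for avp in attributes:
        if not avp or avp[0] != VSA_TYPE:
            continue
        vid, subs = parse_vsa(avp)
        if vid != vendor_id:
            continue
        groups.extend(val.decode("utf-8") for vt, val in subs if vt == vendor_type)
    return groups
```

The group name only means something once the Access-Accept itself has been authenticated with the shared secret; the attribute is data, not proof, and a RADIUS reply from the wrong server with a well-formed VSA would otherwise grant group membership.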

43 Xauth

44 Xauth: the exchange of attribute payloads in ISAKMP messages

45 Xauth

46 When using the XAUTH agent there is no need to specify the receiving interface or the source network, as this information is not available at the XAUTH phase. For this reason only one XAUTH user authentication rule can be defined.

47 Identification List

48 Identification list: the ASN.1 DN fields that can be matched
- Country (C)
- State (ST)
- Locality (L)
- Organization name (O)
- Organization unit (OU)
- Common name (CN)
- Email

49 Identification List

50 Hands-on User Authentication

51 PPTP/L2TP

52 Architecture
- Function
- Protocols used
- Authentication
- Encryption

53 PPTP – protocols involved: control connection on TCP 1723; GRE tunnel, IP protocol 47

54 PPTP – the extended GRE header (RFC 2637): flag and version bytes, protocol type 0x880B, payload length, call ID, and optional sequence and acknowledgement numbers
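The following Python is an added example (not from the training material) that parses and builds the enhanced GRE header the slide shows, so the field layout can be checked against a real capture of IP protocol 47. The constructed test frame (call ID 42, sequence 1, acknowledgement 5, a four-byte PPP payload) is made up for the illustration; the field positions follow RFC 2637.

```python
import struct

GRE_PROTO_PPP = 0x880B   # protocol type for PPP carried in a PPTP tunnel (RFC 2637)


def parse_pptp_gre(frame):
    """Parse the enhanced GRE header that carries PPP inside a PPTP tunnel.
    Byte 0: C R K S s Recur(3)    Byte 1: A Flags(4) Ver(3)
    Then: protocol type (2), payload length (2), call ID (2),
    sequence number (4, if S) and acknowledgement number (4, if A)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than the fixed 8-byte GRE header")
    b0, b1, proto, payload_len, call_id = struct.unpack("!BBHHH", frame[:8])
    if proto != GRE_PROTO_PPP:
        raise ValueError(f"not PPTP: protocol type 0x{proto:04x}")
    if (b1 & 0x07) != 1 or not (b0 & 0x20):
        raise ValueError("enhanced GRE needs version 1 and the K (key) bit set")
    if b0 & 0xC0 or b0 & 0x08 or b0 & 0x07 or b1 & 0x78:
        raise ValueError("C, R, s, Recur and Flags must be zero in PPTP GRE")
    has_seq, has_ack = bool(b0 & 0x10), bool(b1 & 0x80)
    off, seq, ack = 8, None, None
    if has_seq:
        if len(frame) < off + 4:
            raise ValueError("truncated sequence number")
        seq = struct.unpack("!I", frame[off:off + 4])[0]
        off += 4
    if has_ack:
        if len(frame) < off + 4:
            raise ValueError("truncated acknowledgement number")
        ack = struct.unpack("!I", frame[off:off + 4])[0]
        off += 4
    payload = frame[off:]
    if len(payload) != payload_len:
        raise ValueError(f"payload length field {payload_len} != actual {len(payload)}")
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": payload}


def build_pptp_gre(call_id, payload, seq=None, ack=None):
    """Inverse of parse_pptp_gre; a pure acknowledgement has an empty payload and no S bit."""
    b0 = 0x20 | (0x10 if seq is not None else 0)   # K always set, S when carrying data
    b1 = 0x01 | (0x80 if ack is not None else 0)   # version 1, A when piggybacking an ack
    hdr = struct.pack("!BBHHH", b0, b1, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload
```

The call ID is the only thing tying a GRE packet to its TCP 1723 control session, so a firewall that passes protocol 47 without checking the call ID against an established control connection accepts GRE from anyone; that is what a PPTP ALG is for.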

55 L2TP

56 L2TP modes

57 L2TP in IP/UDP encapsulation: UDP port 1701

58 L2TP Decapsulation
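As an added example of the decapsulation step (illustrative code, not the firewall's), the following Python strips the L2TPv2 header (RFC 2661) from a UDP/1701 datagram, honouring the optional length, sequence and offset fields and rejecting control messages that violate the header rules. The two test datagrams, a ZLB acknowledgement and a data message carrying a PPP frame on tunnel 1 / session 7, are constructed for the illustration.

```python
import struct


def parse_l2tp(datagram):
    """Decapsulate an L2TPv2 header from a UDP/1701 payload.
    Flags/Ver (2 bytes): T L x x S x O P x x x x Ver(4), then optional Length,
    Tunnel ID, Session ID, optional Ns/Nr, optional Offset Size and padding."""
    if len(datagram) < 6:
        raise ValueError("shorter than the minimum L2TP header")
    flags = struct.unpack("!H", datagram[:2])[0]
    if (flags & 0x000F) != 2:
        raise ValueError("not L2TPv2")
    is_control = bool(flags & 0x8000)
    has_len = bool(flags & 0x4000)
    has_seq = bool(flags & 0x0800)
    has_off = bool(flags & 0x0200)
    priority = bool(flags & 0x0100)
    if is_control and not (has_len and has_seq):
        raise ValueError("control messages must carry the L and S bits")
    if is_control and (has_off or priority):
        raise ValueError("control messages must not set O or P")
    off = 2
    if has_len:
        length = struct.unpack("!H", datagram[2:4])[0]
        if length > len(datagram):
            raise ValueError("length field exceeds the datagram")
        datagram = datagram[:length]   # ignore trailing bytes beyond the declared length
        off = 4
    if len(datagram) < off + 4:
        raise ValueError("truncated tunnel/session id")
    tunnel_id, session_id = struct.unpack("!HH", datagram[off:off + 4])
    off += 4
    ns = nr = None
    if has_seq:
        if len(datagram) < off + 4:
            raise ValueError("truncated Ns/Nr")
        ns, nr = struct.unpack("!HH", datagram[off:off + 4])
        off += 4
    if has_off:
        if len(datagram) < off + 2:
            raise ValueError("truncated offset size")
        pad = struct.unpack("!H", datagram[off:off + 2])[0]
        off += 2 + pad
        if off > len(datagram):
            raise ValueError("offset padding exceeds the datagram")
    return {"control": is_control, "tunnel_id": tunnel_id, "session_id": session_id,
            "ns": ns, "nr": nr, "payload": datagram[off:]}
```

When L2TP runs over IPsec, this header is only visible after ESP decapsulation; a bare UDP 1701 datagram arriving from the Internet exposes the header and the PPP frame inside it to anyone on the path.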

59 Things to be aware of
Windows performs L2TP over IPsec by default. To make the client accept plain L2TP (no IPsec) it must be told not to require it:
– Click Start > Run, type regedit.
– Navigate to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > RasMan > Parameters.
– Double-click ProhibitIpSec, type 1 in the Value data field, select Hexadecimal as the base, then click OK (create the DWORD value if it does not exist).
– Reboot.
With this value set the L2TP tunnel and the PPP frames inside it are sent over UDP 1701 without IPsec, so the tunnelled traffic has no confidentiality on the path.

60 Things to be aware of

61

62 L2TP over IPsec – Configuration Concept
Configuration concept – server
–User database (local, external)
–IP address object
–IPsec tunnel
–L2TP tunnel
–Authentication
–IP rule

63 L2TP over IPSec – Configuration Concept 1 2 3 1 2 3 2

64 PPTP LAN-to-LAN Scenario

65 PPTP LAN-to-LAN Configuration Concept
Configuration concept – server
–IP address object
–User database (local, external)
–PPTP tunnel (server)
–Authentication
–IP rule

66 PPTP LAN-to-LAN Central Office – IP Address
Treeview: Objects => Address Book

67 PPTP LAN-to-LAN Central Office – User Database
Treeview: User Authentication => Local User Database

68 PPTP LAN-to-LAN Central Office – Tunnel
Treeview: Interfaces => PPTP/L2TP Servers

69 PPTP LAN-to-LAN Central Office – User Authentication Rule
Treeview: User Authentication => User Authentication Rules

70 PPTP LAN-to-LAN Central Office – IP Rule
Treeview: Rules => IP Rules

71 PPTP LAN-to-LAN Configuration Concept
Configuration concept – client
–IP address
–PPTP tunnel (client)
–IP rule

72 PPTP LAN-to-LAN New York – Address
Treeview: Objects => Address Book

73 PPTP LAN-to-LAN New York – PPTP Client
Treeview: Interfaces => PPTP/L2TP Client

74 PPTP LAN-to-LAN New York – IP Rule
Treeview: Rules => IP Rules

75 PPTP LAN-to-LAN Done: activate the configuration

76 PPTP LAN-to-LAN Verification on the CO site

77 Hands on PPTP LAN-to-LAN

78 Troubleshooting

79 Troubleshooting by layers
7 – Application
6 – Presentation
5 – Session
4 – Transport
3 – Network
2 – Data Link
1 – Physical

80 Approach

81 Troubleshooting: what's in your tool bag?

82 Tool bag – WebUI – Layer 1

83 Tool bag – CLI – Layer 1
DFL-800:/> ifstat wan1
Iface wan1
  Builtin r8139/8129 - Realtek RTL8139 Fast Ethernet
  Bus 0 Slot 2 IRQ 0
  Media          : "100BaseTx"
  Link Status    : 100 Mbps full Duplex (autonegotiated)
  Receive Mode   : Undefined
  MTU            : 1500
  Link Partner   : 10BASE-T, 10BASE-T FD, 100BASE-TX, 100BASE-TX FD
  IP Address     : 10.254.0.180
  Hw Address     : 0013:463d:876a
  PBR Membership : main
Software Statistics:
  Soft received : 123117   Soft sent : 175208   Send failures : 0   Dropped : 36   IP Input Errs : 0
Driver information / hardware statistics:
  IN : packets= 13  bytes= 854  errors= 0  dropped= 0
  OUT: packets= 10  bytes= 600  errors= 0  dropped= 0
  Collisions            : 0
  In : Length Errors    : 0
  In : Overruns         : 0
  In : CRC Errors       : 0
  In : Frame Errors     : 0
  In : FIFO Overruns    : 0
  In : Packets Missed   : 0
  Out: Sends Aborted    : 0
  Out: Carrier Errors   : 0
  Out: FIFO Underruns   : 0
  Out: SQE Errors       : 0
  Out: Late Collisions  : 0

84 Tool bag – WebUI – Layer 3

85 Tool bag – CLI – Layer 3
DFL-800:/> routes -all -v
Flags  Network             Iface       Gateway      Local IP   Metric
-----  ------------------  ----------  -----------  ---------  ------
       127.0.0.1           core        (Iface IP)              0
       10.254.0.180        core        (Iface IP)              0
       192.168.120.254     core        (Iface IP)              0
       172.17.100.254      core        (Iface IP)              0
       192.168.12.1        core        (Iface IP)              0
       220.132.138.26      core        (Iface IP)              0
       192.168.1.0/24      ipsec_t1                            90
       10.254.0.0/24       wan1                                100
       192.168.120.0/24    wan2                                100
       172.17.100.0/24     dmz                                 100
       192.168.12.0/24     lan                                 100
       224.0.0.0/4         core        (Iface IP)              0
       0.0.0.0/0           ADSL1                               90

86 Tool bag – CLI – Layer 3
DFL-800:/> ping 168.95.1.1 -srcip=192.168.12.150 -recvif=lan -length=1400 -verbose
Rule and routing information for ping:
  PBR selected by rule "iface_member_main" - PBR table "main"
  allowed by rule "allow_ping-outbound"
  sent via route "0.0.0.0/0 via ADSL1, no gw" in PBR table "main"
Sending 1 1400-byte ping to 168.95.1.1 from 220.132.138.26.
Reply from 168.95.1.1 seq=0 time=150 ms TTL=248
Ping Results: Sent: 1, Received: 1, Loss: 0%, Avg RTT: 150.0 ms

Syntax: ping <destination ip> [-count=<n>] [-length=<bytes>] [-pbr=<table>] [-recvif=<iface>] [-srcip=<ip>] [-verbose]
With -srcip and -recvif the ping is evaluated as if it had arrived from a LAN host, so the verbose output shows which rule allowed it, which routing table and route were chosen, and which source address it left with (here NAT to 220.132.138.26 via ADSL1), without needing a client on the LAN.

87 Troubleshooting – logging
The log is your best friend
- Default log severity
- Log reference

88 Troubleshooting – logging

89 Troubleshooting – IP rule set
DFL-800:/> rules 1-5 -ruleset=main -v
Contents of ruleset; default action is DROP
#  Act.   Source                 Destination            Protocol/Ports
-- -----  ---------------------- ---------------------- --------------
1  Drop   lan:192.168.1.0/24     wan1:0.0.0.0/0         "smb-all"           "drop_smb-all"            Use: 0
2  NAT    lan:192.168.1.0/24     wan1:0.0.0.0/0         "ping-outbound"     "allow_ping-outbound"     Use: 0
3  NAT    lan:192.168.1.0/24     wan1:0.0.0.0/0         "ftp-passthrough"   "allow_ftp-passthrough"   Use: 0
4  NAT    lan:192.168.1.0/24     wan1:0.0.0.0/0         "all_tcpudp"        "allow_standard"          Use: 0
5  Allow  lan:192.168.1.0/24     core:192.168.1.1       "ping-inbound"      "ping_fw"                 Use: 1

Syntax: rules [range] [-ruleset=<name>] [-schedule] [-verbose]

90 Troubleshooting in the IP rule set
Clear the Use counters shown by rules -v, reproduce the problem, then read the counters again to see which rule the traffic actually hit:
> connections -close -all
> reconfigure
> rules -v

91 Troubleshooting – final solution
When the problem cannot be identified from rules and logs:
–Capture packets on both the inside and the outside of the firewall.
–Make sure the clocks of the capture host and of the firewall log agree, so capture and log entries can be correlated.

92 Troubleshooting – final solution: time accuracy in the DFL


94 Troubleshooting – final solution: time accuracy in the DFL
> time -sync [-force]
DFL-800:/> time -sync
Timesync: Clockdrift (-4337s) too high (max +/-600s) -> Clock not updated!
DFL-800:/> time -sync -force
Attempting to synchronize system time...
Server time: 2007-06-13 18:08:24 (UTC+08:00)
Local time:  2007-06-13 18:05:24 (UTC+08:00) (diff: -180)
Local time successfully changed to server time.
A plain sync refuses a drift larger than the configured maximum (here 600 s); -force overrides that limit.

95 Troubleshooting – final solution: time accuracy on the traffic analyzer

96 Troubleshooting – final solution: time format on the traffic analyzer

98 Troubleshooting – final solution: capture options on the traffic analyzer

99 Troubleshooting – final solution

100 END
