Firewalls and Network Address Translation (NAT) Chapter 7

Highlights Firewalls: To protect against attacks Two types Proxy firewalls Packet-filtering firewalls NAT: To address diminishing pool of IP addresses Popularity of both have surged due to different reasons

Packet-filters popular filters involve undesired IP addresses or options types of ICMP messages various UDP or TCP services, based on the port numbers contained in each packet

Typical Packet-filtering configuration A typical packet-filtering firewall configuration. The firewall acts as an IP router between an “inside” and an “outside” network, and sometimes a third “DMZ” or extranet network, allowing only certain traffic to pass through it. A common configuration allows all traffic to pass from inside to outside but only a small subset of traffic to pass in the reverse direction. When a DMZ is used, only certain services are permitted to be accessed from the Internet.

Protocol Operation The proxy firewall acts as a multihomed Internet host, terminating TCP connections and UDP associations at the application layer. It does not act as a conventional IP router but rather as an ALG (Application Layer Gateway). Individual applications or proxies for each service supported must be enabled for communication to take place through the proxy firewall.

Proxy Firewall Quite secure Brittle and lack of flexibility New apps must have corresponding proxy Apps must have mechanisms to discover proxy

Types of Proxy Firewall HTTP proxy firewalls SOCKs firewalls More generic than HTTP proxy Version 4: basic support Version 5: adds authentication, UDP traversal, and IPv6 addressing Application must be socksified: rewritten to use SOCKS The client uses the SOCKS protocol to request the proxy to perform network connections, and optionally, DNS lookups

NAT: network address translation local network (e.g., home network) /24 rest of Internet datagrams with source or destination in this network have /24 address for source, destination (as usual) all datagrams leaving local network have same single source NAT IP address: ,different source port numbers

Motivation: local network uses just one IP address as far as outside world is concerned: range of addresses not needed from ISP: just one IP address for all devices can change addresses of devices in local network without notifying outside world can change ISP without changing addresses of devices in local network devices inside local net not explicitly addressable, visible by outside world (a security plus) NAT: network address translation

implementation: NAT router must: outgoing datagrams: replace (source IP address, port #) of every outgoing datagram to (NAT IP address, new port #)... remote clients/servers will respond using (NAT IP address, new port #) as destination addr remember (in NAT translation table) every (source IP address, port #) to (NAT IP address, new port #) translation pair incoming datagrams: replace (NAT IP address, new port #) in dest fields of every incoming datagram with corresponding (source IP address, port #) stored in NAT table NAT: network address translation

S: , 3345 D: , : host sends datagram to , 80 NAT translation table WAN side addr LAN side addr , , 3345 …… S: , 80 D: , S: , 5001 D: , : NAT router changes datagram source addr from , 3345 to , 5001, updates table S: , 80 D: , : reply arrives dest. address: , : NAT router changes datagram dest addr from , 5001 to , 3345 NAT: network address translation

16-bit port-number field: 65,000+ simultaneous connections with a single LAN-side address! NAT is controversial: routers should only process up to layer 3 violates end-to-end argument NAT possibility must be taken into account by app designers, e.g., P2P applications address shortage should instead be solved by IPv6 NAT: network address translation

NAT traversal problem client wants to connect to server with address server address local to LAN (client can’t use it as destination addr) only one externally visible NATed address: solution1: statically configure NAT to forward incoming connection requests at given port to server e.g., ( , port 2500) always forwarded to port NAT router client ?

NAT traversal problem solution 2: Universal Plug and Play (UPnP) Internet Gateway Device (IGD) Protocol. Allows NATed host to:  learn public IP address ( )  add/remove port mappings (with lease times) i.e., automate static NAT port map configuration NAT router IGD

NAT traversal problem solution 3: relaying (used in Skype) NATed client establishes connection to relay external client connects to relay relay bridges packets between connections client 1. connection to relay initiated by NATed host 2. connection to relay initiated by client 3. relaying established NAT router

Drawbacks of NAT Privately addressed systems are not reachable from outside Runs counter to the fundamental tenet of the Internet Protocols: the “smart edge” and “dumb middle” Modifying transport header requires recomputing transport layer checksum

An Example A NAT isolates private addresses and the systems using them from the Internet. Packets with private addresses are not routed by the Internet directly but instead must be translated as they enter and leave the private network through the NAT router. Internet hosts see traffic as coming from a public IP address of the NAT.

NAT Traditional NAT (just referred to as NAT in the text): Basic NAT: rewrite IP address only (not popular) NAPT: Network Address Port Translation

Basic NAT and NAPT A basic IPv4 NAT (left) rewrites IP addresses from a pool of addresses and leaves port numbers unchanged. NAPT (right), also known as IP masquerading, usually rewrites address to a single address. NAPT must sometimes rewrite port numbers in order to avoid collisions. In this case, the second instance of port number was rewritten to use port number 3000 so that returning traffic for could be distinguished from the traffic returning to

Security via NAT blocks almost all incoming new connection requests inhibits “probing” attacks that attempt to ascertain which IP addresses have active hosts available to exploit NAT (especially NAPT) “hides” the number and configuration of internal addresses from the outside.

NAT and TCP Observe the packet flow (RST, SYN, FIN, ACK) etc. Use TCP state diagram and run appropriate timers to estimate if the connection state needs to be maintained or not Need to account for Keepalive timers: 2 hours Max idle time during setup/teardown: 4 mins

NAT and UDP No special packets (SYN, FIN, RST etc.) Fragmentation into multiple IP packets Port number absent in fragments after the first one

NAT and ICMP Error Messages Usually contain a copy of the packet which has IP header with IP addresses (may need to be changed as well) Informational messages Usually of query/response type Query ID can be used like the port number

NAT and tunneled Packets Need to rewrite header of tunneled packets

NAT and Multicast Outside to Inside No modification to dest IP and port Inside to Outside Modify source IP and port as usual

Address & Port Translation Behavior

Translation and Filtering Behavior NameTranslation BehaviorFiltering Behavior Endpoint-independentX1 ′ :x1 ′ = X2 ′ :x2 ′ for all Y2:y2 (required) Allows any packets for X:x as long as any X1 ′ :x1 ′ exists (recommended for greatest transparency) Address-dependentX1 ′ :x1 ′ = X2 ′ :x2 ′ iff Y1 = Y2Allows packets for X:x from Y1:y1 as long as X has previously contacted Y1 (recommended for more stringent filtering) Address- and port-dependentX1 ′ :x1 ′ = X2 ′ :x2 ′ iff Y1:y1 = Y2:y2 Allows packets for X:x from Y1:y1 as long as X has previously contacted Y1:y1

Hairpinning and NAT Loopback A NAT that implements hairpinning or NAT loopback allows a client to reach a server on the same side of the NAT using the server’s external IP address and port numbers. That is, X1 can reach X2:x2 using the addressing information X2 ′ :x2 ′. X1 is connecting to external address of X2 What is the source address of the packet sent to X2?

NAT Editors What if application layer payload contains IP address and port numbers? FTP What if the application payload length changes TCP numbers every byte NAT Editors need to understand a lot of protocols and their interactions and must have the ability to change the corresponding bits in the packets

Service Provider NAT (SPNAT), Carrier-Grade NAT (CGN) or Large Scale NAT (LSN) Move NATing to the ISPs Functionally similar to NAT

Hole Punching A method that allows multiple devices, each behind NAT to communicate directly using pinholes Clients first connect to a server Server provides external addresses to the clients so that they can directly connect

Does Hole Punching Work? Suppose A and B both connect with server S1 and exchange their external IP addresses ( and ) S1 sends the other clients information to each client Can A and B connect directy? Yes, if the NATs are endpoint-independent No, if the NATs are address dependent OR address and port dependent

UNSAF Unilateral Self-Address Fixing Client/Server based Query server to find my external address But answer depends on who you ask B gets different answers from S1 and S2 Maintaining consistency between NAT topology and the server data is difficult

Session Traversal Utilities for NAT (STUN) A standardized mechanism for realizing the UNSAF concept A set of methods and a network protocol to allow an end host to discover its public IP address if it is located behind a NAT STUN Servers have globally reachable IP addresses Server echoes back requests sent to it in a way that allows clients to find their external addresses

TURN (Traversal Using Relays around NAT) Used as a last resort if two systems are unable to communicate directly E.g., due to address or port dependent NAT bindings Plumbing is done by the TURN server The TURN server provides an address that is used by the clients to communicate It is an extension of STUN

TURN (Traversal Using Relays around NAT)

ICE (Interactive Connectivity Establishment) Generic technique to help applications behind NAT establish connectivity Uses TURN to obtain candidate transport addresses that each agent may use ICE orders the list of pairs of addresses and sends to peer agent Peer agent performs a similar task A set of checks are performed to determine the best pair to use (all pairs may be checked)

Configuring Packet-Filtering Firewalls EXTIF="ext0" INTIF="eth0" LOOPBACK_INTERFACE="lo" ALL=" /0" # matches all # set default filter table policies to drop iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP # all local traffic OK iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT iptables -A OUTPUT -i $LOOPBACK_INTERFACE -j ACCEPT # accept incoming DHCP requests on internal interface iptables -A INPUT -i $INTIF -p udp -s \ --sport 67 -d dport 68 -j ACCEPT # drop unusual/suspect TCP traffic with no flags set iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

NAT Rules NAT is called Internet Connection Sharing (ICS): Windows is assigned to the machine running ICS DHCP and DNS servers are started on that machine /24 are assigned to other devices If DHCP/DNS are running and/or /24 is in use, default settings need to be changed NAT is called IP Masquerading: Linux

NAT Rules: A Linux Example EXTIF="ext0" echo "Default FORWARD policy: DROP" iptables -P FORWARD DROP echo "Enabling NAT on $EXTIF for hosts /24" iptables -t nat -A POSTROUTING -o $EXTIF -s /24 \ -j MASQUERADE echo "FORWARD policy: DROP unknown traffic" iptables -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP iptables -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP