[vpn] help!!!

dgillett at deepforest.org
Fri Oct 26 04:09:47 EDT 2001


> Why must there be two IP addresses for a firewall? For a router
> also?

  A router is a computer that -- besides any other functions it might 
have -- is configured to accept and forward packets for which it is 
not the final destination.
  There's nothing to say that a computer with a single interface 
cannot do this.  However, since in that case every packet *could* 
have been sent directly to its next destination without being handled 
by the router, this case is considered somewhat wasteful and not 
really useful.
  In the more common case, a router will have interfaces on at least 
two networks, and its job will be to pass traffic from one network to 
the other (and, usually, back the other way as well).
  Since those interfaces are on different networks -- and since part 
of any routable address identifies the network on which the address 
resides! -- they must have different addresses.

  A firewall is a gateway (routers that connect multiple networks are 
the most common, but not the only, kind of gateway) between two 
different trust/security domains.  If those domains were on the same 
network/subnet, it would be possible for traffic to flow between the 
domains without being handled by the firewall.  The firewall would 
not be acting as a security boundary in that case.

> 1.	When I configure a router with network translation, what is
> actually "seen" by the outside world (internet)? As the RFC
> private non-routable addresses of the company are translated, is it
> just ONLY the firewall's public IP address which is visible to the
> outside world? What if internal servers are accessible to the
> outside world and have public IP addresses? Are these IP
> addresses seen as is, i.e. with their own publicly assigned IP
> addresses to the outside world when they go through the company
> firewall to communicate with another server on the internet, or is it
> the address of the firewall which is systematically substituted for
> these addresses and therefore the only visible address seen by the
> outside world?

  There are three typical scenarios (simplified):

1. PAT (Port Address Translation)
  When an internal machine initiates a connection to the outside, the 
internal origin address and port number are translated to the 
router's external address and some "random" available port number.  
The router enters this translation in a table, so when a reply is 
received on that port number, it can be forwarded to the inside 
address and port number from which the connection originated.  
Obviously, this has issues for connectionless protocols, but creating 
a temporary mapping with a timeout seems to work reasonably well for 
UDP, for instance.

2. Dynamic NAT
  Similar, but the router has a pool of external addresses available, 
and this makes it easier to (a) preserve the originating port number, 
and/or (b) associate related return traffic with the correct client 
(e.g., the data channel connection in non-PASV FTP).

3. Static NAT
  A given external address is paired with a given internal address.  
This is typically used for externally-visible servers (which, by the 
way, *ought* to be in a separate trust/security domain from other 
internal hosts, called a "DMZ").  To answer your question, such a 
server usually knows itself only by its internal IP address[*], and 
internal clients may refer to it by that address.  OR they may refer 
to it by external address, in which case their traffic must visit the 
router to translate the origin to an external address -- and 
immediately again, to translate the destination to an internal 
address.

[*] Some components may need to know the external address, to deal 
with things like SSL certificates or protocols that embed address 
information in the payload and not just in the headers.  I did say 
this description was simplified....

> 2.	A router is itself a sort of firewall for IP filtering, right?
> But a PC connected to a router where software performs some
> sort of application filtering is also a firewall, right? When I
> read articles on firewalls, there is no mention of what kind of
> firewall is used. Do I sound confused?

  ONE kind of firewall is pretty much a router with packet filtering. 
BUT:
  (a) A router is a traffic-transport device, and tends to default to 
"forward all traffic".  A firewall is a *security* device, and should 
default to "forward NO traffic".  Also, modern packet-filter 
firewalls do "stateful inspection", checking that inbound traffic is 
part of properly initiated sessions; consumer-grade router packet 
filters may just check the port number against a static list.
  (b) The best generic definition of firewall is "a component that 
enforces a security policy".  This can be done in several different 
ways (packet filtering, application proxying), in hardware or in 
software, on an endpoint host or on some intermediate gateway.
  I agree that it is unfortunate that network filter software for PCs 
has been christened by the makers "software firewalls", and even more 
unfortunate that many users shorten this to "firewalls".

> 3.	An ACL on a Cisco router allows traffic based on IP source and
> destination addresses, port and protocol, as well as traffic
> direction. What does it mean to say that traffic is allowed to
> circulate only from source address A to destination address B? If
> A sends traffic to B, and B replies to A, traffic is necessarily a
> two-way issue, isn't it? If the ACL says: only A--> B, then A will
> never ever get replies from B since only a unidirectional flow is
> permitted. Do I sound silly with this question?

  An ACL, once defined, is then applied separately to each direction 
(in or out) on each interface.  So the application of the ACL in your 
example says something like "traffic A->B is allowed to come IN on 
THIS interface".  Traffic B->A should never come IN on THIS interface 
-- if it passes this way at all, it should come in on some other 
interface, and *may* go OUT on this one.  So there should probably be 
a corresponding B->A rule, but because it applies somewhere else, it 
will have to be in a different ACL to be useful.

David Gillett


On 25 Oct 2001, at 10:51, TAN, Raymond wrote:

> 	Hello,
> 
> 	I'm acquainted with firewalls, routers, networking, network address
> translation, PAT, etc. ... but really only from an academic point of view, from
> readings here and there. I've no practical experience at all in setting up
> and managing a network, be it LAN or WAN. My real problem is therefore
> "seeing" how real equipment is placed. How they are physically connected.
> Why must there be two IP addresses for a firewall? For a router also?
> etc., etc. Most configurations I see in magazines give a schematic
> representation but don't deal with such basic practical questions, and it
> doesn't really help me at all. 
> 
> 	Also, questions which often crop up, like: 
> 1.	When I configure a router with network translation, what is actually
> "seen" by the outside world (internet)? As the RFC private non-routable
> addresses of the company are translated, is it just ONLY the firewall's
> public IP address which is visible to the outside world? What if internal
> servers are accessible to the outside world and have public IP
> addresses? Are these IP addresses seen as is, i.e. with their own publicly
> assigned IP addresses to the outside world when they go through the company
> firewall to communicate with another server on the internet, or is it the address
> of the firewall which is systematically substituted for these addresses and
> therefore the only visible address seen by the outside world? 
> 2.	A router is itself a sort of firewall for IP filtering, right? But
> a PC connected to a router where software performs some sort of
> application filtering is also a firewall, right? When I read articles on
> firewalls, there is no mention of what kind of firewall is used. Do I
> sound confused? 
> 3.	An ACL on a Cisco router allows traffic based on IP source and
> destination addresses, port and protocol, as well as traffic direction. What
> does it mean to say that traffic is allowed to circulate only from source
> address A to destination address B? If A sends traffic to B, and B replies to
> A, traffic is necessarily a two-way issue, isn't it? If the ACL says: only
> A--> B, then A will never ever get replies from B since only a unidirectional
> flow is permitted. Do I sound silly with this question?
> 4.	And so many other questions in this vein: Sendmail, DNS, ..... which
> is really fascinating and captivating. But I hope that someone can enlighten
> me on the first three questions.
> 
> 	Sorry about asking these basic questions, which probably shouldn't
> figure here. But I'm really at a loss as to where I can find clear practical
> answers to my questions, because surfing the net hasn't really helped me
> find the right (non-academic) answers. I find a number of sites, but maybe I
> didn't open or check the right ones. I don't know about lists or
> newsgroups where I can subscribe so as to get the "feel" of the whole
> thing.
> 
> 	If anyone has got a tutorial, a short practical guide about all
> that's necessary to set up a LAN, WAN, VPN, etc., or knows about a site with
> good clear concrete examples and explanations, please can you send me
> the URL links?
> 
> 	I need to know, as I'm new in this job and have no way of going
> through a course to help me understand the network issue from a very
> pragmatic point of view.
> 
> 	Thanks a lot in advance for any help given.
> 
> 	RT
> 
> VPN is sponsored by SecurityFocus.com
> 



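The PAT and static NAT scenarios in David Gillett's reply above, worked through as an added example that is not part of this thread: a toy Python gateway that shares one external address for outbound sessions (PAT), pairs a server with its own external address (static NAT), drops unsolicited inbound packets, expires idle UDP mappings, and handles the "hairpin" case where an internal client addresses the server by its external address and is translated twice. The addresses (10.0.0.0/8 inside, 203.0.113.1 as the gateway's shared external address, 203.0.113.10 statically mapped to the server 10.0.0.5, 198.51.100.7 as an outside host), the port range and the timeouts are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """One external address shared by PAT for outbound sessions, plus optional
    static 1:1 mappings for externally visible servers.  The timeouts are
    constructed values for this example, not any vendor's defaults."""
    TIMEOUT = {"tcp": 3600, "udp": 30}   # seconds of idleness before a mapping dies

    def __init__(self, inside_net, ext_addr, static=None):
        self.inside = ipaddress.ip_network(inside_net)
        self.ext_addr = ext_addr
        self.static_out = dict(static or {})                 # internal -> external
        self.static_in = {e: i for i, e in self.static_out.items()}
        self.pat = {}          # (proto, ext_port) -> [int_ip, int_port, expires_at]
        self.next_port = 40000

    def _inside(self, ip):
        return ipaddress.ip_address(ip) in self.inside

    def _expire(self, now):
        for key in [k for k, v in self.pat.items() if v[2] <= now]:
            del self.pat[key]

    def _pat_port(self, pkt, now):
        """Reuse a live mapping for this internal endpoint, or allocate a port."""
        for (proto, eport), entry in self.pat.items():
            if proto == pkt.proto and entry[:2] == [pkt.src, pkt.sport]:
                entry[2] = now + self.TIMEOUT[proto]
                return eport
        while (pkt.proto, self.next_port) in self.pat:
            self.next_port += 1
        eport, self.next_port = self.next_port, self.next_port + 1
        self.pat[(pkt.proto, eport)] = [pkt.src, pkt.sport, now + self.TIMEOUT[pkt.proto]]
        return eport

    def forward(self, pkt, now=0):
        """Return the packet as it leaves the gateway, or None if it is dropped."""
        self._expire(now)
        # Step 1: rewrite the source of anything that originates inside.  A host
        # with a static mapping keeps its port; everyone else shares ext_addr.
        if self._inside(pkt.src):
            if pkt.src in self.static_out:
                pkt = replace(pkt, src=self.static_out[pkt.src])
            else:
                pkt = replace(pkt, src=self.ext_addr, sport=self._pat_port(pkt, now))
        # Step 2: rewrite the destination if it is one of our external addresses.
        # This serves real inbound traffic and the "hairpin" case where an
        # internal client addressed the server by its external address.
        if pkt.dst in self.static_in:
            return replace(pkt, dst=self.static_in[pkt.dst])
        if pkt.dst == self.ext_addr:
            entry = self.pat.get((pkt.proto, pkt.dport))
            if entry is None:
                return None         # nobody inside asked for this: unsolicited, dropped
            entry[2] = now + self.TIMEOUT[pkt.proto]
            return replace(pkt, dst=entry[0], dport=entry[1])
        return pkt                  # plain inside -> outside traffic


if __name__ == "__main__":
    gw = NatGateway("10.0.0.0/8", "203.0.113.1", static={"10.0.0.5": "203.0.113.10"})
    # PAT: a UDP query from a client leaves as 203.0.113.1:40000 ...
    print(gw.forward(Packet("udp", "10.0.0.20", 5353, "198.51.100.7", 53), now=0))
    # ... the reply to that port finds its way back, but not once the mapping has expired.
    print(gw.forward(Packet("udp", "198.51.100.7", 53, "203.0.113.1", 40000), now=10))
    print(gw.forward(Packet("udp", "198.51.100.7", 53, "203.0.113.1", 40000), now=100))
    # Static NAT: the outside reaches the server by its public address.
    print(gw.forward(Packet("tcp", "198.51.100.7", 51000, "203.0.113.10", 80)))
    # Hairpin: an inside client using the public address is translated twice.
    print(gw.forward(Packet("tcp", "10.0.0.20", 44444, "203.0.113.10", 80)))
```

What the outside world "sees" falls out of the table: the only reachable things on 203.0.113.1 are ports that an inside host opened, and they stop being reachable when the mapping times out; 203.0.113.10 is reachable at any time because its mapping is static. The hairpin case shows the double translation the reply describes (source to the external address, then destination back to the internal one). Protocols that carry addresses in the payload, the footnote's caveat, are not handled here.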
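The ACL-direction answer and the router-versus-firewall distinction in the reply above, as an added example that is not part of this thread: a Python simulation of a two-interface router that evaluates a small subset of Cisco extended-ACL syntax separately per interface and direction, with the implicit deny at the end of every ACL, plus a subclass with the firewall default (nothing passes without a rule) that admits replies to sessions it saw being opened. The interface names, ACL numbers 101 and 102, the hosts 10.0.0.5 (A) and 198.51.100.7 (B) and the supported syntax subset are assumptions for the example, not a description of any IOS release.

```python
import ipaddress

def parse_ace(line):
    """Parse one Cisco-style extended ACL entry; supported subset:
    <permit|deny> <proto> <host A|any> [eq N] <host B|any> [eq N]"""
    tok = line.split()
    ace = {"action": tok[0], "proto": tok[1]}
    i = 2
    for side in ("src", "dst"):
        if tok[i] == "any":
            ace[side], i = "any", i + 1
        elif tok[i] == "host":
            ace[side], i = tok[i + 1], i + 2
        else:
            raise ValueError("only 'host X' and 'any' are supported: " + line)
        ace[side + "_port"] = None
        if i < len(tok) and tok[i] == "eq":
            ace[side + "_port"], i = int(tok[i + 1]), i + 2
    return ace

def matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt["proto"])
            and ace["src"] in ("any", pkt["src"]) and ace["dst"] in ("any", pkt["dst"])
            and ace["src_port"] in (None, pkt["sport"])
            and ace["dst_port"] in (None, pkt["dport"]))

def packet(proto, src, sport, dst, dport):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

class Router:
    """Forwards everything unless an ACL bound to the interface and direction
    the packet is crossing says otherwise (the transport-device default)."""
    DEFAULT_WITHOUT_ACL = True

    def __init__(self, routes):
        # routes: {"10.0.0.0/8": "inside", "0.0.0.0/0": "outside"}; longest prefix wins
        self.routes = {ipaddress.ip_network(n): ifc for n, ifc in routes.items()}
        self.acls = {}        # ACL name -> [ace, ...]
        self.bindings = {}    # (interface, "in" | "out") -> ACL name

    def access_list(self, name, *entries):
        self.acls.setdefault(name, []).extend(parse_ace(e) for e in entries)

    def access_group(self, interface, direction, name):
        self.bindings[(interface, direction)] = name

    def _egress(self, dst):
        ip = ipaddress.ip_address(dst)
        for net, ifc in sorted(self.routes.items(), key=lambda r: -r[0].prefixlen):
            if ip in net:
                return ifc
        return None

    def _check(self, interface, direction, pkt):
        name = self.bindings.get((interface, direction))
        if name is None:
            return self.DEFAULT_WITHOUT_ACL
        for ace in self.acls[name]:
            if matches(ace, pkt):
                return ace["action"] == "permit"
        return False      # every ACL ends with an implicit deny

    def forward(self, ingress, pkt):
        if not self._check(ingress, "in", pkt):
            return "dropped: " + ingress + " in"
        egress = self._egress(pkt["dst"])
        if egress is None:
            return "dropped: no route"
        if not self._check(egress, "out", pkt):
            return "dropped: " + egress + " out"
        return "forwarded: " + ingress + " -> " + egress

class StatefulFirewall(Router):
    """Same ACL machinery with the security-device default: nothing passes
    without a rule, except the reverse of a flow a rule already admitted.
    Sessions never age out here; a real product must expire them."""
    DEFAULT_WITHOUT_ACL = False

    def __init__(self, routes):
        super().__init__(routes)
        self.sessions = set()   # (proto, src, sport, dst, dport) of admitted flows

    def _check(self, interface, direction, pkt):
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = key[:1] + key[3:5] + key[1:3]
        if key in self.sessions or reverse in self.sessions:
            return True       # admitted on ingress already, or a reply to a known session
        if super()._check(interface, direction, pkt):
            self.sessions.add(key)
            return True
        return False

if __name__ == "__main__":
    A, B = "10.0.0.5", "198.51.100.7"
    r = Router({"10.0.0.0/8": "inside", "0.0.0.0/0": "outside"})
    r.access_list("101", f"permit tcp host {A} host {B} eq 80")
    r.access_group("inside", "in", "101")
    request, reply = packet("tcp", A, 51000, B, 80), packet("tcp", B, 80, A, 51000)
    print(r.forward("inside", request), r.forward("outside", reply))
```

With ACL 101 bound only to "inside in", B's reply arrives on the outside interface, where 101 is never consulted, so on a plain router it is forwarded by default. Bind any ACL to "outside in" and the reply is dropped by that ACL's implicit deny until it contains its own `permit tcp host B eq 80 host A` entry, which is the "corresponding rule in a different ACL" of the reply. That stateless rule also admits anything from B's port 80 to any port on A; the `StatefulFirewall` subclass admits only the reverse of a session it saw opened, which is the stateful-inspection behaviour the reply contrasts with static port lists. On IOS the `established` keyword on a TCP entry (matching segments with ACK or RST set) is the traditional stateless approximation of that reply rule; it is mentioned here only as context, not something the thread discusses.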