




Address Translation

Protocol and Application Issues (1)
Applications with Multiple Connections
Protocol and Application Issues (2)
Applications and Embedded Addressing Information
Protocol and Application Issues (3)
Applications and Security Issues

TCP Connection Example

Parts 1 and 2

The appliance compares the packet information against the existing connections in the state table to determine whether the packet is new or part of an existing connection. Since it is a new connection, it won't be found. The appliance then looks for an ACL applied inbound on the interface. If one exists, the packet must match a permit statement in the list of statements to be allowed. If the packet is allowed, the appliance then compares the packet header information with the existing translation entries in the translation table to see if an existing translation can be used, or if a new one needs to be created. I'll assume, however, that this is the first time the source has sent a packet through the appliance, so no existing translation entries in the xlate table will match.

Next, the appliance compares the information in the packet header with the configured translation policies (static and dynamic) for a match. If a match is not found, the packet is dropped. If a match is found, a translation entry is built and added to the xlate table, the TCP sequence number is randomized, and the TCP connection is added to the conn table. The appliance then increments the embryonic connection counter. An embryonic connection is a half-open connection: it hasn't gone through the three-way handshake. The appliance keeps track of this kind of information to limit the effectiveness of TCP SYN flood attacks. If the limit is exceeded, the appliance will implement its TCP Intercept feature, discussed later in the chapter.
The two idle timers are then started for the connection in the conn and xlate tables respectively.

Parts 3 and 4

Once the destination receives the packet, it responds with a TCP SYN/ACK. Upon receiving the packet, the appliance compares the header information with the conn table to find a match; in this case, since the source initiated the connection in part 1, the connection is in the table. The appliance then validates the idle timer to ensure that the entry in the state table hasn't expired: if the entry has expired, it is removed from the conn table and the packet is dropped. If there wasn't a match in the conn table, or the entry had timed out, the ACL on the interface would be used to validate whether the packet was allowed inbound to the inside interface. The appliance then undoes the randomization of the acknowledgment number. This is the Sequence Number Randomization (SNR) feature at work, which is used to defeat session hijacking attacks.

Parts 5 and 6

In part 5, the source completes the three-way handshake by sending a TCP ACK, shown in Figure 5-5. The appliance first compares the packet information to the existing connections in the state table to determine whether the packet is new or part of an existing connection. Since it is an existing connection, it should be in the state table. If you examine the Outside Network column above part 2, it shows the packet header as it leaves the appliance: notice that the source address was changed because of a match on the configured translation policy, and the TCP sequence number was randomized. The corresponding idle timers in the conn and state tables are reset, and the packet is forwarded to the destination, shown in part 6. Again, the appliance keeps track of the packets for the connection and updates the conn table appropriately.
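The conn-table handling described in parts 1 through 6, as an added Python model (example code, not the appliance's own implementation): the embryonic counter and its limit, sequence number randomization with the acknowledgment un-randomized on the returning SYN/ACK, and idle-timer expiry. The embryonic limit, idle timeout and connection keys are constructed values for the example.

```python
import random

class ConnTable:
    """Toy model of the appliance's conn table for the handshake walkthrough above (not the
    real data structure); embryonic limit and idle timeout are constructed values."""

    def __init__(self, embryonic_limit=2, idle_timeout=60):
        self.conns = {}          # connection key -> {"offset", "state", "last"}
        self.embryonic = 0       # half-open connections: no completed three-way handshake
        self.limit, self.idle = embryonic_limit, idle_timeout

    def _expired(self, key, now):
        """Remove the entry if its idle timer ran out; True when it was removed."""
        c = self.conns[key]
        if now - c["last"] <= self.idle:
            return False
        self.embryonic -= c["state"] == "embryonic"   # True counts as 1
        del self.conns[key]
        return True

    def outbound_syn(self, key, seq, now):
        """Parts 1 and 2: build the entry, randomize the sequence number, count it as
        embryonic. Returns (action, sequence number as it leaves the outside interface)."""
        if self.embryonic >= self.limit:      # limit exceeded: TCP Intercept takes over
            return ("tcp-intercept", None)
        offset = random.getrandbits(32)       # SNR: outside seq = inside seq + offset
        self.conns[key] = {"offset": offset, "state": "embryonic", "last": now}
        self.embryonic += 1
        return ("new", (seq + offset) & 0xFFFFFFFF)

    def inbound_synack(self, key, ack, now):
        """Parts 3 and 4: match the conn table, check the idle timer, then undo the
        randomization on the acknowledgment number before forwarding inside."""
        if key not in self.conns:
            return ("acl-check", None)        # no entry: the interface ACL decides
        if self._expired(key, now):
            return ("dropped", None)
        c = self.conns[key]
        c["last"] = now                       # packet seen: reset the idle timer
        return ("forward", (ack - c["offset"]) & 0xFFFFFFFF)

    def outbound_ack(self, key, now):
        """Parts 5 and 6: the handshake completes, so the entry is no longer embryonic."""
        if key not in self.conns or self._expired(key, now):
            return "acl-check"
        c = self.conns[key]
        if c["state"] == "embryonic":
            c["state"], self.embryonic = "established", self.embryonic - 1
        c["last"] = now
        return "forward"
```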
If no packets are seen for the duration of the idle timer, or the connection is torn down by the source or destination, the entry is removed from the conn table.

Address Translation Overview

Private Addresses

Needs for address translation:

- You are merging two networks that have an overlapping address space. You need to make it appear that the overlapping network numbers are unique to the two different sides.
- Your ISP has assigned you a very small number of public addresses, and you need to provide many of your devices access to the Internet.
- You were assigned a public address space by your ISP, and when you change ISPs, your new ISP will not support your currently assigned address space.
- You have critical services on a single device, and you need to duplicate these resources across many devices. However, you need to make it appear that all of the devices that contain these resources are a single entity.

Disadvantages of address translation:

First, when address translation is performed by your address translation device (like the Cisco security appliances), it will have to change the IP addresses in the IP packet header and possibly even the port numbers in TCP or UDP segment headers. Because of this, the address translation device will have to perform additional processing, not only to handle the translation process but also to compute new checksums for the packets.

Another problem that address translation introduces concerns troubleshooting network problems. Because address translation changes the source and/or destination IP addresses in the packet headers, it becomes more difficult to troubleshoot network problems.
When you examine the addresses in the packet header, you don't know whether you are dealing with the addresses that these machines have assigned on them, or with the addresses that they have been translated to by an address translation device.

Advantages of Address Translation

NAT Example

Figure 5-8. The user sends a packet to a destination with a private address in it. (Labels recoverable from the figure: inside network 192.168.1.0/24, hosts 192.168.1.6 and 192.168.1.5, appliance 192.168.1.1/24 with interfaces e0/0 and e0/1, translation device, Internet, and the addresses 200.1.1.1 and 201.201.201.2.)

Appliance interfaces in the figure:

Physical   Logical   Security level
e0/0       outside   0
e0/1       inside    100

PAT Example

Address Translation Configuration

Simple NAT example:

ciscoasa(config)# nat-control
ciscoasa(config)# nat (inside) 1 192.168.3.0 255.255.255.0
ciscoasa(config)# global (outside) 1 200.200.200.1-200.200.200.125 netmask 255.255.255.128
ciscoasa(config)# nat (inside) 2 192.168.4.0 255.255.255.0
ciscoasa(config)# global (outside) 2 200.200.200.126 netmask 255.255.255.255

NAT and PAT

PAT and identity NAT example:

ciscoasa(config)# nat-control
ciscoasa(config)# nat (inside) 0 200.200.200.128 255.255.255.128
ciscoasa(config)# nat (inside) 1 192.168.3.0 255.255.255.0 50 25
ciscoasa(config)# global (outside) 1 200.200.200.1 netmask 255.255.255.255

Three-interface NAT example:

ciscoasa(config)# nat-control
ciscoasa(config)# nat (inside) 1 0.0.0.0 0.0.0.0
ciscoasa(config)# nat (dmz) 1 192.168.5.0 255.255.255.0
ciscoasa(config)# global (outside) 1 200.200.200.10-200.200.200.254 netmask 255.255.255.0
ciscoasa(config)# global (dmz) 1 192.168.5.10-192.168.5.254 netmask 255.255.255.0

Here's a breakdown of the address translation policies: inside-to-DMZ, inside-to-outside, and DMZ-to-outside (no DMZ-to-DMZ).

Policy NAT example:

ciscoasa(config)# access-list site_a permit tcp 10.0.1.0 255.255.255.0 host 172.16.10.1
ciscoasa(config)# nat (inside) 100 access-list site_a
ciscoasa(config)# global (outside) 100 172.16.1.100 netmask 255.255.255.255
ciscoasa(config)# access-list site_b permit tcp 10.0.1.0 255.255.255.0 host 172.17.10.2
ciscoasa(config)# nat (inside) 101 access-list site_b
ciscoasa(config)# global (outside) 101 172.17.1.88 netmask 255.255.255.255

Policy identity NAT example:

soho(config)# access-list vpn-exempt-nat permit ip 10.100.10.0 255.255.255.0 10.10.0.0 255.255.0.0
soho(config)# nat-control
soho(config)# nat (inside) 0 access-list vpn-exempt-nat
soho(config)# nat (inside) 1 10.100.0.0 255.255.0.0
soho(config)# global (outside) 1 interface

In the preceding example, the following translation policies are configured:

- When traffic goes across the site-to-site VPN tunnel to the corporate office, it should not be translated: the access-list and nat (inside) 0 commands implement this policy.
- When traffic goes from the SOHO to Internet locations, it will be translated using PAT: the nat (inside) 1 and global (outside) 1 commands implement this policy.

Static NAT example:

ciscoasa(config)# nat-control
ciscoasa(config)# static (dmz,outside) 200.200.200.1 192.168.5.2 netmask 255.255.255.255
ciscoasa(config)# static (dmz,outside) 200.200.200.2 192.168.5.3 netmask 255.255.255.255
ciscoasa(config)# static (inside,outside) 200.200.200.3 192.168.4.1 netmask 255.255.255.255
ciscoasa(config)# nat (inside) 1 0.0.0.0 0.0.0.0
ciscoasa(config)# global (outside) 1 200.200.200.10-200.200.200.254 netmask 255.255.255.0
ciscoasa(config)# global (dmz) 1 192.168.5.10-192.168.5.254 netmask 255.255.255.0

To create a static NAT translation, use the following command (optional parameters in brackets):

ciscoasa(config)# static (local_if_name,global_if_name) global_ip_addr local_ip_addr [netmask subnet_mask] [tcp max_conns [embryonic_conn_limit]] [udp max_conns] [dns] [norandomseq]

Static PAT example:

ciscoasa(config)# static (inside,outside) tcp interface 80 192.168.1.20 80 netmask 255.255.255.255

In this example, web traffic sent to port 80 on the IP address of the outside interface of the appliance will be redirected to 192.168.1.20 on port 80 on the inside interface.

Finding a Matching Translation Policy

When looking for a matching translation policy, the appliance goes through the following steps:

1. The appliance looks for an existing translation in the translation table; sometimes Cisco will refer to this as trying to find a "matching xlate slot" in the translation table.
2. If no entry exists in the translation table, the appliance looks for address translation exceptions in the nat 0 commands on a best-match basis.
3. If there are no matches on the identity NAT commands, the appliance will try to find a match against the configured static NAT commands on a best-match basis.
4. If there are no matches on the static NAT commands, the appliance will try to find a match against the configured static PAT (PAR) policies on a best-match basis.
5. If no match is found within the PAR translation policies, the appliance then looks for a match in its policy nat and global commands with a corresponding ACL.
6. If there is not a match on a policy translation configuration, the appliance then looks for a match in its normal nat and global commands.
7. If a translation or translation policy doesn't exist for the packet, the appliance will drop the packet if NAT control is enabled; if NAT control is not enabled, the packet is not translated but can flow through the appliance, assuming other appliance policies allow it.

The Original TCP Intercept / TCP Intercept with SYN Cookies

To prevent an attacker from filling the conn table with half-open TCP connections, Cisco enhanced the TCP Intercept feature with TCP SYN cookies in version 6.2. Instead of proxying the half-open TCP connections and main
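The seven-step lookup order above, as an added Python model (example code, not Cisco's implementation) built from the configuration examples on this page. The policy table is constructed, static PAT (step 4) is left out, and xlate entries are keyed per source (per source and destination for policy NAT), which is a simplification; "best match" is modelled as the longest matching prefix.

```python
import ipaddress as ip

# Constructed policy table modelled on the configuration examples above (identity NAT,
# static NAT, policy NAT with an ACL, dynamic NAT/PAT); not the appliance's real structures.
NAT_CONTROL = True
IDENTITY = [ip.ip_network("200.200.200.128/25")]                 # nat (inside) 0
STATIC = {ip.ip_address("192.168.5.2"): "200.200.200.1",         # static (dmz,outside)
          ip.ip_address("192.168.5.3"): "200.200.200.2"}
POLICY = [(ip.ip_network("10.0.1.0/24"), ip.ip_address("172.16.10.1"), "172.16.1.100")]
DYNAMIC = [(ip.ip_network("192.168.0.0/16"), "pat 200.200.200.126"),             # nat 2
           (ip.ip_network("192.168.3.0/24"), "pool 200.200.200.1-200.200.200.125")]  # nat 1
XLATE = {}   # translation table: local address (or (local, dest) for policy NAT) -> global

def find_translation(src, dst, xlate=XLATE):
    """Walk the lookup order for one packet; returns (policy kind, global address).
    Step 4 (static PAT) is omitted, so this model goes through steps 1, 2, 3, 5, 6, 7."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    for key in ((src, dst), src):                       # 1. existing xlate slot?
        if key in xlate:
            return ("xlate", xlate[key])
    if any(src in net for net in IDENTITY):             # 2. nat 0 exception: no translation
        return ("identity", str(src))
    if src in STATIC:                                   # 3. static NAT, fixed 1:1 mapping
        xlate[src] = STATIC[src]
        return ("static", STATIC[src])
    for net, host, glob in POLICY:                      # 5. policy NAT: ACL matches src AND dst
        if src in net and dst == host:
            xlate[(src, dst)] = glob
            return ("policy", glob)
    hits = [n for n, _ in DYNAMIC if src in n]          # 6. normal nat/global, best match wins
    if hits:
        best = max(hits, key=lambda n: n.prefixlen)     # most specific (longest) prefix
        glob = dict(DYNAMIC)[best]
        xlate[src] = glob
        return ("dynamic", glob)
    if NAT_CONTROL:                                     # 7. nothing matched
        return ("drop", None)
    return ("untranslated", str(src))
```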